Re: [fw-wiz] Pix to Pix VPN IPSec w/ PAT
From: John Adams (jna@retina.net)
Date: 03/24/03
- Previous message: Melson, Paul: "RE: [fw-wiz] Cisco PIX Questions"
- In reply to: Paul Matuszewski: "[fw-wiz] Pix to Pix VPN IPSec w/ PAT"
- Next in thread: Mike Hoskins: "Re: [fw-wiz] Pix to Pix VPN IPSec w/ PAT"
From: John Adams <jna@retina.net> To: Paul Matuszewski <sase@five-elements.com> Date: Mon, 24 Mar 2003 12:45:30 -0800 (PST)
On Sun, 23 Mar 2003, Paul Matuszewski wrote:
> Hey all.. newbie to the list here.. but I have a question for you all.
>
> I've looked everywhere, and my cisco rep has yet to get back to me..
>
> Is it possible to perform a CISCO pix501 to pix501 VPN w/ IPSec while still
> utilizing PAT. The scenario is = Business Cable Modem to Business Cable
> Modem... thoughts?
If you mean running a PAT to the outside world while maintaining the
internal (RFC1918) addressing between the two locations, this is
entirely possible.
Let's say the two networks are 10.20.1.0 and 10.10.1.0:
Location 1) (the one with the 10.60.1.0 network)
# first create the access lists for the VPN:
access-list 10 permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0
# You'll have to ensure that you're not natting users through the VPN:
access-list nonat permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0
# Set up your PAT (replace x.x.x.x with your outside PAT address)
global (outside) 1 x.x.x.x
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
# build your vpn, replace y.y.y.y with your peer's address
crypto ipsec transform-set regular esp-des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 10
crypto map VPN 10 set peer y.y.y.y
crypto map VPN 10 set transform-set regular
isakmp key <your key goes here> address y.y.y.y netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
sysopt connection permit-ipsec
# always apply the maps last.
isakmp enable outside
crypto map VPN interface outside
Now, invert the access lists for the remote site, and it'll work.
-john
--
J. Adams http://www.retina.net/~jna
The secret of knowing where you are, is knowing what time it is. -- Anonymous
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
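
The two requirements in the message above (tunnel traffic exempt from PAT, and the remote site's access lists inverted) can be checked mechanically before the configs are applied. The Python below is an added example, not part of the original message or of any Cisco tool; the function names and the site 2 configuration are constructed for illustration, and only the four line types shown are parsed.

```python
import re

# Constructed sample: site 1 lines as in the message, site 2 with the ACLs inverted.
SITE1 = """\
access-list 10 permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list nonat permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map VPN 10 match address 10
"""
SITE2 = """\
access-list 10 permit ip 10.10.1.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list nonat permit ip 10.10.1.0 255.255.255.0 10.20.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map VPN 10 match address 10
"""
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse(config):
    """Return (acls, crypto_acl_name, nat0_acl_name) for one site's config."""
    acls, crypto_acl, nat0_acl = {}, None, None
    for line in map(str.strip, config.splitlines()):
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, set()).add(((src, smask), (dst, dmask)))
        elif (m := re.match(r"^crypto map \S+ \d+ match address (\S+)$", line)):
            crypto_acl = m.group(1)
        elif (m := re.match(r"^nat \(inside\) 0 access-list (\S+)$", line)):
            nat0_acl = m.group(1)
    return acls, crypto_acl, nat0_acl

def check_pair(local_cfg, remote_cfg):
    """List problems that would break the tunnel between the two sites."""
    problems = []
    l_acls, l_crypto, l_nat0 = parse(local_cfg)
    r_acls, r_crypto, _ = parse(remote_cfg)
    l_entries = l_acls.get(l_crypto, set())
    if not l_entries:
        problems.append("no crypto ACL entries found")
    # Tunnel traffic must be exempt from PAT (nat 0), or it is translated
    # first and no longer matches the crypto ACL.
    missing = l_entries - l_acls.get(l_nat0, set())
    if missing:
        problems.append(f"not exempt from NAT: {sorted(missing)}")
    # The remote crypto ACL must be the local one with source and destination swapped.
    if {(dst, src) for src, dst in l_entries} != r_acls.get(r_crypto, set()):
        problems.append("remote crypto ACL is not the mirror of the local one")
    return problems
```

Run check_pair in both directions (site 1 against site 2, then site 2 against site 1) so each side's NAT exemption is covered.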