Firewall Wizards mailing list archives

RE: Pix to Pix VPN IPSec w/ PAT


From: "Brian A Kee" <bkee () lurhq com>
Date: Mon, 24 Mar 2003 12:16:21 -0500

Here is an example:

# Define a global/nat setting for the traffic you want to use PAT (in this
case we define the external interface IP as the translation IP). We then
define what traffic we want to avoid the nat rules (nat 0) so that
everything jives through the tunnel. We then set up a normal nat rule for all
traffic destined for all other destinations except the VPN Network.
global (outside) 10 interface
nat (inside) 0 access-list NAT_0
nat (inside) 10 192.168.1.0 255.255.255.0

# define our allowed outbound services to the internet.
access-list INSIDE permit ip object-group InternalNet any object-group Allowed_SVC

# define the traffic that we want to encrypt
access-list CRYPTO permit tcp object-group InternalNet object-group VPNNet object-group Crypto_SVC

# define the traffic that we do not want to nat (see nat 0 rule above)
access-list NAT_0 permit tcp object-group InternalNet object-group VPNNet object-group Crypto_SVC

# Define your crypto map entries for the tunnel using the match address
statement to define what traffic is encrypted.
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address CRYPTO
crypto map VPN 20 set peer CryptoHost


I hope this helps!

BAK
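A fuller version of the pattern sketched above, added here as an example and not taken from the original post. It assumes PIX 6.x syntax, a local inside network of 192.168.1.0/24, a remote network of 192.168.2.0/24 behind the peer PIX, and a peer outside address of 203.0.113.2 (documentation range); the ACL names, the transform-set name and the pre-shared key are placeholders. It fills in the pieces the snippet above leaves out (ISAKMP policy, transform set, binding the crypto map to the outside interface) and spells out why the nat 0 exemption has to exist at all.

```cisco
! Added example (not from the original post). Assumed addressing:
!   inside network  192.168.1.0/24  (behind this PIX)
!   remote network  192.168.2.0/24  (behind the peer PIX)
!   peer PIX outside address 203.0.113.2 (documentation range)
! PIX 6.x syntax; ACL names, transform-set name and key are placeholders.

! The PIX applies translation before it consults the crypto map. Without
! this exemption the source address of inside-to-remote traffic is PATed
! to the outside interface IP, the crypto ACL below no longer matches,
! and the traffic is sent outside the tunnel (or dropped by the peer).
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! Everything else from inside is PATed behind the single outside address.
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0

! Interesting traffic for the tunnel. Keep it identical to the nat 0 ACL
! so the exemption and the crypto match cover exactly the same flows; the
! peer PIX needs the mirror image (source and destination swapped).
access-list CRYPTO permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Phase 1 (ISAKMP). 3DES/SHA-1 is what a 2003-era PIX 501 image offers;
! prefer AES on images that support it.
isakmp enable outside
isakmp key PRE-SHARED-KEY-PLACEHOLDER address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec) and the crypto map that ties everything together.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address CRYPTO
crypto map VPN 20 set peer 203.0.113.2
crypto map VPN 20 set transform-set ESP-3DES-SHA
crypto map VPN interface outside

! Let decrypted tunnel traffic bypass the outside interface ACL. If you
! would rather filter what the remote site may reach, omit this line and
! permit 192.168.2.0/24 explicitly in the outside ACL instead.
sysopt connection permit-ipsec
```

To confirm the exemption is doing its job, generate some inside-to-remote traffic and check `show xlate`: flows to 192.168.2.0/24 must not appear in the PAT table, while `show crypto ipsec sa` should show the encaps/decaps counters climbing. If the counters stay at zero but the xlate table has entries for the remote network, the nat 0 ACL is not matching the same traffic as the crypto ACL.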

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of David
Zbonski
Sent: Monday, March 24, 2003 11:03 AM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Pix to Pix VPN IPSec w/ PAT


I know you can reserve static addresses to use, so that you can do PAT for
other clients and still do IPSEC with a different address.  You will need 2
(or more) IP addresses from your cable modem provider - which you should be
able to get with a business class connection.
You probably can PAT the IPSEC traffic - I know for sure that you can do it
on a regular router with one public IP address by creating a loopback - I
just don't know the exact commands to do it on a PIX.  Do you have one or
more IP addresses to work with?


David Zbonski
Zbonski Consulting
http://www.zbonski.com


Hey all.. newbie to the list here.. but I have a question for you all.

I've looked everywhere, and my cisco rep has yet to get back to me..

Is it possible to perform a CISCO pix501 to pix501 VPN w/ IPSec while still
utilizing PAT.  The scenario is = Business Cable Modem to Business Cable
Modem... thoughts?

Thanks a bunch,
Paul Matuszewski
Systems Administrator
In Office Networks
(305) 799-4871



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


