Firewall Wizards mailing list archives

Re: Pix to Pix VPN IPSec w/ PAT


From: John Adams <jna () retina net>
Date: Mon, 24 Mar 2003 12:45:30 -0800 (PST)

On Sun, 23 Mar 2003, Paul Matuszewski wrote:

> Hey all.. newbie to the list here.. but I have a question for you all.
>
> I've looked everywhere, and my Cisco rep has yet to get back to me..
>
> Is it possible to perform a Cisco PIX 501 to PIX 501 VPN w/ IPSec while still
> utilizing PAT? The scenario is: Business Cable Modem to Business Cable
> Modem... thoughts?

If you mean running a PAT to the outside world while maintaining the 
internal (RFC1918) addressing between the two locations, this is 
entirely possible. 

Let's say the two networks are 10.20.1.0 and 10.10.1.0:

Location 1) (the one with the 10.20.1.0 network)

# first create the access list that defines the VPN traffic (the crypto ACL):
access-list 10 permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0

# You'll have to ensure that you're not NATting users through the VPN;
# this list must cover the same traffic as the crypto ACL:
access-list nonat permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0

# Set up your PAT (replace x.x.x.x with your outside PAT address).
# nat 0 exempts the VPN traffic from translation; nat 1 PATs everything else.
global (outside) 1 x.x.x.x
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

# build your vpn, replace y.y.y.y with your peer's address
# (DES and DH group 1 are what the 501's base license allows; if both peers
# have the 3DES/AES feature license, use 3DES or AES and group 2 instead)

crypto ipsec transform-set regular esp-des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 10
crypto map VPN 10 set peer y.y.y.y
crypto map VPN 10 set transform-set regular
isakmp key <your key goes here> address y.y.y.y netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
sysopt connection permit-ipsec

# always apply the maps last.
isakmp enable outside
crypto map VPN interface outside

Now, invert the access lists for the remote site, and it'll work. 

-john

-- 
J. Adams                                        http://www.retina.net/~jna

The secret of knowing where you are, is knowing what time it is. -- Anonymous
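The configuration above works only because the nat 0 exemption list covers exactly the traffic the crypto ACL selects, and because the remote PIX carries the same two lists with source and destination swapped. The script below is an added editorial example, not part of John's post or of any Cisco tool: it parses the access-list, nat 0 and crypto map lines of a PIX 6.x config and reports crypto-ACL flows that the exemption does not cover, and checks that two sites' crypto ACLs are mirror images. The sample configs are constructed from the post (only the lines that affect translation are kept), the site 2 config is the inverted version the post describes, and z.z.z.z is an assumed placeholder for site 2's PAT address.

```python
"""Check a PIX 6.x site-to-site config for the PAT / nat 0 interaction."""
import ipaddress

# Constructed sample: site 1 (10.20.1.0/24), the relevant lines from the post
# above. Transform-set, isakmp policy and key lines are omitted because they
# do not affect which traffic gets translated.
SITE1 = """
access-list 10 permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list nonat permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0
global (outside) 1 x.x.x.x
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 10
crypto map VPN 10 set peer y.y.y.y
"""

# Constructed sample: site 2 (10.10.1.0/24) with both ACLs inverted, as the
# post says to do. z.z.z.z is an assumed placeholder for site 2's PAT address.
SITE2 = """
access-list 10 permit ip 10.10.1.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list nonat permit ip 10.10.1.0 255.255.255.0 10.20.1.0 255.255.255.0
global (outside) 1 z.z.z.z
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 10
crypto map VPN 10 set peer x.x.x.x
"""

# Constructed failure case: site 1 with the nat 0 line left out.
SITE1_NO_EXEMPT = SITE1.replace("nat (inside) 0 access-list nonat\n", "")


def _addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False)
    return net, tokens[2:]


def parse(config):
    """Return (acls, nat0_acl, crypto_acls) from the lines this check needs."""
    acls = {}          # ACL name -> list of (src_net, dst_net) from 'permit ip' lines
    nat0_acl = None    # ACL named on 'nat (inside) 0 access-list ...'
    crypto_acls = []   # ACL names referenced by 'crypto map ... match address ...'
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] in ("#", "!"):
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0_acl = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto_acls.append(t[6])
    return acls, nat0_acl, crypto_acls


def find_leaks(config):
    """Crypto-ACL flows not covered by the nat 0 exemption.

    The PIX translates before it consults the crypto map, so such a flow
    leaves the outside interface with the PAT address as its source, never
    matches the crypto ACL, and goes out unencrypted instead of through the
    tunnel.
    """
    acls, nat0_acl, crypto_acls = parse(config)
    exempt = acls.get(nat0_acl, []) if nat0_acl else []
    leaks = []
    for name in crypto_acls:
        for src, dst in acls.get(name, []):
            covered = any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)
            if not covered:
                leaks.append((str(src), str(dst)))
    return leaks


def mirrors(local_config, remote_config):
    """True when the remote crypto ACL is exactly the local one with src/dst swapped."""
    lacls, _, lcrypto = parse(local_config)
    racls, _, rcrypto = parse(remote_config)
    local = {(s, d) for n in lcrypto for s, d in lacls.get(n, [])}
    remote = {(d, s) for n in rcrypto for s, d in racls.get(n, [])}
    return bool(local) and local == remote


if __name__ == "__main__":
    for label, cfg in (("site1", SITE1), ("site2", SITE2), ("site1-no-exempt", SITE1_NO_EXEMPT)):
        print(label, "leaks:", find_leaks(cfg) or "none")
    print("sites mirror each other:", mirrors(SITE1, SITE2))
```

Run it against the two configs and the broken copy: the two good sites report no leaks and mirror each other, while the copy without the nat 0 line reports the 10.20.1.0/24 to 10.10.1.0/24 flow as leaking, which is the symptom of "tunnel comes up but nothing passes" that this mistake produces in practice.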



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
