Firewall Wizards mailing list archives
Re: Pix to Pix VPN IPSec w/ PAT
From: John Adams <jna () retina net>
Date: Mon, 24 Mar 2003 12:45:30 -0800 (PST)
On Sun, 23 Mar 2003, Paul Matuszewski wrote:
Hey all.. newbie to the list here.. but I have a question for you all. I've looked everywhere, and my cisco rep has yet to get back to me.. Is it possible to perform a CISCO pix501 to pix501 VPN w/ IPSec while still utilizing PAT. The scenario is = Business Cable Modem to Business Cable Modem... thoughts?
If you mean running a PAT to the outside world while maintaining the internal (RFC1918) addressing between the two locations, this is entirely possible.

Let's say the two networks are 10.20.1.0 and 10.10.1.0:

Location 1) (the one with the 10.60.1.0 network)

  # first create the access lists for the VPN:
  access-list 10 permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0

  # You'll have to ensure that you're not natting users through the VPN:
  access-list nonat permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0

  # Set up your PAT (replace x.x.x.x with your outside PAT address)
  global (outside) 1 x.x.x.x
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0

  # build your vpn, replace y.y.y.y with your peer's address
  crypto ipsec transform-set regular esp-des esp-sha-hmac
  crypto map VPN 10 ipsec-isakmp
  crypto map VPN 10 match address 10
  crypto map VPN 10 set peer y.y.y.y
  crypto map VPN 10 set transform-set regular
  isakmp key <your key goes here> address y.y.y.y netmask 255.255.255.255
  isakmp identity address
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption des
  isakmp policy 10 hash sha
  isakmp policy 10 group 1
  sysopt connection permit-ipsec

  # always apply the maps last.
  isakmp enable outside
  crypto map VPN interface outside

Now, invert the access lists for the remote site, and it'll work.

-john

--
J. Adams http://www.retina.net/~jna
The secret of knowing where you are, is knowing what time it is. -- Anonymous
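The point John's config hinges on is that the nat 0 (nonat) access list must cover every flow the crypto map's match address ACL selects; otherwise that traffic is PATed before it ever reaches the tunnel. The following checker is an added example, not part of the thread, that parses a PIX 6.x-style config and reports crypto ACL entries the NAT exemption does not fully cover. The sample configs are constructed (203.0.113.1 is a documentation address standing in for x.x.x.x).

```python
import ipaddress
import re

# Constructed sample in the shape of the posted config (PIX 6.x syntax assumed).
GOOD_CONFIG = """
access-list 10 permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list nonat permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0
global (outside) 1 203.0.113.1
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 10
"""

# Same config, but the nonat entry only exempts half of the local /24 (constructed defect).
BAD_CONFIG = GOOD_CONFIG.replace(
    "access-list nonat permit ip 10.20.1.0 255.255.255.0",
    "access-list nonat permit ip 10.20.1.128 255.255.255.128")

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries (PIX uses real masks)."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
    return acls

def nat_exempt_acl(config):
    """Name of the ACL bound to 'nat (ifc) 0 access-list ...', or None if there is none."""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)$", config, re.M)
    return m.group(1) if m else None

def crypto_match_acls(config):
    """ACL names referenced by 'crypto map ... match address'."""
    return re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)

def unexempted_flows(config):
    """Crypto ACL entries not fully inside some nat 0 entry: these flows get PATed, not tunneled."""
    acls = parse_acls(config)
    exempt = acls.get(nat_exempt_acl(config) or "", [])
    missing = []
    for name in crypto_match_acls(config):
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                missing.append((name, str(src), str(dst)))
    return missing
```

Run it against both sides of the tunnel after inverting the access lists; the remote site's nonat entry must mirror its crypto ACL the same way.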