Posted by Darren Green on November 30, 2005, 4:43 pm
Any help on this would be appreciated.

If I want to implement dynamic outside NAT but my 2 x outside sites have the same IP ranges, is there a workaround?

                                           --------Site 1 ---192.168.1.X
Central Site (inside)----PIX---(outside)
say 10.1.0.1 /24                           --------Site 2 ---192.168.1.X

I have seen examples where outside NAT allows me to translate addresses to a suitable address range on the inside. But what happens if the 2 x remote sites have the same IP ranges (NB The above remote IP ranges belong to different companies)?

Can't see an example on Cisco.com but still searching.

How could I distinguish between the 2?

Regards

Darren

Posted by mcaissie on November 30, 2005, 5:47 pm
You can always do double policy NATing. I got it to work in the lab, but didn't go further. There is the problem that each site sees the central inside subnet with different IPs, which was a problem in my case.

Central Site translation

    access-list Site1 permit ip [Central Inside real subnet] [Site1 translated subnet]
    access-list Site2 permit ip [Central Inside real subnet] [Site2 translated subnet]
    static (inside,outside) [Central translated subnet for site1] access-list Site1 0 0
    static (inside,outside) [Central translated subnet for site2] access-list Site2 0 0

Sites translations

    access-list b-Site1 permit ip [Site1 Real subnet] [Central translated subnet for site1]
    access-list b-Site2 permit ip [Site2 Real subnet] [Central translated subnet for site2]
    static (outside,inside) [Site1 translated subnet] access-list b-Site1 0 0
    static (outside,inside) [Site2 translated subnet] access-list b-Site2 0 0

Crypto ACLs

    access-list Map1 permit ip [Central translated subnet for site1] [Site1 Real subnet]
    access-list Map2 permit ip [Central translated subnet for site2] [Site2 Real subnet]
    crypto map xxxxx 10 ipsec-isakmp
    crypto map xxxxx 10 match address Map1
    crypto map xxxxx 10 set peer x.x.x.x
    crypto map xxxxx 10 set transform-set xxxxxx
    crypto map xxxxx 11 ipsec-isakmp
    crypto map xxxxx 11 match address Map2
    crypto map xxxxx 11 set peer x.x.x.x
    crypto map xxxxx 11 set transform-set xxxxxx
    crypto map xxxxx interface outside

This way when the central calls a site using the Site's translated address, the site will see the packet coming from the central translated addresses for this specific site. This way you can have crypto maps that are mirror images, without any IP conflicts.

But as you may have seen in my other post "VRF aware IPSEC", I am investigating other ways to resolve those kinds of issues.

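The address plan from the reply above, worked through with concrete numbers. This is an added example, not part of the original thread: every subnet below is constructed, the function names and the `Map-<site>` ACL name are hypothetical, and the ACL lines assume the usual PIX address-plus-netmask form. It fills in the reply's template per site and checks that the crypto ACL selectors stay distinct even though both sites really use 192.168.1.0/24.

```python
import ipaddress as ip

# Constructed address plan (assumption): both remote sites really use 192.168.1.0/24.
CENTRAL_REAL = ip.ip_network("10.1.0.0/24")
SITES = {
    # name: (site real subnet, site subnet as seen from central,
    #        central subnet as seen from that site)
    "Site1": ("192.168.1.0/24", "172.16.1.0/24", "172.17.1.0/24"),
    "Site2": ("192.168.1.0/24", "172.16.2.0/24", "172.17.2.0/24"),
}

def pix(net):
    """Format a network as address followed by netmask."""
    return f"{net.network_address} {net.netmask}"

def translate(host, real, mapped):
    """Net-to-net static NAT keeps the host bits and swaps the prefix."""
    real, mapped = ip.ip_network(real), ip.ip_network(mapped)
    offset = int(ip.ip_address(host)) - int(real.network_address)
    return str(mapped.network_address + offset)

def selectors(sites=SITES):
    """Crypto ACL (source, destination) per site: central translated -> site real."""
    return {n: (ip.ip_network(c), ip.ip_network(r)) for n, (r, _, c) in sites.items()}

def conflicts(sel):
    """Pairs of sites whose selectors overlap in both source and destination."""
    names = sorted(sel)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if sel[a][0].overlaps(sel[b][0]) and sel[a][1].overlaps(sel[b][1])]

def render(name, real, seen, central):
    """Fill in the reply's template for one site."""
    real, seen, central = map(ip.ip_network, (real, seen, central))
    return [
        f"access-list {name} permit ip {pix(CENTRAL_REAL)} {pix(seen)}",
        f"static (inside,outside) {central.network_address} access-list {name} 0 0",
        f"access-list b-{name} permit ip {pix(real)} {pix(central)}",
        f"static (outside,inside) {seen.network_address} access-list b-{name} 0 0",
        f"access-list Map-{name} permit ip {pix(central)} {pix(real)}",
    ]

if __name__ == "__main__":
    for name, plan in SITES.items():
        print("\n".join(render(name, *plan)), end="\n\n")
    print("selector conflicts:", conflicts(selectors()))
```

If the central subnet were left untranslated, both crypto ACLs would read "10.1.0.0/24 to 192.168.1.0/24" and `conflicts` would report the pair; the per-site central translation is what keeps the two tunnels distinguishable.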
Dynamic Outside NAT