Posted by Markus Marquardt on June 14, 2007, 8:34 am
Hello,
maybe someone could give me a hint about this scenario:
<local LAN>
|
|
<PIX515e/7.2>
|Public IP
|
|
<Internet>
|
|
|Public IP
<Internet gw>
|Private IP
|
|Private IP
<VPN gateway>
|Private IP
|
<remote LAN>
I want to establish a VPN connection between our local PIX and the
remote VPN gateway. The remote gateway is not directly connected to the
internet. It's connected to <Internet gw> which forwards all packets and
is doing 1:1 NAT between the public IP address and the private IP address.
When trying to establish the VPN tunnel, on the PIX I get something like
Group = <something>, IP = <Public IP internet GW>, Rejecting IPSec
tunnel: no matching crypto map entry for remote proxy <Private IP VPN
gateway>/255.255.255.255/0/0 local proxy <Public IP
PIX>/255.255.255.255/0/0 on interface outside
The reason is the different public/private addresses which are seen for
the remote VPN gateway. Is there any way to get around this? NAT-T?
Which address should be used for the crypto map: The public or private
address of the remote VPN gw?
With kind regards
Markus
Posted by Newbie72 on June 14, 2007, 9:57 am
The question is: what type of hardware are you connecting to?
Check out the link below; it should be able to answer most of your
questions if you are using PIX 6.3
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html
Here is a link if you are using PIX 7.x or an ASA appliance
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml
Posted by Markus Marquardt on June 14, 2007, 10:40 am
Remote VPN router behind internet access router
> maybe someone could give me a hint about this scenario:
> <local LAN>
> |
> |
> <PIX515e/7.2>
> |Public IP
> |
> |
> <Internet>
> |
> |
> |Public IP
> <Internet gw>
> |Private IP
> |
> |Private IP
> <VPN gateway>
> |Private IP
> |
> <remote LAN>
> I want to establish a VPN connection between our local PIX and the
> remote VPN gateway. The remote gateway is not directly connected to the
> internet. It's connected to <Internet gw> which forwards all packets and
> is doing 1:1 NAT between the public IP address and the private IP address.
> When trying to establish the VPN tunnel, on the PIX I get something like
> Group = <something>, IP = <Public IP internet GW>, Rejecting IPSec
> tunnel: no matching crypto map entry for remote proxy <Private IP VPN
> gateway>/255.255.255.255/0/0 local proxy <Public IP
> PIX>/255.255.255.255/0/0 on interface outside
> The reason is the different public/private addresses which are seen for
> the remote VPN gateway. Is there any way to get around this? NAT-T?
> Which address should be used for the crypto map: The public or private
> address of the remote VPN gw?
> With kind regards
> Markus