PIX Policy-NAT

Hi all,

The goal here is to establish a LAN-to-LAN VPN from a central NOC to multiple sites. The multiple sites may have conflicting IP addresses. We don't control the VPN devices at the remote sites, and their expertise may vary from one site to the other.

To accelerate the tunnel implementation, we would like to minimise the tasks and the complexity of the configuration at the remote sites. One step would be to eliminate the NATing at the remote sites. We would like to have a solution where all NATing would be done in the central NOC PIX, and leave the sites with only the IPsec configuration. The problem is that if you create a static to NAT a site subnet, you cannot create another static for another site using the same subnet.

To avoid this possible conflict we are looking at a possible two-way policy-NAT configuration, but I am not sure if it would work. Eventually I am going to get a couple of PIXes in the lab to test it, but in the meantime I would appreciate your input on this.

So we have a NOC whose subnet is NOC. We have a remote site whose subnet is SITE.

The site and the NOC will agree on a subnet to mask the NOC IPs to the site. This will be X-NOC.

The NOC will use an X-SITE subnet to mask the site IPs.

From the site, the device will see the NOC as X-NOC, so the crypto ACL at the site would look like this:

    access-list crypto permit ip SITE X-NOC

Now in the NOC PIX, I would need to have a crypto ACL like this:

    access-list cryptosite1 permit ip X-NOC SITE

The masking of the NOC would be done based on NOC to X-SITE traffic:

    access-list masknoc permit ip NOC X-SITE
    static (inside,outside) X-NOC access-list masknoc 0 0

And the masking of the SITE would be done based on SITE to X-NOC traffic:

    access-list masksite permit ip SITE X-NOC
    static (outside,inside) X-SITE access-list masksite 0 0

I am trying to figure out the life of a packet and I get stuck. Let's say a PC in the NOC calls a PC at the site: we have a packet with a source/destination of NOC / X-SITE. This triggers the first static, so now the packet becomes X-NOC / X-SITE, but will the other static translate X-SITE to SITE at this time? I am not sure that the crypto will ever be triggered.

I hope I am clear enough. Your comments are welcome, on this configuration or on other ways to accomplish the initial goals.

Thanks

Site 1
    IP = SITE
    Crypto ACL: access-list crypto permit ip SITE X-NOC

NOC
    IP = NOC
    Policy translated IP = X-NOC (varies for each site)
    Policy access-list: access-list masknoc permit ip NOC X-SITE
    Policy NAT: static (inside,outside) X-NOC access-list masknoc 0 0

    Policy translated IP for site = X-SITE (varies for each site)
    Policy access-list: access-list masksite permit ip SITE X-NOC
    Policy NAT: static (outside,inside) X-SITE access-list masksite 0 0
    Crypto ACL: access-list cryptosite1 permit ip X-NOC SITE

mcaissie
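The life-of-a-packet question in the post above, modelled as an added Python example (this is not code from the original post, nor Cisco's): the NOC-side statics and crypto ACLs for two sites that share one LAN subnet, walked in both directions. All addresses are constructed stand-ins for NOC, SITE, X-NOC and X-SITE. The order in which the model applies the two statics before the crypto ACL comparison is an assumption to be confirmed on the lab PIXes, not documented PIX behaviour; what the model does show with certainty is which address must differ per site for the NOC PIX to tell two identical SITE subnets apart.

```python
"""Packet walk through the two-way policy-NAT design above (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed addresses standing in for the post's placeholders NOC, SITE,
# X-NOC and X-SITE. Both remote sites deliberately use the same LAN subnet.
NOC = ip_network("10.0.0.0/24")
SITE = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class PolicyStatic:
    """One 'static (real_if,mapped_if) MAPPED access-list ACL 0 0' line, with the
    ACL read as 'permit ip REAL PEER': REAL is the subnet being masked, PEER is
    the subnet it talks to, MAPPED is what REAL is masked as."""
    real_if: str
    mapped_if: str
    real: IPv4Network
    peer: IPv4Network
    mapped: IPv4Network


@dataclass(frozen=True)
class CryptoAcl:
    name: str
    src: IPv4Network
    dst: IPv4Network


def renumber(addr, from_net, to_net):
    """Keep the host part, swap the network part (what a subnet static does)."""
    return IPv4Address(int(to_net.network_address) + (int(addr) - int(from_net.network_address)))


def one(matches, what):
    """Exactly one static/ACL may match; anything else means the config is ambiguous."""
    if len(matches) != 1:
        raise ValueError(f"{what}: {len(matches)} matches, expected exactly one")
    return matches[0]


class NocPix:
    def __init__(self):
        self.statics, self.crypto = [], []

    def add_site(self, name, x_noc, x_site):
        """The three NOC-side lines the post lays out for one site."""
        self.statics.append(PolicyStatic("inside", "outside", NOC, x_site, x_noc))   # masknoc
        self.statics.append(PolicyStatic("outside", "inside", SITE, x_noc, x_site))  # masksite
        self.crypto.append(CryptoAcl(f"crypto{name}", x_noc, SITE))

    def walk_outbound(self, src, dst):
        """NOC host 'src' sends to 'dst', the masked (X-SITE) address of a site host.

        Assumed order (to be confirmed in the lab): the source is masked by the
        matching (inside,outside) static, the destination is then un-masked by the
        (outside,inside) static whose mapped subnet holds it, and only the fully
        translated packet is compared against the crypto ACLs."""
        src, dst = ip_address(src), ip_address(dst)
        s = one([t for t in self.statics if t.real_if == "inside" and src in t.real and dst in t.peer], "masknoc")
        new_src = renumber(src, s.real, s.mapped)
        d = one([t for t in self.statics if t.real_if == "outside" and dst in t.mapped and new_src in t.peer], "masksite")
        new_dst = renumber(dst, d.mapped, d.real)
        acl = one([c for c in self.crypto if new_src in c.src and new_dst in c.dst], "crypto acl")
        return str(new_src), str(new_dst), acl.name

    def walk_inbound(self, src, dst):
        """Decrypted packet from a site host (real SITE address) to that site's X-NOC.

        The per-site X-NOC destination is the only thing that tells two identical
        SITE subnets apart, which is why the post says it must vary per site."""
        src, dst = ip_address(src), ip_address(dst)
        d = one([t for t in self.statics if t.real_if == "outside" and src in t.real and dst in t.peer], "masksite")
        new_src = renumber(src, d.real, d.mapped)
        s = one([t for t in self.statics if t.real_if == "inside" and dst in t.mapped and new_src in t.peer], "masknoc")
        new_dst = renumber(dst, s.mapped, s.real)
        return str(new_src), str(new_dst)


def build_noc(share_x_noc=False):
    """Two sites with the same LAN; optionally (and wrongly) the same X-NOC too."""
    pix = NocPix()
    pix.add_site("site1", ip_network("172.16.1.0/24"), ip_network("172.17.1.0/24"))
    second_x_noc = ip_network("172.16.1.0/24") if share_x_noc else ip_network("172.16.2.0/24")
    pix.add_site("site2", second_x_noc, ip_network("172.17.2.0/24"))
    return pix


def inbound_is_ambiguous(pix, src, dst):
    """True when the NOC PIX cannot tell which site a decrypted packet belongs to."""
    try:
        pix.walk_inbound(src, dst)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    pix = build_noc()
    print("NOC -> site2 host:", pix.walk_outbound("10.0.0.5", "172.17.2.9"))
    print("site1 host -> NOC:", pix.walk_inbound("192.168.1.9", "172.16.1.5"))
    print("shared X-NOC ambiguous:", inbound_is_ambiguous(build_noc(True), "192.168.1.9", "172.16.1.5"))
```

The outbound walk ends with X-NOC / SITE, which is what the NOC-side crypto ACL in the post expects, and the per-site X-NOC is what selects cryptosite1 versus cryptosite2 even though SITE is the same subnet on both tunnels. The third call shows the failure mode the post's "varies for each site" guards against: if two sites were given the same X-NOC, both masksite statics would match the same decrypted packet.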

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.