Network diagram (reconstructed from the original figure):

                  New York            San Jose
ADSL router WAN   126.96.36.199       188.8.131.52
ADSL router LAN   10.0.11.254         10.0.22.254
PIX model         PIX 506E            PIX 501
PIX outside       10.0.11.1           10.0.22.1
PIX inside        192.168.11.254      192.168.22.254
                  New York LAN        San Jose LAN
I am trying to set up a hardware VPN based on the link above, but the multiple-internet-IP setup in the document has confused me. The following is what I intend to add to the "NewYork" PIX. I would appreciate it if someone could fill in the question marks, as well as any lines I need to add in order to allow ICMP and TCP between the 2 LANs.
'crypto' is not used as a prefix for 'isakmp key' in PIX 5 or PIX 6, and neither your 501 nor your 506E supports PIX 7.
Whatever you like. Your ADSL router is going to NAT it anyhow, so anything you put in there for the global addresses only has to match what the ADSL router is expecting. You might as well not even use a global pool (the first kind of global), since your ADSL router is going to be mapping everything to a single IP address.
184.108.40.206 -- the IP would match your isakmp key statement
Here and in the isakmp key statement, the IP you need to use is the IP that you need to address the packets to in order to reach the other machine. If something along the way is going to NAT your IPSec packets, then you need to use the NAT'd address because that's what you are going to see in the packets that originate from the other PIX.
You have the non-trivial problem of getting your ADSL routers to de-NAT the received packets and send them on to the PIXes.
Your setup would be much easier if you could spare some public IPs for the PIX themselves, addresses that were not NAT'd by the ADSL router.
Whether you will be able to do it at all will depend upon how the ADSL routers can be configured. *If* you can configure them so that they send pretty much all incoming traffic on to the PIXes, then configure as follows. The below requires 6.3(*)
ADSL modem 1:
  outside IP address: 220.127.116.11
  inside address: 10.y.y.2 255.255.255.0
  configure to NAT all outgoing 10.x.y.0 255.255.255.0 to 18.104.22.168
If you want to control the traffic between the two sites more precisely, you will need to omit the sysopt connection permit-ipsec and you will need to add access-list and access-group statements. Those statements should refer to the inside of city1 as 10.x.x.* and to the inside of city2 as 10.z.z.*. At city1, host 10.y.y.1 refers to communication from the local PIX itself (e.g., if you want to use the PIX itself to ping something at the other side); conversely, at city2, host 10.w.w.1 refers to communication from that local PIX itself. However, at city1, communication from the remote PIX itself will be seen as host 22.214.171.124, and at city2, communication from the city1 PIX itself will be seen as host 126.96.36.199.
It really doesn't matter, though. Anything supported by the PIXes that you can get the PIXes to agree on is fine. I also left out the isakmp policy definitions because they aren't important to your question of what IPs to use where; copy the ones you have now.
With that configuration, not only would icmp work between the lans, but icmp would also work from either lan to the outside interface of the other PIX. But you'll be wanting to put in 'icmp' commands to block random people on the net from rerouting your packets:
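Putting the advice above together for the New York side, here is an added illustrative PIX 6.3 configuration; it is not a config from the thread or from any poster. The San Jose ADSL router's public address, the pre-shared key, and the access-list, transform-set and crypto map names are placeholders; the LAN and interface addresses are taken from the diagram.

```cisco
! New York PIX 506E, PIX OS 6.3. Added example, not from the thread.
! Placeholders: <SJ-ADSL-PUBLIC-IP>, <PRE-SHARED-KEY>, names "nonat",
! "strong" and "nyvpn". Addresses come from the diagram.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.0.11.1 255.255.255.0
ip address inside 192.168.11.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.11.254 1

! Interesting traffic is LAN-to-LAN. The same ACL drives nat 0 (no NAT
! inside the tunnel) and the crypto map match.
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.22.0 255.255.255.0
nat (inside) 0 access-list nonat
! Everything else is PAT'd to the outside interface; the ADSL router NATs again.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Phase 1. No "crypto" prefix on "isakmp key" in PIX 6.x. The peer address is
! the San Jose ADSL router's public IP, because that is the source address
! New York sees on IKE/ESP arriving from San Jose (it has been NAT'd).
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address <SJ-ADSL-PUBLIC-IP> netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Both PIXes sit behind NAT, so ESP must be UDP-encapsulated (6.3 feature).
! The "20" here is the NAT-T keepalive interval in seconds, unrelated to the
! crypto map sequence number below.
isakmp nat-traversal 20

! Phase 2.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map nyvpn 10 ipsec-isakmp
crypto map nyvpn 10 match address nonat
crypto map nyvpn 10 set peer <SJ-ADSL-PUBLIC-IP>
crypto map nyvpn 10 set transform-set strong
crypto map nyvpn interface outside

! Decrypted tunnel traffic bypasses the outside ACL. Omit this line and add
! access-list/access-group on outside for per-protocol control instead.
sysopt connection permit-ipsec

! Only the remote LAN may ping the outside interface itself.
icmp permit 192.168.22.0 255.255.255.0 outside
icmp deny any outside
```

The New York ADSL router must forward inbound UDP/500 (IKE) and UDP/4500 (NAT-T) to 10.0.11.1, and the San Jose PIX needs the mirror-image configuration with the New York ADSL router's public address as its peer.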
I am still confused about whether I should see "20" matched up on a different line, as well as what further isakmp (and other) lines might be required.
Would someone mind posting a full config for each PIX, where each site only has 1 internet IP, NAT is in use, and ICMP is permitted between the 2 sites, or referring me to a website that contains the same?
Seems a big ask, but would be incredibly helpful. Nick