Site to Site VPN between 501s with Overlapping Private subnets

Can anyone give the syntax on how to perform this, or put a link to an example?

I have two PIX 501s that need a site to site VPN. Both have unique public addresses, however on the inside they both have 192.168.168.0/24 configured.

Cisco has examples of doing this, but I couldn't find an example for overlapping subnets involving PIXes.

Any help would be greatly appreciated. Thanks!!!

-rws

Reply to
Evolution

Well, I do not have an exact example, but other than the VPN commands, basically what you need to do is double NAT. Here's what it would look like. Basically, everyone is NATted: from site A you appear to be 192.168.1.0, and from site B, 192.168.2.0.

On PIX A: you may reach site B with 192.168.2.0 addresses

hostname pixa
!
! Phase 1 (IKE). Both PIXes must use identical policy values.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! Pre-shared key for PIX B (1.2.3.4 stands for PIX B's public address).
! PIX 6.x syntax is "isakmp key", not "crypto isakmp key"; the /32 netmask
! binds the key to that one peer. Replace cisco1234 with a strong key.
isakmp key cisco1234 address 1.2.3.4 netmask 255.255.255.255
!
! Phase 2 transform set.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
! Policy NAT: inside hosts talking to site B (seen as 192.168.2.0/24) are
! translated to 192.168.1.0/24 before the crypto map is consulted.
access-list vpnnat permit ip 192.168.168.0 255.255.255.0 192.168.2.0 255.255.255.0
! Use a NAT ID that is NOT shared with the Internet PAT below; otherwise
! ordinary Internet traffic would also be handed 192.168.1.x pool addresses.
nat (inside) 2 access-list vpnnat
global (outside) 2 192.168.1.1-192.168.1.254 netmask 255.255.255.0
! Alternative to the two lines above (bidirectional, so site B hosts can
! initiate connections to 192.168.1.x; use one form or the other):
! static (inside,outside) 192.168.1.0 access-list vpnnat 0 0
!
! Everyone else goes to the Internet through PAT (a.b.c.d = your public IP,
! or use "global (outside) 1 interface").
nat (inside) 1 0 0
global (outside) 1 a.b.c.d
!
! Crypto ACL: NAT happens first, so this must name the TRANSLATED source
! 192.168.1.0/24, not 192.168.168.0/24 (the vpnnat ACL would never match here).
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address vpn
crypto map mymap 20 set transform-set strong
! remote peer = PIX B's public address
crypto map mymap 20 set peer 1.2.3.4
crypto map mymap interface outside
! Lets decrypted VPN traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

On PIX B: you may reach site A with 192.168.1.0 addresses

hostname pixb
!
! Phase 1 (IKE), identical policy values to PIX A.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! Pre-shared key for PIX A (5.6.7.8 stands for PIX A's public address).
isakmp key cisco1234 address 5.6.7.8 netmask 255.255.255.255
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
! Policy NAT, mirror image of PIX A: inside hosts talking to site A
! (seen as 192.168.1.0/24) are translated to 192.168.2.0/24.
access-list vpnnat permit ip 192.168.168.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 2 access-list vpnnat
global (outside) 2 192.168.2.1-192.168.2.254 netmask 255.255.255.0
! Alternative (bidirectional; use one form or the other):
! static (inside,outside) 192.168.2.0 access-list vpnnat 0 0
!
! Everyone else goes to the Internet through PAT (a.b.c.d = your public IP).
nat (inside) 1 0 0
global (outside) 1 a.b.c.d
!
! Crypto ACL on the translated addresses (NAT runs before the crypto map).
access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address vpn
crypto map mymap 20 set transform-set strong
! remote peer = PIX A's public address
crypto map mymap 20 set peer 5.6.7.8
crypto map mymap interface outside
sysopt connection permit-ipsec

Reply to
olivier.martin
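The double-NAT design in the reply above, as an added worked example that is not part of the original thread: a small Python model of what each PIX does to a packet (policy NAT first, crypto-map match second), a check that a chosen pair of mapped ranges can actually work, and a generator for the matching PIX 6.3 commands. The names Site, make_site, outbound, inbound, exchange and pix_config, the host addresses 192.168.168.10 and 192.168.2.20, and the ACL/crypto-map names vpnnat, vpn and mymap are this example's own assumptions; pix_config uses the network-static form of the policy NAT.

```python
"""Toy model of the double-NAT site-to-site VPN discussed above: on each PIX,
policy NAT runs first and the crypto-map match second.  Added example, not code
from the original post; Site, outbound, inbound, exchange and pix_config are this
example's own names, and pix_config emits PIX 6.3 syntax with a network static
for the policy NAT (ACL and crypto-map names are placeholders)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    real: IPv4Network         # subnet really configured on the inside
    mapped: IPv4Network       # how the other site addresses our hosts
    peer_mapped: IPv4Network  # how our hosts address the other site


def make_site(name: str, real: str, mapped: str, peer_mapped: str) -> Site:
    return Site(name, IPv4Network(real), IPv4Network(mapped), IPv4Network(peer_mapped))


def check_plan(a: Site, b: Site) -> None:
    """Raise ValueError unless the address plan can work with double NAT."""
    if a.peer_mapped != b.mapped or b.peer_mapped != a.mapped:
        raise ValueError("mapped ranges must mirror between the two sites")
    if a.mapped.overlaps(b.mapped):
        raise ValueError("the two mapped ranges overlap each other")
    for s in (a, b):
        if s.mapped.prefixlen != s.real.prefixlen:
            raise ValueError(f"{s.name}: a network static needs equal prefix lengths")
        for r in (a.real, b.real):
            if s.mapped.overlaps(r):
                raise ValueError(f"{s.name}: mapped {s.mapped} overlaps real subnet {r}")


def translate(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
    """Network static: keep the host bits, swap the network bits."""
    return IPv4Address(int(dst.network_address) + (int(addr) - int(src.network_address)))


def outbound(site: Site, src: str, dst: str,
             crypto_src: Optional[IPv4Network] = None) -> Tuple[str, bool]:
    """Inside -> outside on one PIX: (source on the wire, sent through the tunnel).
    crypto_src is the source network in the crypto-map ACL; the right value is
    site.mapped, because the PIX translates before it evaluates the crypto map,
    so an ACL written with the real 192.168.168.0/24 never matches."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if s in site.real and d in site.peer_mapped:        # policy NAT ACL matches
        s = translate(s, site.real, site.mapped)
    acl_src = site.mapped if crypto_src is None else crypto_src
    return str(s), (s in acl_src and d in site.peer_mapped)


def inbound(site: Site, src: str, dst: str) -> Tuple[str, str]:
    """Decrypted packet from the peer: dst is one of our mapped addresses and the
    static xlate turns it back into the real inside address."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if not (s in site.peer_mapped and d in site.mapped):
        raise ValueError("decrypted packet does not match the static xlate")
    return str(s), str(translate(d, site.mapped, site.real))


def exchange(a: Site, b: Site, src_real: str, dst_mapped: str) -> Tuple[str, str]:
    """Host at A sends to a B host by its mapped address and B replies.
    Returns (source seen by the B host, reply source seen by the A host)."""
    wire_src, sent = outbound(a, src_real, dst_mapped)
    assert sent, "packet left A in the clear instead of through the tunnel"
    seen_at_b, real_dst_b = inbound(b, wire_src, dst_mapped)
    wire_src, sent = outbound(b, real_dst_b, seen_at_b)
    assert sent, "reply left B in the clear"
    seen_at_a, real_dst_a = inbound(a, wire_src, seen_at_b)
    assert real_dst_a == src_real, "reply did not reach the originating host"
    return seen_at_b, seen_at_a


def pix_config(site: Site, peer_public: str, psk: str) -> str:
    """PIX 6.3 commands for one side (vpnnat, vpn and mymap are placeholder names)."""
    m = lambda n: f"{n.network_address} {n.netmask}"
    return "\n".join([
        f"hostname {site.name}",
        "isakmp enable outside",
        "isakmp policy 10 authentication pre-share",
        "isakmp policy 10 encryption 3des",
        f"isakmp key {psk} address {peer_public} netmask 255.255.255.255",
        "crypto ipsec transform-set strong esp-3des esp-sha-hmac",
        # policy NAT is keyed on the real subnet, the crypto ACL on the mapped one
        f"access-list vpnnat permit ip {m(site.real)} {m(site.peer_mapped)}",
        f"static (inside,outside) {site.mapped.network_address} access-list vpnnat 0 0",
        f"access-list vpn permit ip {m(site.mapped)} {m(site.peer_mapped)}",
        "crypto map mymap 20 ipsec-isakmp",
        "crypto map mymap 20 match address vpn",
        f"crypto map mymap 20 set peer {peer_public}",
        "crypto map mymap 20 set transform-set strong",
        "crypto map mymap interface outside",
        "sysopt connection permit-ipsec",
    ])


# The plan from the thread: both sites really use 192.168.168.0/24.
SITE_A = make_site("pixa", "192.168.168.0/24", "192.168.1.0/24", "192.168.2.0/24")
SITE_B = make_site("pixb", "192.168.168.0/24", "192.168.2.0/24", "192.168.1.0/24")

if __name__ == "__main__":
    check_plan(SITE_A, SITE_B)
    print(exchange(SITE_A, SITE_B, "192.168.168.10", "192.168.2.20"))
    print(pix_config(SITE_A, "1.2.3.4", "cisco1234"))
```

Running it shows the B host receiving the connection from 192.168.1.10 and the A host seeing the reply from 192.168.2.20, i.e. neither end ever sees the other's real 192.168.168.x address. Passing crypto_src=SITE_A.real to outbound() reproduces the mistake of reusing the policy-NAT ACL as the crypto ACL: the packet is translated but never sent through the tunnel.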

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.