donchr (ASKER) asked:

VPN - Private address conflict

Hello

I need to create a VPN between a customer and myself.  No problem.  The problem is that we both are using the same private address range of 192.168.1.0/24.  I need to set up a PC and two printers on my LAN that will connect to their network.  We've agreed to use the 192.168.120.0/26 segment for this new equipment.  How do I NAT inside to the 120 segment?  I'm using a Cisco PIX 515 6.1(1).

Thanks for the help
TomCRiley

donchr,

global (outside) 1 1.2.3.4
nat (inside) 1 192.168.120.0 255.255.255.192 0 0

Build your ACL's with this address (1.2.3.4).

If the 192.168.120.0/26 net is already PAT'd for internet access or something, just use that address in your ACL's.
If you have a "nat 0 access-list", don't include ACL's for this tunnel.

If you post the code, I can help you put it together.

Tom
donchr (ASKER)

Thanks Tom:

Here's some code from my PIX - Is this enough to answer your question?  I mistyped earlier - it is 192.68.102.0/26


access-list 100 permit ip 192.168.102.0 255.255.255.0 157.x.x.x 255.255.0.0

ip address outside 68.208.80.x 255.255.255.224
ip address inside 192.168.1.254 255.255.255.0
ip local pool pptp-pool 192.168.100.1-192.168.100.50
global (outside) 1 68.208.80.231-68.208.80.239 netmask 255.255.255.224
global (outside) 1 68.208.80.231 netmask 255.255.255.224
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 68.208.x.x 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 68.208.x.x 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 68.208.x.x 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 68.208.x.x 192.168.1.254 netmask 255.255.255.255 0 0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 68.152.200.125

Well...it'll be easier if we can predict what the traffic will be NAT'd to when it is destined for the tunnel.  Does the entire inside network need to access resources on the other side of the tunnel or just some specific hosts?

Tom

By virtue of the "nat (inside) 1 0.0.0.0 0.0.0.0 0 0" and the matching global, all inside hosts get NAT'd.  Looks like we should first start with NAT'ing the 192.168.120.0/26 hosts to their own global:

global (outside) 2 68.208.80.x <~~~ free public address
nat (inside) 2 192.168.120.0 255.255.255.192 0 0

If this sounds like it fits your situation, we can move on.

Tom
donchr (ASKER)

This is the way I see it - I will have one pc and two printers on my lan.  No one on my network necessarily needs to see them but their network (my customer) will need to see them across the VPN (ping).  We will be running their AS/400 software on it.

pc   192.168.1.245 -<-----nat----> 192.168.102.2
prt   192.168.1.246 -<-----nat----> 192.168.102.3
prt   192.168.1.247 -<-----nat----> 192.168.102.4

?? We establish a tunnel.  They send traffic looking for 192.168.102.2 - my PIX nats that address to 192.168.1.245 and of course vice-versa.   Is that possible?

Oh, I see the plan.  The hosts aren't on a separate network segment.  They are on the same segment as the other inside hosts and you want them to be NAT'd to 192.168.120.x.  If it's only three hosts, I might NAT them all to one address.  I would do it like this:

global (outside) 2 68.208.80.x  <~~~ free public address
nat (inside) 2 192.168.1.245 255.255.255.255 0 0
nat (inside) 2 192.168.1.246 255.255.255.255 0 0
nat (inside) 2 192.168.1.247 255.255.255.255 0 0

This will NAT all the hosts that need to traverse the tunnel to one public address.

I know you said you agreed to use 192.168.120.0/26 for the tunnel but, to be quite honest, I'm not sure the PIX will let you do that.  Maybe there is something I don't know, but you can't use an invalid outside address in your "global (outside) 2" statement.  And, even if the PIX let you (which I have never even tried), you would prevent the hosts from venturing out of your network.

Let me know where we go from here.

Tom

It is very possible but I'm unsure of using a private IP as I mentioned in my previous post.  Either way, the code is the same with the exception of the IP's obviously.  Doesn't hurt to try if what I proposed won't work for you.
donchr (ASKER)


I do have available outside addresses that I could use in the global (outside) 2 statement.  How do I relate the VPN connection to this new outside address?  Then - how do I relate the nat (inside) 192.168.1.245...... to the 192.168.120.x hosts?

Is this still possible?

First to address the second part of the question...I thought that there aren't any 192.168.120.x hosts and that was just what you wanted to NAT them to.  What are the IP's that are bound to the NIC cards of the hosts that need to traverse the tunnel?...192.168.1.x or 192.168.120.x??  Once we figure this out, the rest is easy.

Tom
donchr (ASKER)

the hosts are:
   192.168.1.245
   192.168.1.246
   192.168.1.247

OK, so we'll forget the 192.168.120.0/26 thing.  Let the customer know that all traffic coming from your PIX to their VPN device will be NAT'd to <insert free public IP here>.  Once everybody agrees, we can move on and get the configuration done.  Sound good?

Tom
donchr (ASKER)

Sounds good to me but I'm unclear on how it will work?  Am I creating a VPN site to site connection with the new public IP?

Chris

Yes, you are creating a site-to-site VPN and NAT'ing your side before it traverses the tunnel.  What is the customer's subnet?  I'll post some code for you after you post the subnet of the other side and you can apply it to your situation.

Tom
donchr (ASKER)

They have allocated 192.168.102.0/26 as a range that's available on their side.  We can use 192.168.102.2 / 192.168.102.3 / 192.168.102.4 / 192.168.102.5

Chris

Is it a PIX on their side, also?  Are they NAT'ing their hosts to 192.168.102.x or is that the real IP's of the hosts?
donchr (ASKER)

Hi Tom

I'm verifying this - but I believe it's a Checkpoint V4.1.  I also believe that they are valid IP's on their system.

So do the hosts on your side need to access their entire net or just certain hosts?
donchr (ASKER)

Only a small number of hosts - their AS/400 applications server and maybe one other.
donchr (ASKER)

Here's their response:

We will be using Checkpoint NG.  We are not using the 192.168.102.0/26 address space but would route those addresses to you.

Thanks

So they are NAT'ing their side also?  Doesn't really matter but I'm confused why both sides need to be NAT'd.  You said that you use the same internal subnet as the customer.  So who's doing the NAT'ing...you, them or both?  Both is possible but kind of pointless.  I can give you the code to NAT your side and build the ACL's using their side of 192.168.102.0/26.  After that, you can just tell them to build their ACL's using the public address that your side will get NAT'd to.  Let me know and we'll get this show on the road.  I will go ahead and assume that this is the way you want to do it and I'll post the code anyways.

Tom

where 68.208.80.254 = your side NAT'd IP
where 192.168.102.0/26 = customer's net
where 1.2.3.4 = Checkpoint's outside IP

access-list 101 permit ip host 68.208.80.254 192.168.102.0 255.255.255.192
global (outside) 2 68.208.80.254
nat (inside) 2 192.168.1.245 255.255.255.255 0 0
nat (inside) 2 192.168.1.246 255.255.255.255 0 0
nat (inside) 2 192.168.1.247 255.255.255.255 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set tunnel esp-des esp-sha-hmac
crypto map vpnpeer 1 ipsec-isakmp
crypto map vpnpeer 1 match address 101
crypto map vpnpeer 1 set peer 1.2.3.4
crypto map vpnpeer 1 set transform-set tunnel
crypto map vpnpeer 1 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map vpnpeer interface outside
isakmp enable outside
isakmp key xxxxxxxx address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Tom
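An added example, not configuration from Tom or the asker: a small Python model of the two things the configuration above relies on, namely that the PIX translates the three hosts to the dedicated global address before the crypto ACL is evaluated (so ACL 101 is written against 68.208.80.254, not 192.168.1.x), and that putting a tunnel host under the existing shared nat id 1 instead of the dedicated id 2 drops it into the PAT pool where ACL 101 never matches. The PAT address 68.208.80.231 and the internet destination 198.51.100.7 are constructed stand-ins; PIX regular NAT is modelled as longest-mask match.

```python
import ipaddress

# Constructed to mirror the thread: nat id 1 is the existing catch-all PAT,
# nat id 2 is the dedicated translation for the three tunnel hosts.
NAT_RULES = [(1, "0.0.0.0/0"),
             (2, "192.168.1.245/32"), (2, "192.168.1.246/32"), (2, "192.168.1.247/32")]
# Assumed: 68.208.80.231 stands in for the existing global pool; .254 is the
# free public address reserved for the tunnel hosts.
GLOBALS = {1: "68.208.80.231", 2: "68.208.80.254"}
# Crypto ACL 101 as posted: translated source to the customer's 192.168.102.0/26.
ACL_101 = [("68.208.80.254/32", "192.168.102.0/26")]
# The pitfall: putting a tunnel host under the shared nat id 1 instead of 2.
SHARED_ID_RULES = [(1, "0.0.0.0/0"), (1, "192.168.1.245/32")]

def best_nat_id(src, nat_rules):
    """Model PIX regular NAT as longest-mask match among matching nat statements."""
    best = None
    for nat_id, net in nat_rules:
        network = ipaddress.ip_network(net)
        if ipaddress.ip_address(src) in network:
            if best is None or network.prefixlen > best[1].prefixlen:
                best = (nat_id, network)
    return best[0] if best else None

def crypto_matches(xlated_src, dst, acl):
    """The crypto ACL sees the translated source, never the inside 192.168.1.x IP."""
    s, d = ipaddress.ip_address(xlated_src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)

def tunnel_decision(src, dst, nat_rules=NAT_RULES, globals_=GLOBALS, acl=ACL_101):
    """Return (translated source, True if the flow is selected for the IPsec tunnel)."""
    xlated = globals_[best_nat_id(src, nat_rules)]
    return xlated, crypto_matches(xlated, dst, acl)

if __name__ == "__main__":
    flows = [("192.168.1.245", "192.168.102.2"),   # tunnel host to customer AS/400 range
             ("192.168.1.10", "192.168.102.2"),    # ordinary inside host: PAT, no tunnel
             ("192.168.1.245", "198.51.100.7")]    # tunnel host to the internet (constructed)
    for src, dst in flows:
        print(src, "->", dst, tunnel_decision(src, dst))
    # Under the shared id the host lands in the PAT pool and ACL 101 never matches.
    print(tunnel_decision("192.168.1.245", "192.168.102.2", SHARED_ID_RULES))
```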
donchr (ASKER)

Tom

I greatly appreciate your help - I will test this on monday and let you know where I'm at.

Thanks
Chris
ASKER CERTIFIED SOLUTION
TomCRiley
Tim Holman
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

 --> ACCEPT:TomCRiley

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

tim_holman
EE Cleanup Volunteer