  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1037

VPN - Private address conflict

Hello

I need to create a VPN between a customer and myself.  No problem.  The problem is that we are both using the same private address range of 192.168.1.0/24.  I need to set up a PC and two printers on my LAN that will connect to their network.  We've agreed to use the 192.168.120.0/26 segment for this new equipment.  How do I NAT inside to the 120 segment?  I'm using a Cisco PIX 515 6.1(1).

Thanks for the help
Asked by donchr

1 Solution

TomCRiley Commented:
donchr,

global (outside) 1 1.2.3.4
nat (inside) 1 192.168.120.0 255.255.255.192 0 0

Build your ACL's with this address (1.2.3.4).

If the 192.168.120.0/26 net is already PAT'd for internet access or something, just use that address in your ACL's.
If you have a "nat 0 access-list", don't include ACL's for this tunnel.

If you post the code, I can help you put it together.

Tom

donchr (Author) Commented:
Thanks Tom:

Here's some code from my PIX - is this enough to answer your question?  I mistyped earlier - it is 192.68.102.0/26


access-list 100 permit ip 192.168.102.0 255.255.255.0 157.x.x.x 255.255.0.0

ip address outside 68.208.80.x 255.255.255.224
ip address inside 192.168.1.254 255.255.255.0
ip local pool pptp-pool 192.168.100.1-192.168.100.50
global (outside) 1 68.208.80.231-68.208.80.239 netmask 255.255.255.224
global (outside) 1 68.208.80.231 netmask 255.255.255.224
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 68.208.x.x 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 68.208.x.x 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 68.208.x.x 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 68.208.x.x 192.168.1.254 netmask 255.255.255.255 0 0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 68.152.200.125

TomCRiley Commented:
Well...it'll be easier if we can predict what the traffic will be NAT'd to when it is destined for the tunnel.  Does the entire inside network need to access resources on the other side of the tunnel or just some specific hosts?

Tom
 
TomCRiley Commented:
By virtue of the "nat (inside) 1 0.0.0.0 0.0.0.0 0 0" and the matching global, all inside hosts get NAT'd.  Looks like we should first start with NAT'ing the 192.168.120.0/26 hosts to their own global:

global (outside) 2 68.208.80.x <~~~ free public address
nat (inside) 2 192.168.120.0 255.255.255.192 0 0

If this sounds like it fits your situation, we can move on.

Tom

donchr (Author) Commented:
This is the way I see it - I will have one pc and two printers on my lan.  No one on my network necessarily needs to see them but their network (my customer) will need to see them across the VPN (ping).  We will be running their AS/400 software on it.

pc   192.168.1.245 -<-----nat----> 192.168.102.2
prt   192.168.1.246 -<-----nat----> 192.168.102.3
prt   192.168.1.247 -<-----nat----> 192.168.102.4

?? We establish a tunnel.  They send traffic looking for 192.168.102.2 - my PIX nats that address to 192.168.1.245 and of course vice-versa.   Is that possible?

TomCRiley Commented:
Oh, I see the plan.  The hosts aren't on a separate network segment.  They are on the same segment as the other inside hosts and you want them to be NAT'd to 192.168.120.x.  If it's only three hosts, I might NAT them all to one address.  I would do it like this:

global (outside) 2 68.208.80.x 255.255.255.255 0 0  <~~~ free public address
nat (inside) 2 192.168.1.245 255.255.255.255 0 0
nat (inside) 2 192.168.1.246 255.255.255.255 0 0
nat (inside) 2 192.168.1.247 255.255.255.255 0 0

This will NAT all the hosts that need to traverse the tunnel to one public address.

I know you said you agreed to use 192.168.120.0/26 for the tunnel but, to be quite honest, I'm not sure the PIX will let you do that.  Maybe there is something I don't know, but you can't use an invalid outside address in your "global (outside) 2" statement.  And, even if the PIX let you (which I have never even tried), you would prevent the hosts from venturing out of your network.

Let me know where we go from here.

Tom

TomCRiley Commented:
It is very possible but I'm unsure of using a private IP as I mentioned in my previous post.  Either way, the code is the same with the exception of the IP's obviously.  Doesn't hurt to try if what I proposed won't work for you.

donchr (Author) Commented:
I do have available outside addresses that I could use in the global (outside) 2 statement.  How do I relate the VPN connection to this new outside address?  Then - how do I relate the nat (inside) 192.168.1.245...... to the 192.168.120.x hosts?

Is this still possible?

TomCRiley Commented:
First to address the second part of the question...I thought that there aren't any 192.168.120.x hosts and that was just what you wanted to NAT them to.  What are the IP's that are bound to the NIC cards of the hosts that need to traverse the tunnel?...192.168.1.x or 192.168.120.x??  Once we figure this out, the rest is easy.

Tom

donchr (Author) Commented:
the hosts are:
   192.168.1.245
   192.168.1.246
   192.168.1.247

TomCRiley Commented:
OK, so we'll forget the 192.168.120.0/26 thing.  Let the customer know that all traffic coming from your PIX to their VPN device will be NAT'd to <insert free public IP here>.  Once everybody agrees, we can move on and get the configuration done.  Sound good?

Tom

donchr (Author) Commented:
Sounds good to me but I'm unclear on how it will work?  Am I creating a VPN site to site connection with the new public IP?

Chris

TomCRiley Commented:
Yes, you are creating a site-to-site VPN and NAT'ing your side before it traverses the tunnel.  What is the customer's subnet?  I'll post some code for you after you post the subnet of the other side and you can apply it to your situation.

Tom

donchr (Author) Commented:
They have allocated 192.168.102.0/26 as a range that's available on their side.  We can use 192.168.102.2 / 192.168.102.3 / 192.168.102.4 / 192.168.102.5

Chris

TomCRiley Commented:
Is it a PIX on their side, also?  Are they NAT'ing their hosts to 192.168.102.x, or are those the real IP's of the hosts?

donchr (Author) Commented:
Hi Tom

I'm verifying this - but I believe it's a Checkpoint V4.1.  I also believe that they are valid IP's on their system.

TomCRiley Commented:
So do the hosts on your side need to access their entire net or just certain hosts?

donchr (Author) Commented:
Only a small number of hosts - their AS/400 application server and maybe one other.

donchr (Author) Commented:
Here's their response:

We will be using Checkpoint NG.  We are not using the 192.168.102.0/26 address space but would route those addresses to you.

Thanks

TomCRiley Commented:
So they are NAT'ing their side also?  Doesn't really matter but I'm confused why both sides need to be NAT'd.  You said that you use the same internal subnet as the customer.  So who's doing the NAT'ing...you, them or both?  Both is possible but kind of pointless.  I can give you the code to NAT your side and build the ACL's using their side of 192.168.102.0/26.  After that, you can just tell them to build their ACL's using the public address that your side will get NAT'd to.  Let me know and we'll get this show on the road.  I will go ahead and assume that this is the way you want to do it and I'll post the code anyways.

Tom

TomCRiley Commented:
where 68.208.80.254 = your side NAT'd IP
where 192.168.102.0/26 = customer's net
where 1.2.3.4 = Checkpoint's outside IP

access-list 101 permit ip host 68.208.80.254 192.168.102.0 255.255.255.192
global (outside) 1 68.208.80.254
nat (inside) 1 192.168.1.245 255.255.255.255 0 0
nat (inside) 1 192.168.1.246 255.255.255.255 0 0
nat (inside) 1 192.168.1.247 255.255.255.255 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set tunnel esp-des esp-sha-hmac
crypto map vpnpeer 1 ipsec-isakmp
crypto map vpnpeer 1 match address 101
crypto map vpnpeer 1 set peer 1.2.3.4
crypto map vpnpeer 1 set transform-set tunnel
crypto map vpnpeer 1 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map vpnpeer interface outside
isakmp enable outside
isakmp key xxxxxxxx address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Tom

donchr (Author) Commented:
Tom

I greatly appreciate your help - I will test this on monday and let you know where I'm at.

Thanks
Chris

TomCRiley Commented:
The access-list 101 paired with the "crypto map vpnpeer 1 match address 101" is what associates the public IP (68.208.80.254) to the tunnel.  You are probably used to also adding an access-list 100 which would tell the PIX not to NAT the traffic by virtue of the "nat (inside) 0 access-list 100" but, obviously, you will need to leave the access-list 100 out for this tunnel.  Clarification...the "nat 0" will stay where it is, just don't create an access-list 100 to match the access-list 101 because that will reverse our efforts.  Let me know if you need more help.

Tom
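The configuration Tom posted and his follow-up about access-list 100, as an added example that is not part of the thread and not Cisco's code: a small Python model of how a PIX 6.x chooses a translation, so the order-of-operations point can be checked on sample packets. It assumes the usual PIX sequence (nat 0 exemption, then static, then the most specific matching nat/global pair), uses nat id 2 for the three hosts as in Tom's earlier post (id 1 is already Chris's default PAT), and substitutes the constructed placeholder 157.0.0.0/16 for the masked "157.x.x.x" in Chris's ACL 100. Class and function names are the example's own.

```python
"""Added example, not code from the thread or from Cisco: a small model of how a
PIX 6.x picks a translation, used to check Tom's configuration on sample packets.
Assumed order of operations: 'nat 0 access-list' exemption first, then 'static',
then the most specific matching 'nat (inside) <id>' with its 'global (outside) <id>'.
Only single-address globals are modelled."""
import ipaddress

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Both sites use 192.168.1.0/24 (from the question), which is why NAT is needed.
MY_LAN = Net("192.168.1.0/24")
CUSTOMER_LAN = Net("192.168.1.0/24")
CUSTOMER_VPN_NET = Net("192.168.102.0/26")   # addresses the customer routes to Chris
TUNNEL_SRC = IPv4("68.208.80.254")           # public IP Tom NATs the three hosts to


def lans_overlap(a: Net, b: Net) -> bool:
    """True when the two sites cannot reach each other without translating one side."""
    return a.overlaps(b)


class PixNat:
    def __init__(self):
        self.nat0_acl = []      # (src_net, dst_net) pairs from the 'nat (inside) 0' ACL
        self.statics = {}       # inside IP -> outside IP
        self.nat_rules = []     # (inside_net, nat_id)
        self.globals = {}       # nat_id -> outside IP
        self.crypto_acl = []    # (src_net, dst_net) from 'crypto map ... match address'

    def translate(self, src: IPv4, dst: IPv4) -> IPv4:
        """Source address the packet carries when it leaves the outside interface."""
        if any(src in s and dst in d for s, d in self.nat0_acl):
            return src                                   # exempt: leaves untranslated
        if src in self.statics:
            return self.statics[src]
        matches = [(net, nat_id) for net, nat_id in self.nat_rules if src in net]
        if not matches:
            raise ValueError(f"no nat rule matches {src}")
        net, nat_id = max(matches, key=lambda m: m[0].prefixlen)   # most specific wins
        return self.globals[nat_id]

    def enters_tunnel(self, src: IPv4, dst: IPv4) -> bool:
        """NAT runs before the crypto ACL check, so the ACL sees the translated source."""
        outside_src = self.translate(src, dst)
        return any(outside_src in s and dst in d for s, d in self.crypto_acl)

    def inbound_candidates(self, outside_ip: IPv4) -> list:
        """Inside hosts sharing a dynamic many-to-one mapping to outside_ip.  More than
        one candidate means the customer cannot address a specific host (a printer,
        say) unless a 'static' is added for it."""
        ids = {nat_id for nat_id, g in self.globals.items() if g == outside_ip}
        return sorted(str(net.network_address) for net, nat_id in self.nat_rules
                      if nat_id in ids and net.prefixlen == 32)


def build_pix(tunnel_hosts_in_acl_100: bool = False) -> PixNat:
    """Chris's relevant lines plus Tom's additions.  nat id 2 is used for the three
    hosts (as in Tom's earlier post) because id 1 is already Chris's default PAT.
    157.0.0.0/16 is a constructed stand-in for the masked '157.x.x.x' in ACL 100."""
    pix = PixNat()
    # nat (inside) 0 access-list 100 / access-list 100 permit ip 192.168.102.0/24 157.x.x.x/16
    pix.nat0_acl.append((Net("192.168.102.0/24"), Net("157.0.0.0/16")))
    # nat (inside) 1 0.0.0.0 0.0.0.0 0 0 / global (outside) 1 68.208.80.231
    pix.nat_rules.append((Net("0.0.0.0/0"), 1))
    pix.globals[1] = IPv4("68.208.80.231")
    # nat (inside) 2 <host> 255.255.255.255 0 0 per host / global (outside) 2 68.208.80.254
    for host in ("192.168.1.245", "192.168.1.246", "192.168.1.247"):
        pix.nat_rules.append((Net(host + "/32"), 2))
    pix.globals[2] = TUNNEL_SRC
    # access-list 101 permit ip host 68.208.80.254 192.168.102.0 255.255.255.192
    pix.crypto_acl.append((Net(str(TUNNEL_SRC) + "/32"), CUSTOMER_VPN_NET))
    if tunnel_hosts_in_acl_100:
        # the mistake Tom warns about: a nat 0 (ACL 100) entry for the tunnel traffic
        pix.nat0_acl.append((Net("192.168.1.245/32"), CUSTOMER_VPN_NET))
    return pix


if __name__ == "__main__":
    pc, as400 = IPv4("192.168.1.245"), IPv4("192.168.102.2")
    print("LANs overlap, NAT required:", lans_overlap(MY_LAN, CUSTOMER_LAN))
    good = build_pix()
    print("pc -> AS/400 leaves as", good.translate(pc, as400),
          "tunnel:", good.enters_tunnel(pc, as400))
    bad = build_pix(tunnel_hosts_in_acl_100=True)
    print("with ACL 100 entry leaves as", bad.translate(pc, as400),
          "tunnel:", bad.enters_tunnel(pc, as400))
    print("hosts behind", TUNNEL_SRC, "->", good.inbound_candidates(TUNNEL_SRC))
```

With Tom's lines the PC's traffic to 192.168.102.2 leaves as 68.208.80.254 and matches access-list 101, so it is encrypted; with an ACL 100 entry for the same flow the nat 0 exemption wins, the packet keeps its 192.168.1.245 source, and the crypto ACL no longer matches. The `inbound_candidates` check shows the remaining design caveat for Chris's ping requirement: three hosts behind one dynamic PAT address give the customer no way to pick a particular printer for sessions they initiate, which would need a static per host.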

Tim Holman Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

 --> ACCEPT:TomCRiley

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

 
tim_holman
EE Cleanup Volunteer