Solved

VPN - Private address conflict

Posted on 2003-10-30
Last Modified: 2013-11-16
Hello

I need to create a VPN between a customer and myself.  No problem.  The problem is that we both are using the same private address range of 192.168.1.0/24.  I need to set up a PC and two printers on my LAN that will connect to their network.  We've agreed to use the 192.168.120.0/26 segment for this new equipment.  How do I NAT inside to the 120 segment?  I'm using a Cisco PIX 515 6.1(1).

Thanks for the help
Question by: donchr
25 Comments
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9652044
donchr,

global (outside) 1 1.2.3.4
nat (inside) 1 192.168.120.0 255.255.255.192 0 0

Build your ACL's with this address (1.2.3.4).

If the 192.168.120.0/26 net is already PAT'd for internet access or something, just use that address in your ACL's.
If you have a "nat 0 access-list", don't include ACL's for this tunnel.

If you post the code, I can help you put it together.

Tom
0
 

Author Comment

by:donchr
ID: 9652474
Thanks Tom:

Here's some code from my PIX - Is this enough to answer your question?  I mistyped earlier - it is 192.68.102.0/26


access-list 100 permit ip 192.168.102.0 255.255.255.0 157.x.x.x 255.255.0.0

ip address outside 68.208.80.x 255.255.255.224
ip address inside 192.168.1.254 255.255.255.0
ip local pool pptp-pool 192.168.100.1-192.168.100.50
global (outside) 1 68.208.80.231-68.208.80.239 netmask 255.255.255.224
global (outside) 1 68.208.80.231 netmask 255.255.255.224
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 68.208.x.x 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 68.208.x.x 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 68.208.x.x 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 68.208.x.x 192.168.1.254 netmask 255.255.255.255 0 0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 68.152.200.125
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9652803
Well...it'll be easier if we can predict what the traffic will be NAT'd to when it is destined for the tunnel.  Does the entire inside network need to access resources on the other side of the tunnel or just some specific hosts?

Tom
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9652864
By virtue of the "nat (inside) 1 0.0.0.0 0.0.0.0 0 0" and the matching global, all inside hosts get NAT'd.  Looks like we should first start with NAT'ing the 192.168.120.0/26 hosts to their own global:

global (outside) 2 68.208.80.x <~~~ free public address
nat (inside) 2 192.168.120.0 255.255.255.192 0 0

If this sounds like it fits your situation, we can move on.

Tom
0
 

Author Comment

by:donchr
ID: 9652913
This is the way I see it - I will have one pc and two printers on my lan.  No one on my network necessarily needs to see them but their network (my customer) will need to see them across the VPN (ping).  We will be running their AS/400 software on it.

pc   192.168.1.245 -<-----nat----> 192.168.102.2
prt   192.168.1.246 -<-----nat----> 192.168.102.3
prt   192.168.1.247 -<-----nat----> 192.168.102.4

?? We establish a tunnel.  They send traffic looking for 192.168.102.2 - my PIX nats that address to 192.168.1.245 and of course vice-versa.   Is that possible?
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9653068
Oh, I see the plan.  The hosts aren't on a separate network segment.  They are on the same segment as the other inside hosts and you want them to be NAT'd to 192.168.120.x.  If it's only three hosts, I might NAT them all to one address.  I would do it like this:

global (outside) 2 68.208.80.x netmask 255.255.255.255  <~~~ free public address
nat (inside) 2 192.168.1.245 255.255.255.255 0 0
nat (inside) 2 192.168.1.246 255.255.255.255 0 0
nat (inside) 2 192.168.1.247 255.255.255.255 0 0

This will NAT all the hosts that need to traverse the tunnel to one public address.

I know you said you agreed to use 192.168.120.0/26 for the tunnel but, to be quite honest, I'm not sure the PIX will let you do that.  Maybe there is something I don't know, but you can't use an invalid outside address in your "global (outside) 2" statement.  And, even if the PIX let you (which I have never even tried), you would prevent the hosts from venturing out of your network.

Let me know where we go from here.

Tom

0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9653083
It is very possible but I'm unsure of using a private IP as I mentioned in my previous post.  Either way, the code is the same with the exception of the IP's obviously.  Doesn't hurt to try if what I proposed won't work for you.
0
 

Author Comment

by:donchr
ID: 9653247

I do have available outside addresses that I could use in the global (outside) 2 statement.  How do I relate the VPN connection to this new outside address?  Then - how do I relate the nat (inside) 192.168.1.245...... to the 192.168.120.x hosts?

Is this still possible?
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9653948
First to address the second part of the question...I thought that there aren't any 192.168.120.x hosts and that was just what you wanted to NAT them to.  What are the IP's that are bound to the NIC cards of the hosts that need to traverse the tunnel?...192.168.1.x or 192.168.120.x??  Once we figure this out, the rest is easy.

Tom
0
 

Author Comment

by:donchr
ID: 9654032
the hosts are:
   192.168.1.245
   192.168.1.246
   192.168.1.247
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9654958
OK, so we'll forget the 192.168.120.0/26 thing.  Let the customer know that all traffic coming from your PIX to their VPN device will be NAT'd to <insert free public IP here>.  Once everybody agrees, we can move on and get the configuration done.  Sound good?

Tom
0
 

Author Comment

by:donchr
ID: 9657606
Sounds good to me, but I'm unclear on how it will work.  Am I creating a VPN site-to-site connection with the new public IP?

Chris
0

 
LVL 2

Expert Comment

by:TomCRiley
ID: 9658114
Yes, you are creating a site-to-site VPN and NAT'ing your side before it traverses the tunnel.  What is the customer's subnet?  I'll post some code for you after you post the subnet of the other side and you can apply it to your situation.

Tom
0
 

Author Comment

by:donchr
ID: 9658252
They have allocated 192.168.102.0/26 as a range that's available on their side.  We can use 192.168.102.2 / 192.168.102.3 / 192.168.102.4 / 192.168.102.5

Chris
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9659840
Is it a PIX on their side, also?  Are they NAT'ing their hosts to 192.168.102.x or is that the real IP's of the hosts?
0
 

Author Comment

by:donchr
ID: 9659935
Hi Tom

I'm verifying this - but I believe it's a Checkpoint V4.1.  I also believe that they are valid IP's on their system.
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9659992
So do the hosts on your side need to access their entire net or just certain hosts?
0
 

Author Comment

by:donchr
ID: 9660028
Only a small number of hosts - their AS/400 application server and maybe one other.
0
 

Author Comment

by:donchr
ID: 9660326
Here's their response:

We will be using Checkpoint NG.  We are not using the 192.168.102.0/26 address space but would route those addresses to you.

Thanks
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9660772
So they are NAT'ing their side also?  Doesn't really matter but I'm confused why both sides need to be NAT'd.  You said that you use the same internal subnet as the customer.  So who's doing the NAT'ing...you, them or both?  Both is possible but kind of pointless.  I can give you the code to NAT your side and build the ACL's using their side of 192.168.102.0/26.  After that, you can just tell them to build their ACL's using the public address that your side will get NAT'd to.  Let me know and we'll get this show on the road.  I will go ahead and assume that this is the way you want to do it and I'll post the code anyways.

Tom
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9660900
where 68.208.80.254 = your side NAT'd IP
where 192.168.102.0/26 = customer's net
where 1.2.3.4 = Checkpoint's outside IP

access-list 101 permit ip host 68.208.80.254 192.168.102.0 255.255.255.192
global (outside) 1 68.208.80.254
nat (inside) 1 192.168.1.245 255.255.255.255 0 0
nat (inside) 1 192.168.1.246 255.255.255.255 0 0
nat (inside) 1 192.168.1.247 255.255.255.255 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set tunnel esp-des esp-sha-hmac
crypto map vpnpeer 1 ipsec-isakmp
crypto map vpnpeer 1 match address 101
crypto map vpnpeer 1 set peer 1.2.3.4
crypto map vpnpeer 1 set transform-set tunnel
crypto map vpnpeer 1 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map vpnpeer interface outside
isakmp enable outside
isakmp key xxxxxxxx address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Tom
0
 

Author Comment

by:donchr
ID: 9660918
Tom

I greatly appreciate your help - I will test this on monday and let you know where I'm at.

Thanks
Chris
0
 
LVL 2

Accepted Solution

by: TomCRiley (earned 500 total points)
ID: 9660938
The access-list 101 paired with the "crypto map vpnpeer 1 match address 101" is what associates the public IP (68.208.80.254) to the tunnel.  You are probably used to also adding an access-list 100 which would tell the PIX not to NAT the traffic by virtue of the "nat (inside) 0 access-list 100" but, obviously, you will need to leave the access-list 100 out for this tunnel.  Clarification...the "nat 0" will stay where it is, just don't create an access-list 100 to match the access-list 101 because that will reverse our efforts.  Let me know if you need more help.

Tom
0
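As an added illustration of the point in the accepted answer (not PIX code and not from the thread), the script below models the PIX's outbound NAT decision for one packet: a matching "nat 0 access-list" entry exempts the packet from translation, otherwise the longest-prefix "nat" statement and its "global" apply, and only the post-NAT source is compared against crypto ACL 101. The nat 0 evaluation order, the longest-prefix rule and the 157.0.0.0/16 stand-in for 157.x.x.x are assumptions; the addresses are constructed from the thread.

```python
import ipaddress

# Simplified model of the PIX 6.x outbound NAT decision discussed in the thread.
# Assumptions: a 'nat 0 access-list' exemption is checked before the numbered
# 'nat'/'global' pairs, and among 'nat' statements the longest prefix wins.

NAT0_ACL = [("192.168.102.0/24", "157.0.0.0/16")]   # access-list 100 (157.x.x.x as placeholder)
NAT_STATEMENTS = [                                   # (nat id, local network)
    (2, "192.168.1.245/32"), (2, "192.168.1.246/32"), (2, "192.168.1.247/32"),
    (1, "0.0.0.0/0"),                                # original catch-all nat (inside) 1
]
GLOBALS = {1: "68.208.80.231", 2: "68.208.80.254"}   # global (outside) <id> <address>
CRYPTO_ACL_101 = [("68.208.80.254/32", "192.168.102.0/26")]  # "match address 101"
PEER_LAN = ipaddress.ip_network("192.168.1.0/24")    # customer's own (overlapping) LAN

def translated_source(src, dst, nat0_acl):
    """Source address the packet carries after outbound NAT (None = no match)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s_net, d_net in nat0_acl:                    # nat 0: identity, no translation
        if src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net):
            return src
    matches = [(nid, ipaddress.ip_network(n)) for nid, n in NAT_STATEMENTS
               if src in ipaddress.ip_network(n)]
    if not matches:
        return None
    nid, _ = max(matches, key=lambda m: m[1].prefixlen)
    return ipaddress.ip_address(GLOBALS[nid])

def enters_tunnel(xlated_src, dst):
    """True if the post-NAT packet matches the crypto ACL and gets encrypted."""
    dst = ipaddress.ip_address(dst)
    return any(xlated_src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in CRYPTO_ACL_101)

def check_host(src, dst, nat0_acl=NAT0_ACL):
    """Return (source seen by the peer, tunneled?, collides with the peer's LAN?)."""
    xlated = translated_source(src, dst, nat0_acl)
    if xlated is None:
        return (None, False, False)
    return (str(xlated), enters_tunnel(xlated, dst), xlated in PEER_LAN)

if __name__ == "__main__":
    print(check_host("192.168.1.245", "192.168.102.2"))             # as in the accepted answer
    mistaken = NAT0_ACL + [("192.168.1.0/24", "192.168.102.0/26")]   # the ACL 100 line Tom warns against
    print(check_host("192.168.1.245", "192.168.102.2", mistaken))   # untranslated, not tunneled
    print(check_host("192.168.1.50", "192.168.102.2"))              # ordinary inside host
```

The second case shows why adding the tunnel traffic to access-list 100 "reverses the effort": the host keeps its 192.168.1.x address, misses crypto ACL 101, and would collide with the customer's identical 192.168.1.0/24.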
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10906901
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

 --> ACCEPT:TomCRiley

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

 
tim_holman
EE Cleanup Volunteer
0
