Solved

Pix to Pix VPN Question with NAT

Posted on 2004-08-18
4
265 Views
Last Modified: 2010-04-11
I have a question about a site to site VPN between a Pix 501 and a Pix 506e.
I am going to be setting up a VPN connection so a client is able to access 3 of our servers.
The problem is that we are both using the same address ranges for our internal networks.
So I am guessing that the only way to do this would be to use some sort of NAT.
I guess my question would be is this the easiest way to do this and if so what the commands would be.

This is really general I know, but I just wanted to get to the point.
Any help you could provide would be much appreciated.

Thanks

Nick
0
Comment
Question by:Paisley-Consulting
4 Comments
 
LVL 7

Expert Comment

by:wparrott
ID: 11838201
Take a look at this document on the Cisco website:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml#step3

The problem you are going to have is routing the traffic from your client's network to your servers. Because you are both in the same IP range, and I am assuming the same subnet, their Pix will view traffic destined for your servers as local traffic, not routed traffic. If you, or your client, could use different subnets, it wouldn't be an issue and a standard Pix-to-Pix VPN tunnel would work, with no need to perform NAT translation. See this document to explain it in greater detail:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

My knowledge on this subject is limited but I noticed that no one had repied to your question yet. Good luck...
0
 

Author Comment

by:Paisley-Consulting
ID: 11840463
Thank You for you help and the links, I appreciate it.

The big problem is that we are both using the 10.x.x.x /8 address range for our internal networks..  That is not really something you can change very easily.  We have a remote office with a 192.168.10.x range setting up the VPN with a office in India that has the 10.x.x.x range.  The problem is that our remote office is connected to our own 10.x.x.x network, so like you said the packets will be bouncing all over the place.  If anyone has any help on how you would NAT this, or any other way you would be able to set this up.

Thanks in advance.
0
 

Expert Comment

by:dstarfire
ID: 11846259
Too bad you can't just change the addresses on the shared servers to something totally unique, and run that through the nat.  Unfortuantely, that'd require running all local access to those servers through a router which could create some headaches.
0
 
LVL 1

Accepted Solution

by:
BEEIT earned 500 total points
ID: 11851473
You should translate the internal Adress range to external PAT with a unique external IP adress.
After that the VPN is not connected with the internal IP range but with the public NAT ip.

To do that, you should use an internal NAT device to connect to the PIX.
(Probably a Windows Server (Router), Hardware Router or another PIX)

INTERNAL_NETWORK -> NAT_DEVICE -> PIX_DEVICE -> INTERNET ->...
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Provisioning vcpu for VM (cisco virl) 4 38
Unauthorized Network Devices Appearing on Home Network 20 112
Cisco switch suggestion 5 51
Internet Service Provider 3 51
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question