How to create a VPN between 2 firewalls when I have a Cisco 837 with NAT in the middle?

Hi there:

I want to create an IPSec VPN between two PIX ver 6.3, but in the middle I have a Cisco 831 ADSL router with just 1 Homologated IP.

I have implemented NAT overload on the router.

I think we need to configure NAT-T, but the question here is how can this configuration be implemented?

Please help me if you can.

Regards.
NEW-IPSec-scenario.JPG
1ktw08 Asked:

brasslan Commented:
That can be done.  When the VPN packets come in and hit the outside of the DSL router, then you need to port forward (or static nat) those packets to the PIX on the inside.  With NAT traversal turned on for the VPN at the endpoints, then it should work.
0
1ktw08 Author Commented:
OK. Now, after applying port forwarding on the ADSL router, the Remote Office cannot access the Internet (I am supposed to access the Internet directly from the router, not using the tunnel).

Can this scenario be implemented too?

Where do I need to activate NAT-T: on both PIX devices, or on the router?
0
rayb0nes Commented:
Hi,

You need to enable NAT traversal on both endpoints as brasslan said: I think the command is "isakmp nat-traversal".

Hope this helps
0
1ktw08 Author Commented:
Sorry, I cannot yet establish connectivity between both PIX with the Cisco DSL NAT router in the middle.

I can see from the inside that the PIX is trying to connect to the remote PIX (located on the outside: 12.172.141.2). In this case, how does the remote PIX need to be configured in order to reach the inside PIX? Specifically, in the configuration of the Transform-set Peer, which IP address do I need to configure: the DSL outside IP of the router (201.100.17.38), or the inside local IP of the PIX located on the inside (10.16.17.146)?

Regards.

I have on the PIX located in the Inside, this configuration:


crypto map koamap 10 set peer 12.172.141.2

isakmp nat-traversal
isakmp enable outside
isakmp key ******* address 12.172.141.2 netmask 255.255.255.255

Regards
0

1ktw08 Author Commented:
Any ideas about this question?

Regards
0
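
The setup discussed in this thread, as an added configuration sketch that is not from any participant: the NAT router keeps PAT for Internet access and forwards only the IKE and NAT-T UDP ports to the inside PIX, and the remote PIX peers with the router's public address, because that is the source address it sees after NAT. Interface names (Ethernet0, Dialer0), ACL number 1, the 10.16.17.0/24 inside range and the map name REMOTE-MAP are assumptions; the IP addresses are the ones quoted above.

```cisco
! ---- Cisco ADSL router (IOS) in the middle ----
! Interface names are assumptions: adjust to the real LAN/WAN interfaces.
interface Ethernet0
 ip nat inside
interface Dialer0
 ip nat outside
!
! Keep NAT overload (PAT) so the remote office still reaches the
! Internet directly. 10.16.17.0/24 is an assumed inside range.
access-list 1 permit 10.16.17.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Forward only IKE (UDP 500) and NAT-T (UDP 4500) to the inside PIX.
! Port-specific entries leave PAT working for every other flow.
! Raw ESP (IP protocol 50) has no ports and cannot cross PAT, which is
! why NAT-T wraps it in UDP 4500.
ip nat inside source static udp 10.16.17.146 500 interface Dialer0 500
ip nat inside source static udp 10.16.17.146 4500 interface Dialer0 4500

: ---- Inside PIX 6.3 (10.16.17.146), as posted in the thread ----
crypto map koamap 10 set peer 12.172.141.2
isakmp enable outside
isakmp nat-traversal
isakmp key ******* address 12.172.141.2 netmask 255.255.255.255

: ---- Remote PIX 6.3 (12.172.141.2) ----
: The peer and the pre-shared key entry use the router's public
: address, not the private 10.16.17.146, which is not routable
: from the outside.
: REMOTE-MAP is a hypothetical crypto map name.
crypto map REMOTE-MAP 10 set peer 201.100.17.38
isakmp enable outside
isakmp nat-traversal
isakmp key ******* address 201.100.17.38 netmask 255.255.255.255
```

The pre-shared key must match on both PIX devices, and NAT-T must be enabled on both so that they detect the NAT device during IKE and switch to UDP 4500.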