PIX to PIX VPN With a Cisco 2650 Router

Posted on 2011-05-04
Last Modified: 2012-05-11
Hello all:

I'm going to be setting up a network using the following devices: Cable Modem (1st), Cisco 2650 Router (2nd), and Cisco PIX 501 (3rd).  Currently, the cable modem is connected to the PIX and I have a PIX to PIX VPN already established from my work to home and it works fine.  I'm going to add a router to the mix at home so I can route to other networks between the PIX and router, but I have no idea how to set this up.  Would someone be willing to give me some configuration examples?  Thanks very much.
Question by: Music_Man608
    LVL 18

    Accepted Solution

    Your problem is going to be public IP space.  Do you have a single IP address or more than one?  If you have a single address, you will need to NAT on the  2650 and pass the VPN traffic through to the PIX to complete the tunnel.  If you have multiple addresses that can be subnetted (probably unlikely), you may be able to use public address space on the 2650.  But I doubt that's likely.  If you have more than one address but can't subnet off a group, then you'll still NAT on the 2650, but you will be able to assign a different address to NAT to the PIX.  You will want to no-NAT all your traffic on the PIX.

    If we understand more about your specific situation, we can get more specific with the configs.

    Author Comment

    I only have one public IP address from my ISP.  Is there somewhere I can send my configs to?  I don't want to show the world, but I wouldn't mind showing the expert.  Thanks.

    Author Comment

    Ok, I just tried to set up the Router and the PIX together.  It was a disaster.  I've attached the test files if someone would be so kind as to tell me what I did wrong.  Thanks a bunch.
    LVL 18

    Assisted Solution

    My suspicion is the PIX is NATing traffic to another private address (10.42.42.x) and the Cisco is trying to route that to the Internet.  The ISP won't accept that.  You need to NAT at the Cisco router, which you've started but is incomplete.  My suggestion would be to no-nat traffic on the PIX (use NAT 0) and then NAT on the Cisco to the public IP address you have from the ISP.  On the PIX, remove the existing NAT and GLOBAL commands and configure "nat (inside) 0 0 0".  On the Cisco what you've missed is you have to specify what's getting NATed, not just what the inside and outside interfaces are.

    access-list 1 permit any
    ip nat inside source list 1 interface ethernet0/0 overload
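
    Putting the two answers together, the following is an added example configuration, not the expert's or the asker's own config: the PIX stops translating (nat 0) and the 2650 does PAT onto the single public IP, with the IKE ports forwarded so the remote PIX can still reach the tunnel endpoint. The interface names, the 10.42.42.0/24 transit subnet between router and PIX, and the PIX outside address 10.42.42.2 are assumptions.

```cisco
! --- Cisco 2650, sitting between the cable modem and the PIX ---
! Assumed: Ethernet0/0 faces the cable modem and receives the single
! public IP via DHCP; Ethernet0/1 (assumed name) faces the PIX outside
! interface on the 10.42.42.0/24 transit subnet.
interface Ethernet0/0
 ip address dhcp
 ip nat outside
interface Ethernet0/1
 ip address 10.42.42.1 255.255.255.0
 ip nat inside
!
! Translate only the transit subnet behind the router, not "permit any",
! so nothing unexpected is ever PATed onto the public address.
access-list 1 permit 10.42.42.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0/0 overload
!
! The remote PIX still aims at the public IP, which the router now owns.
! Hand inbound IKE (UDP/500) and NAT-T (UDP/4500) to the home PIX so the
! remote side can bring the tunnel up; outbound traffic is PATed as usual.
ip nat inside source static udp 10.42.42.2 500 interface Ethernet0/0 500
ip nat inside source static udp 10.42.42.2 4500 interface Ethernet0/0 4500

! --- PIX 501 (6.3 syntax) ---
! Remove the existing nat (inside) 1 ... and global (outside) 1 ... lines
! from the running config (exact lines depend on the current config),
! then disable translation entirely; the router does the NAT now.
nat (inside) 0 0 0
!
! Outside interface now lives on the private transit subnet, default
! route points at the router's inside address.
ip address outside 10.42.42.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.42.42.1 1
!
! Raw ESP does not survive PAT; NAT-T wraps it in UDP/4500. Both peers
! must support and enable it for the existing tunnel to come back up.
isakmp nat-traversal 20
```

    The crypto map and isakmp peer statements already on the PIX stay unchanged; only the address the home PIX presents to the Internet moves from the PIX to the router.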
