How to do Nat between two PIX firewall VPN.same network on both sides?

salel.munappil · ‎05-30-2003

Hi,

I have two different sites with same network on both sides. I want to establish VPN tunnel between these two sites. I dont want to change the IP addreses in my Network. I want to do NAT on PIX for the users on one site..How is this possible..

mnaveen · ‎05-30-2003

Hi,

There is this good article from Cisco. Check out the following link.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml

You can also refer to

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml

Keep us posted.

Have a nice day,

Naveen

mnaveen@cisco.com

salel.munappil · ‎06-01-2003

Thanks a lot Naveen..the URL you have provided is perfect..

pau · ‎06-01-2003

Hello,

Have been trying for months to get VPN Client 3.x to connect to 3620, following

http://www.cisco.com/warp/public/471/ios-unity.html almost exactly. Authentication seems to go fine, just can't ping anything on the router side.

Any advise/suggestions really appreciated. Using 12.2(8) T8

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname AcceNet3620

!

aaa new-model

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

enable secret xxxxx

enable password xxx

!

username xxx password 0 xxx

ip subnet-zero

!

ip domain-name AcceNet.com

ip name-server 4.2.2.2

ip name-server 4.2.2.1

!

ip audit notify log

ip audit po max-events 100

ip ssh time-out 60

ip ssh authentication-retries 2

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group 3000client

key xxx

dns 192.168.168.2

wins 192.168.168.2

domain AcceNet.com

pool ippool

acl 108

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

fax interface-type fax-mail

mta receive maximum-recipients 0

!

interface FastEthernet0/0

ip address 192.168.168.8 255.255.255.0

ip nat inside

no ip mroute-cache

duplex auto

speed auto

!

interface Ethernet1/0

no ip address

half-duplex

!

interface Ethernet1/1

ip address 216.59.x.x 255.255.255.240

ip nat outside

half-duplex

crypto map clientmap

!

ip local pool ippool 192.168.10.10 192.168.10.20

ip nat inside source list 10 interface Ethernet1/1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 216.59.145.113

ip route 192.168.10.0 255.255.255.0 216.59.145.113

no ip http server

ip pim bidir-enable

!

access-list 10 permit 192.168.168.0 0.0.0.255

access-list 107 permit esp any any

access-list 107 permit udp any any eq isakmp

access-list 107 permit tcp any any eq 22

access-list 107 permit tcp any any eq www

access-list 108 permit ip 192.168.168.0 0.0.0.255 192.168.10.0 0.0.0.255

!