Hello,
I need to setup a site to site tunnel with cisco PIX
Local network is 10.61.13.0/24 and remote networks are 10.17.160.0/23 and 10.9.160.0/23
In this situation I'm able to close phase 1 and phase 2 with no prb
But the problem is that for remote networks my local network must be 10.104.204.19/32
I mean, before entering the tunnel, IPs of local network (10.61.13.x) have to translated in 10.104.204.19/32
PIX has to make NAT/PAT so packet sources entering the tunnel are always 10.104.204.19
Where am I wrong?
Thank you very much and here a snippet of my config.
PIX Version 6.3(5)
access-list NoNAT permit ip host 10.104.204.19 10.17.160.0 255.255.254.0
access-list NoNAT permit ip host 10.104.204.19 10.9.160.0 255.255.254.0
global (outside) 1 interface
global (inside) 2 10.104.204.19
nat (inside) 0 access-list NoNAT
nat (inside) 2 10.9.160.0 255.255.254.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 [Intenet gateway] 1
route outside 10.9.160.0 255.255.254.0 [remote VPN peer] 1
route outside 10.17.160.0 255.255.254.0 [remote VPN peer] 1
sysopt connection permit-ipsec
crypto ipsec transform-set TUNNEL esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map CRYPTOMAP 10 ipsec-isakmp
crypto map CRYPTOMAP 10 match address NoNAT
crypto map CRYPTOMAP 10 set pfs group5
crypto map CRYPTOMAP 10 set peer [remote VPN peer]
crypto map CRYPTOMAP 10 set transform-set TUNNEL
crypto map CRYPTOMAP interface outside
isakmp enable outside
isakmp key ******** address [remote VPN peer] netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 5
isakmp policy 1 lifetime 28800
