03-09-2011 08:30 AM
Hi! I have a hub and spoke VPN network I need to set up for our clients to access. I have 3 endpoints in this example: VPN Concentrator, Pix 515e, and Linksys RV042. The Concentrator is at our parent company's site, the Pix 515e is at our data center, and the RV042 is at the client's site. What I have currently is a VPN connection between our Pix 515e and the Concentrator and another VPN between our Pix 515e and the RV042. What I need is for the server at the client site (RV042) to talk to the Concentrator network through our Pix 515e. I also need the traffic to be NATed so it looks like it's coming from the same network subnet on our Pix 515e to the Concentrator.
Concentrator (SPOKE): 10.1.6.x
Pix 515e (HUB): 172.16.3.x
RV042 (SPOKE): 192.168.71.x
Pix 515e (HUB):
Outside - 12.34.56.78
Inside - 172.16.1.1
Concentrator (SPOKE):
Outside - 87.65.43.21
Inside - 10.1.6.1
RV042 (SPOKE):
Outside - 150.150.150.150
Inside - 192.168.71.1
The Concentrator allows all traffic from my Pix 515e on subnet 172.16.3.x and vice versa. The RV042 allows all traffic from 172.16.3.x to talk to 192.168.71.x and vice versa. I need to route 192.168.71.5 on the RV042 network to 10.1.6.x on the Concentrator network through the Pix 515e and make it look like it's coming from 172.16.3.71. So I need to NAT that traffic through the tunnel to another tunnel. Attached running config edited for privacy concerns. Any and all assistance is greatly appreciated.
03-09-2011 09:54 AM
On PIX you need a policy static statement,
access-list nat permit ip host 192.168.71.5 10.1.6.0 255.255.255.0
static (outside,outside) 172.16.3.71 access-list nat
And modify the crypto ACLs appropriately to include the natted address.
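The following is an added example of what the hub-side configuration described in the answer above looks like as a whole; it is not the poster's running config and not part of this thread. It assumes PIX 7.x syntax (hairpinning a decrypted flow back out the same interface needs the intra-interface permit), and the ACL and crypto map names NAT-CLIENT, CONC-VPN, RV042-VPN and OUTSIDE-MAP are placeholders. Addresses and peers are the ones given in the question. Note that the RV042 tunnel's crypto ACL has to carry the untranslated return flow (10.1.6.x to 192.168.71.5), and the RV042 itself must mirror that entry; whether a single-remote-subnet RV042 can do so is the open point raised later in the thread.

```cisco
! Added example, not the poster's configuration. PIX 7.x syntax assumed;
! ACL and crypto map names are placeholders.

! Allow traffic decrypted on "outside" to be re-encrypted out of "outside"
same-security-traffic permit intra-interface

! Policy NAT: only 192.168.71.5, and only when bound for the Concentrator LAN,
! is presented to the Concentrator tunnel as 172.16.3.71
access-list NAT-CLIENT permit ip host 192.168.71.5 10.1.6.0 255.255.255.0
static (outside,outside) 172.16.3.71 access-list NAT-CLIENT

! Concentrator tunnel: translation happens before the crypto map is matched,
! so the existing 172.16.3.0/24 <-> 10.1.6.0/24 entry already covers 172.16.3.71
access-list CONC-VPN permit ip 172.16.3.0 255.255.255.0 10.1.6.0 255.255.255.0

! RV042 tunnel: keep the hub/client entry and add the untranslated return flow
! (10.1.6.x -> 192.168.71.5) so it is treated as interesting traffic for that peer
access-list RV042-VPN permit ip 172.16.3.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list RV042-VPN permit ip 10.1.6.0 255.255.255.0 host 192.168.71.5

! Bind each crypto ACL to its peer (peer addresses as given in the question)
crypto map OUTSIDE-MAP 10 match address CONC-VPN
crypto map OUTSIDE-MAP 10 set peer 87.65.43.21
crypto map OUTSIDE-MAP 20 match address RV042-VPN
crypto map OUTSIDE-MAP 20 set peer 150.150.150.150
```

With `sysopt connection permit-vpn` in place, traffic decrypted from either tunnel bypasses the outside interface ACL; without it, the outside ACL must permit 10.1.6.0/24 to the mapped address 172.16.3.71, which is the address the inbound ACL sees before the static is undone.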
03-09-2011 12:38 PM
Thanks for the reply! I added the lines as you said. Do I also need to NAT the traffic coming back from the Concentrator to the RV042? The RV042 only allows one remote subnet as part of the VPN configuration.
03-10-2011 09:05 AM
I did as you suggested but I get an error. It is denying pings from the 10.1.6.x network. I have an ACL already in place that allows outside traffic from 10.1.6.x to ping anything on 172.16.3.0 but it still is denying it.
What I added:
access-list nat permit ip host 192.168.71.5 object-group Conventrator-VPN
static (outside,outside) 172.16.3.71 access-list nat 0 0
Any other suggestions?