05-24-2011 07:35 AM - edited 02-21-2020 05:22 PM
Hello All,
I have to create an IPSEC tunnel to two different networks providers that have the same Internal Network.
This is my setup
ServerA ----- PIX(6.3) ----+---- Router1 ----- VPN tunnel ----- Remote Router A (I have no control) LAN 192.168.1.x/24 (already working)
                           |
                           +---- Router2 ----- VPN tunnel ----- Remote Router B (I have no control) LAN 192.168.1.x/24 (new tunnel, DUPLICATE)
Server A = IP 10.16.2.10, gateway 10.16.2.1
Server A = static NAT 10.16.2.10 -> 10.16.5.10 (dmz interface)
PIX = inside interface 10.16.2.1, dmz interface 10.16.5.1
The dmz interface has access to the Internet; I have 2 separate routers with different ISPs, both working.
Router1 = 10.16.5.60
Router2 = 10.16.5.70
~~ PROBLEM: I cannot route to two different networks with the same IP addresses. The PIX already has a static default route to the 192.168.1.x/24 network. I have 2 separate routers, with 2 different ISPs.
Is there a way for me to NAT, or change the new network (192.168.1.x) to a different subnet internally on my Cisco routers?
Thank you,
Randall
PS: I was looking at this article but it doesn't seem to apply:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
05-24-2011 10:10 AM
If your VPN is terminated on Router2, you should be able to NAT 192.168.1.x to something else on Router2, then on the PIX you just need to add a route pointing to Router2 for the NAT-ed IP. If you can provide the Router2 configuration, we can give you a detailed suggestion.
05-24-2011 01:02 PM
Yudong Wu,
Thank you for your time. Yes, my tunnel terminates on the Cisco Router2. I can't figure out how to perform the NAT on the 192.168.1.x network.
I will point the route on the PIX to the new network that we specify. Please feel free to suggest your ideal configuration.
I have a standard VPN on the Cisco router, nothing fancy, just the default.
version 12.4
hostname RandallRouter
!
boot system flash c1841-advsecurityk9-mz.124-15.T7.bin
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key 123456 address 2.2.2.2
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set IpsecVPN esp-3des esp-md5-hmac
!
crypto map 3desmap 23 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set IpsecVPN
 match address IpsecVPN
!
interface FastEthernet0/0
 description OUTSIDE
 ip address dhcp client-id FastEthernet0/0
 crypto map 3desmap
!
interface FastEthernet0/1
 ip address 10.16.5.70 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 3.3.3.3
!
ip access-list extended IpsecVPN
 permit ip 10.16.5.0 0.0.0.255 host 192.168.1.29
Thank you for your help! :-)
05-24-2011 02:48 PM
This should work.
interface f0/0
 ip nat inside
!
interface f0/1
 ip nat outside
!
ip nat inside source static network 192.168.1.0 22.22.22.0 /24
Then on the PIX, point 22.22.22.0/24 to Router2.
Now every application/server behind the PIX will need to send traffic to 22.22.22.x if it wants to talk to 192.168.1.x behind Router B.
05-24-2011 05:53 PM
Very interesting, we apply the "inside" NAT for a remote network. Looks easy once you know how to do it. :-)
---- Quick question: should the crypto ACL be specified with the 192.168.1.x network or with the 22.22.22.x network?
Once again, thanks!
05-24-2011 09:42 PM
Crypto ACL should still use "192.168.1.x".
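To make the accepted answer and this crypto-ACL point concrete, here is an added Python model (not code from the thread or from Cisco) of what Router2 and the PIX do to a packet once the static network NAT is in place. It uses the thread's addresses (10.16.5.0/24 behind the PIX, the duplicate 192.168.1.0/24 behind Router B, the 22.22.22.0/24 translated range the answer chose, Router1 at 10.16.5.60 and Router2 at 10.16.5.70); the PIX routing table and the "wrong" crypto ACL written against 22.22.22.x are constructed for illustration. It shows why the crypto ACL keeps the real 192.168.1.x addresses: IOS translates outside-to-inside traffic before routing, so by the time the crypto map on f0/0 evaluates the packet the destination is already 192.168.1.29, and an ACL naming 22.22.22.29 would never select it for encryption.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses mirroring the thread: the duplicate remote LAN behind
# Router B is 192.168.1.0/24 and the accepted answer maps it 1:1 onto
# 22.22.22.0/24 (the arbitrary translated range chosen in the thread).
REMOTE_LAN = ip_network("192.168.1.0/24")   # "inside local" from Router2's point of view
TRANSLATED = ip_network("22.22.22.0/24")    # "inside global": what the PIX side addresses
ROUTER1 = "10.16.5.60"                      # next hop for the original tunnel
ROUTER2 = "10.16.5.70"                      # next hop for the new, NATed tunnel

# Crypto ACLs as (source network, destination network) pairs. The first matches
# the ACL pasted in the thread; the second is the alternative the follow-up
# question asks about, i.e. writing the translated range into the crypto ACL.
CRYPTO_ACL_REAL = [(ip_network("10.16.5.0/24"), ip_network("192.168.1.29/32"))]
CRYPTO_ACL_TRANSLATED = [(ip_network("10.16.5.0/24"), ip_network("22.22.22.29/32"))]

# Hypothetical PIX routing table: the existing route for 192.168.1.0/24 still
# points at Router1; the new route for the translated range points at Router2.
PIX_ROUTES = [
    (ip_network("192.168.1.0/24"), ROUTER1),
    (ip_network("22.22.22.0/24"), ROUTER2),
    (ip_network("0.0.0.0/0"), "10.16.5.1"),   # placeholder default toward the DMZ gateway
]


def static_network_nat(addr, local_net=REMOTE_LAN, global_net=TRANSLATED):
    """Model of `ip nat inside source static network A B /24`: a one-to-one
    prefix swap in either direction; addresses in neither range pass through."""
    addr = ip_address(addr)
    for src_net, dst_net in ((local_net, global_net), (global_net, local_net)):
        if addr in src_net:
            offset = int(addr) - int(src_net.network_address)
            return ip_address(int(dst_net.network_address) + offset)
    return addr


def crypto_acl_permits(src, dst, acl):
    """True when the (src, dst) pair is selected for IPsec by the crypto ACL."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


def forward_from_pix(pkt, acl):
    """PIX side -> tunnel. The packet enters f0/1 (ip nat outside). IOS translates
    outside-to-inside traffic before routing, so destination 22.22.22.x becomes
    192.168.1.x, and only then is the crypto map on f0/0 consulted."""
    translated = {"src": pkt["src"], "dst": str(static_network_nat(pkt["dst"]))}
    return translated, crypto_acl_permits(translated["src"], translated["dst"], acl)


def forward_from_tunnel(pkt, acl):
    """Tunnel -> PIX side. The decrypted packet is checked against the mirrored
    crypto ACL with its real 192.168.1.x source; NAT then rewrites that source to
    22.22.22.x before the packet leaves f0/1 toward the PIX."""
    permitted = crypto_acl_permits(pkt["dst"], pkt["src"], acl)   # mirror of the outbound ACL
    translated = {"src": str(static_network_nat(pkt["src"])), "dst": pkt["dst"]}
    return translated, permitted


def pix_next_hop(dst, routes=PIX_ROUTES):
    """Longest-prefix match over the constructed PIX routing table."""
    d = ip_address(dst)
    best = max((net for net, _ in routes if d in net), key=lambda n: n.prefixlen)
    return dict(routes)[best]


if __name__ == "__main__":
    # Server A (seen as 10.16.5.10 on the dmz) talks to the host 192.168.1.29
    # behind Router B by addressing 22.22.22.29 instead.
    outbound = {"src": "10.16.5.10", "dst": "22.22.22.29"}
    print("PIX next hop for", outbound["dst"], "->", pix_next_hop(outbound["dst"]))
    print("Router2, crypto ACL on 192.168.1.x:", forward_from_pix(outbound, CRYPTO_ACL_REAL))
    print("Router2, crypto ACL on 22.22.22.x: ", forward_from_pix(outbound, CRYPTO_ACL_TRANSLATED))
    reply = {"src": "192.168.1.29", "dst": "10.16.5.10"}
    print("Reply after decryption and NAT:     ", forward_from_tunnel(reply, CRYPTO_ACL_REAL))
```

The `forward_from_pix` call with `CRYPTO_ACL_TRANSLATED` returns `False`, i.e. the packet would leave f0/0 in the clear or be dropped rather than enter the tunnel, which is the practical reason behind the answer above. On the PIX side the equivalent of `PIX_ROUTES` would be a `route dmz 22.22.22.0 255.255.255.0 10.16.5.70` entry alongside the existing route to Router1 (assumed syntax for PIX 6.3). One design note: 22.22.22.0/24 is the thread's placeholder and is real public address space; when choosing the translated range for this trick, pick unused private space so that the NAT never shadows a legitimate Internet destination.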
05-24-2011 10:29 PM
I really appreciate your help, I rated you with the Highest possible rating. Have a good one.