10-23-2007 02:09 AM - edited 02-21-2020 03:20 PM
R1--PIX1 -----Internet----PIX2-----R2
Lo0R1-->1.1.1.1
PIX1(inside) -->10.1.1.10
PIX1(Outside) -->219.x.x.55
Lo0R2 -->2.2.2.2
PIX2(inside) -->20.1.1.10
PIX2(Outside) -->139.x.x.65
I need to configure an IPsec VPN between PIX1 and PIX2; the interesting traffic is between Lo0R1 and Lo0R2.
The problem is that PIX2 allows only 219.25.4.55, so I don't know how to configure that.
Do I need to PAT Lo0R1 to 219.x.x.55? Do I need NAT traversal?
PIX1
====
interface Ethernet0
 nameif outside
 security-level 0
 ip address 219.x.x.55 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
!
access-list encrypt extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list nonat extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
-------------------------
static (inside,outside) 219.25.4.55 1.1.1.1 netmask 255.255.255.255
-------------------------
crypto ipsec transform-set tset esp-3des esp-md5-hmac
crypto map myvpn 10 match address encrypt
crypto map myvpn 10 set peer 139.25.14.65
crypto map myvpn 10 set transform-set tset
crypto map myvpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group 139.25.14.65 type ipsec-l2l
tunnel-group 139.25.14.65 ipsec-attributes
 pre-shared-key *
10-23-2007 03:06 AM
Hi,
Please configure the steps below for the VPN:
PIX---1
........................................
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map myvpn 20 ipsec-isakmp
crypto map myvpn 20 match address encrypt
crypto map myvpn 20 set peer 139.25.14.65
crypto map myvpn 20 set transform-set myset
crypto map myvpn interface outside
isakmp enable outside
isakmp key ******** address 139.25.14.65 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
access-list encrypt extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list nonat extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
Thanks ,
Krishna.
10-23-2007 03:56 AM
Thanks Krishna for your reply, but PIX2 permits only 219.25.4.55, so I should NAT the interesting traffic to that IP and I can't use nat 0.
10-25-2007 09:19 AM
You can use Easy VPN client mode to solve the problem.
10-25-2007 10:01 AM
welcomeccie,
Take a look here.
You need to add the PAT address to the interesting traffic.
access-list encrypt extended permit ip host 219.25.4.55 2.2.2.0 255.255.255.0
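As an added worked example (not taken from any post in this thread), this is what the PIX1 side looks like once the suggestion above is applied: the R1 loopback is policy-PATed to the outside interface address, and the crypto ACL matches the translated address, because the PIX applies NAT before it evaluates the crypto map on outbound traffic. PIX 7.x syntax is assumed to match the original post; the NAT id 1, the ACL name nat-to-pix2 and the pre-shared-key placeholder are assumptions.

```cisco
! Added example, not from the thread: PIX1 with Lo0R1 translated to the one
! address PIX2 will accept (219.25.4.55 = PIX1 outside interface).
interface Ethernet0
 nameif outside
 security-level 0
 ip address 219.25.4.55 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
!
! Policy PAT: only traffic from 1.1.1.1 towards 2.2.2.0/24 is translated,
! and it is translated to the outside interface address (assumed NAT id 1).
access-list nat-to-pix2 extended permit ip host 1.1.1.1 2.2.2.0 255.255.255.0
nat (inside) 1 access-list nat-to-pix2
global (outside) 1 interface
!
! Deliberately NO "nat (inside) 0 access-list nonat" entry for this flow:
! a NAT exemption match takes precedence over policy NAT, so the packets
! would reach the crypto map untranslated and miss the encrypt ACL.
!
! Crypto ACL written against the post-NAT source address.
access-list encrypt extended permit ip host 219.25.4.55 2.2.2.0 255.255.255.0
!
crypto ipsec transform-set tset esp-3des esp-md5-hmac
crypto map myvpn 10 match address encrypt
crypto map myvpn 10 set peer 139.25.14.65
crypto map myvpn 10 set transform-set tset
crypto map myvpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 139.25.14.65 type ipsec-l2l
tunnel-group 139.25.14.65 ipsec-attributes
 pre-shared-key <shared-secret-placeholder>
```

Two checks follow from this. PIX2's mirrored crypto ACL must reference host 219.25.4.55 rather than 1.1.1.0/24, or the phase 2 proxy identities will not agree; "show crypto ipsec sa" on PIX1 should then list 219.25.4.55/32 and 2.2.2.0/24 as the local and remote identities. And because this is PAT rather than a static translation, only traffic initiated from the R1 side can bring the tunnel up: R2 has no way to reach 1.1.1.1 first.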