PIX-2-PIX VPN with overlapping NAT address spaces

pax_2111 (Level 1)

Hi guys,

Hope someone will be able to help me with this.

I have two sites doing NAT behind PIX firewalls. Both of them use 10.1.1.0/24 for internal address space.

I want to create a VPN tunnel between these two.

Obviously I have to NAT them again so that 10.1.1.0/24 is seen as different on either side.

I read the example, but it wasn't of much help: http://www.cisco.com/en/US/partner/tech/tk648/tk367/technologies_configuration_example09186a00800949f1.shtml

I have a couple of questions:

- do I need public IP addresses to NAT to, or will another private address do fine?

- does doing a reverse NAT on the PIX disrupt communication with other VPN-enabled networks?

thanks for any help

4 Replies

ajagadee (Cisco Employee)

Hi,

You can use a different private IP address space for the NAT and then include the NATed IP addresses in your IPsec LAN-to-LAN tunnel.

Regards,

Arul

Hi,

I configured NAT on one of the PIXes and brought up the VPN, but the ping is not successful.

The overlapping networks are within the range of 10.1.0.0 so I did:

static (outside, inside) 10.160.196.128 10.1.0.0 netmask 255.255.255.224 0 0

IPSec interesting traffic is from 10.1.0.0----->10.160.0.0

so the access lists should be:

access-list nonat permit ip 10.160.196.128 255.255.255.224 10.160.0.0 255.255.0.0

access-list remotelan permit ip 10.160.196.128 255.255.255.224 10.160.0.0 255.255.0.0

but whenever I use these access-lists nothing is being encrypted by IPsec.

If I change the access-lists to :

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.160.0.0 255.255.0.0

access-list remotelan permit ip 10.1.1.0 255.255.255.0 10.160.0.0 255.255.0.0

traffic is being encrypted but the ping is not successful.

I am missing something but am not sure what.

- Is it necessary to have NAT on both PIXs?

- How do I tell the firewall that any packet sourced from 10.1.0.0 should be included in IPsec?

Can someone help me with this?

jfrahim (Level 5)

Hi there,

You might be looking for a document that looks similar to:

http://www.cisco.com/warp/customer/707/vpn_pix_private.html

Hope that helps

Jazib

I found this link: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml

My question is, will it do a one-to-one mapping? For example, will the translated IP 20.0.0.1 map to the real IP 10.0.0.1?
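The following is an added worked example of the approach suggested in the first reply (translate each site's 10.1.1.0/24 to a distinct private range and build the IPsec LAN-to-LAN tunnel between the translated ranges); it also answers the one-to-one mapping question asked just above. It is not configuration from the original posts or from the linked Cisco documents. The translated ranges 192.168.10.0/24 and 192.168.20.0/24, the peer addresses 203.0.113.1 and 203.0.113.2, the pre-shared key placeholder, and the ACL, map and transform-set names are assumptions chosen for illustration; the command syntax is PIX 6.x.

```text
! ---- Site A PIX (outside 203.0.113.1, inside 10.1.1.0/24) ----
! Assumed example config, not from the original thread.
!
! Net-to-net static: 10.1.1.x <-> 192.168.10.x, one-to-one by host part.
! 10.1.1.1 becomes 192.168.10.1, 10.1.1.2 becomes 192.168.10.2, and so on.
static (inside,outside) 192.168.10.0 10.1.1.0 netmask 255.255.255.0 0 0
!
! Ordinary Internet traffic is still PATed; the static above wins for the
! same source hosts, so tunnel traffic leaves with its 192.168.10.x address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Crypto ACL is written in TRANSLATED addresses on both ends, because
! outbound NAT is applied before the crypto map ACL is evaluated.
! Inside hosts reach the remote site by pinging 192.168.20.x, not 10.1.1.x.
access-list remotelan permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
!
! Do NOT add a nat 0 (NAT exemption) entry for this traffic: NAT exemption
! is evaluated before static, and would bypass the translation entirely.
!
sysopt connection permit-ipsec
isakmp enable outside
isakmp identity address
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address remotelan
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! ---- Site B PIX (outside 203.0.113.2, inside 10.1.1.0/24) ----
! Mirror image: only the lines that differ from Site A are shown.
static (inside,outside) 192.168.20.0 10.1.1.0 netmask 255.255.255.0 0 0
access-list remotelan permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
crypto map vpnmap 10 set peer 203.0.113.1
```

With this layout a host 10.1.1.5 at Site A pings 192.168.20.7; Site A translates the source to 192.168.10.5, the packet matches `remotelan` and is encrypted, and Site B's static translates the destination 192.168.20.7 back to 10.1.1.7. The reply takes the symmetric path. To verify, use `show xlate` to confirm the 192.168.10.x/10.1.1.x pair exists and `show crypto ipsec sa` to confirm the encrypt/decrypt counters rise on both peers; if `show xlate` shows no entry, check for a NAT exemption or crypto ACL entry that still references the real 10.1.1.0/24 addresses.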