PIX site to site, overlap, access to one host only

sitedr
Level 1

Hello. A client has a PIX 525, version 6.2(2), currently providing access to a mainframe via Cisco VPN client, with about 100 remote users. They also have partner companies that access the mainframe via leased lines.

The leased lines are to be removed, and the client would like their partner companies to connect to the mainframe via site to site vpn.

The first partner company we are to connect has a PIX 515 ver 6.3(4), and 2 /16 networks, which overlap most of ours. We may run into this again with the other partners.

The only host we want anyone to access is the mainframe. Any suggestions are much appreciated.

DH

2 Replies

bogdahnt
Level 1

Hello David,

One way is to allow, per ACL, just this one host and tell all partner companies that nobody can use this address, and all of them have to implement a host route in their network to your mainframe address (I guess this is not very practicable ;o)

The other way is to NAT the internal IP address of your mainframe on the client PIX 525. If you have an unused official IP, you could take this one. Otherwise you need to use another private IP, but you have to check whether this one is in use by any partner companies or not.

Hope that helps and brgds, Thomas.
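The static NAT plus host-only crypto ACL that Thomas describes, written out as PIX 6.x configuration for the client-side 525. This is an added example, not configuration posted in the thread; the mainframe address, the translated address, the partner peer address and the partner's two /16s are placeholders, and the pre-shared key is left blank.

```text
! Added example, not from the thread. Placeholders to replace:
!   10.1.1.10     = mainframe inside address
!   192.0.2.10    = unused address chosen outside every partner's ranges
!   198.51.100.1  = partner PIX 515 outside address
!   172.16.0.0/16 and 172.17.0.0/16 = the partner's two /16s

! 1. Present the mainframe to the outside under the non-overlapping address.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255

! 2. Crypto ACL: only the translated mainframe address, and only to/from the
!    partner's ranges. Tunnel traffic that does not match this ACL is dropped,
!    so the partner can reach nothing else behind the PIX.
access-list PARTNER-VPN permit ip host 192.0.2.10 172.16.0.0 255.255.0.0
access-list PARTNER-VPN permit ip host 192.0.2.10 172.17.0.0 255.255.0.0

! 3. Phase 1 (ISAKMP) and phase 2 (IPsec) for the partner peer.
isakmp enable outside
isakmp key <pre-shared-key> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set PARTNER-TS esp-3des esp-sha-hmac
crypto map PARTNER 10 ipsec-isakmp
crypto map PARTNER 10 match address PARTNER-VPN
crypto map PARTNER 10 set peer 198.51.100.1
crypto map PARTNER 10 set transform-set PARTNER-TS
crypto map PARTNER interface outside

! 4. Decrypted tunnel traffic bypasses the outside interface ACL; the crypto
!    ACL above is what limits it to the mainframe.
sysopt connection permit-ipsec
```

On 6.2(2) a plain static applies to all of the mainframe's outside-bound traffic (policy NAT with an access-list on the static only arrived in 6.3), and the partner's crypto ACL must mirror this one (their /16s to host 192.0.2.10). The fragment does not resolve the partner-side overlap with the client's own networks that David raises in his follow-up.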

Thomas,

Thank you very much for your quick reply. I really do like option one!!

I have a private IP outside of Partner's numbering scheme that I can NAT the mainframe to. I am concerned with building the site to site tunnels. Most of the VPN setups I have deployed were either remote access or site to site where we controlled the numbering on both sides.

Since Client has networks in Europe, US, and Asia that are overlapped by Partner's network numbering, do I need to employ bi-directional translation for the Partner or is there another way to provide access to the mainframe via VPN? Because Partner is numbered using two /16 networks, I really wish there was something like address-pool for site to site :)

Thomas, thank you once again.

David H.