06-01-2004 06:20 PM - edited 02-21-2020 01:11 PM
OK... here is what I have: three PIX 501s with a PIX-to-PIX VPN. Now we need to set up one of them with VPN access through the VPN client, but we do not use NAT due to RF devices, and I think you have to have NAT in order to do this. Any thoughts?
06-02-2004 03:29 AM
No, you do not need to do NAT in order to accommodate any type of VPN connection, whether it is to another PIX or a remote-access VPN client device. In fact, in most remote-access VPN topologies, using NAT would cause connectivity issues.
Look at this link to get an idea of PIX connectivity to a VPN client:
06-03-2004 05:28 AM
OK... I'm lost here.
I have to get this done.
Here is what I have:
Create an ACL for VPN access... but I'm going to be doing remote access from public IPs. Here is what an example showed. With this example, will it work from an outside public IP? The access-list specifies the NAT IP, which is throwing me off!!!
ip local pool clientpool 192.168.11.26-192.168.11.200
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
conduit permit icmp any any
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup rcremote address-pool clientpool
vpngroup rcremote dns-server x.x.x.x
vpngroup rcremote wins-server x.x.x.x
vpngroup rcremote default-domain domain.local
vpngroup rcremote split-tunnel 101
vpngroup rcremote idle-time 28800
vpngroup rcremote password ********
ALSO, NO NAT CAN BE USED... because of certain equipment... another thing that is throwing me off.
Whether this will or will not work, could someone point me to what I would have to change? Thanks.
06-04-2004 07:42 AM
This example will work.
The nat (inside) 0 access-list statement tells the PIX code: DO NOT perform NAT when going from the 192.168.1/24 network (inside devices) to the VPN users (the 192.168.11/24 network). This is what you want, as the internal DNS servers only know about the private addresses of the servers/hosts on the inside network (192.168.1/24).
It will work with public addresses too. However, if the VPN clients are remote-access ones, normally you give them a new address, separate from the existing public one, to be able to be routed from the PIX. This is helpful if you have more than one entry/exit point into your network, as you do not want to route back to the VPN user through another router.
However, for site-to-site VPNs, or in cases where your users will not get an internal address, you won't need this statement:
vpngroup rcremote address-pool clientpool
Replace 192.168.11.0/24 with the public IP range in access-list 101.
Let me know if you have any more questions.
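As an added illustration (not from this thread or from Cisco), the following Python models the two jobs the single access-list 101 does in the config above: NAT exemption under `nat (inside) 0 access-list 101` and the split-tunnel network list pushed by `vpngroup rcremote split-tunnel 101`. The ACL text and the 203.0.113.0/24 "public" range are constructed; it handles only `permit|deny ip <net> <mask> <net> <mask>` entries.

```python
"""Model of a PIX 6.x access-list used for NAT exemption (nat 0) and
split tunnelling.  Illustrative only; not Cisco code."""
import ipaddress
import re

# Constructed ACLs in PIX 6.x syntax (subnet mask, not CIDR or IOS wildcard).
POOL_ACL = ["access-list 101 permit ip 192.168.1.0 255.255.255.0 "
            "192.168.11.0 255.255.255.0"]
# Variant from the reply: clients keep public addresses (203.0.113.0/24 is a
# documentation range standing in for the real public block).
PUBLIC_ACL = ["access-list 101 permit ip 192.168.1.0 255.255.255.0 "
              "203.0.113.0 255.255.255.0"]

_ACE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+ip\s+"
                  r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_acl(lines, name):
    """Return [(action, src_net, dst_net)] for the entries of `name`, in order."""
    aces = []
    for line in lines:
        m = _ACE.match(line.strip())
        if m and m.group(1) == name:
            _, action, saddr, smask, daddr, dmask = m.groups()
            aces.append((action,
                         ipaddress.ip_network(f"{saddr}/{smask}", strict=False),
                         ipaddress.ip_network(f"{daddr}/{dmask}", strict=False)))
    return aces

def nat_exempt(aces, src, dst):
    """nat (inside) 0: inside traffic matching a permit entry keeps its real
    source address; the first matching entry decides, as on the PIX."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in aces:
        if s in snet and d in dnet:
            return action == "permit"
    return False        # no match: ordinary nat/global translation applies

def split_tunnel_networks(aces):
    """Networks the PIX pushes to the client: the *source* side of each permit
    entry, so the client tunnels only traffic bound for them."""
    return [snet for action, snet, _ in aces if action == "permit"]

def client_tunnels(aces, dst):
    """True when a VPN client would send traffic for `dst` through the tunnel;
    anything else (e.g. general internet) leaves the client in the clear."""
    d = ipaddress.ip_address(dst)
    return any(d in net for net in split_tunnel_networks(aces))
```

With POOL_ACL, inside host 192.168.1.10 reaching pool address 192.168.11.50 is exempt from NAT while its traffic to 198.51.100.7 is not, and a client tunnels only destinations in 192.168.1.0/24; with PUBLIC_ACL the exemption moves to the public block, which is the reply's suggested change.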