03-30-2005 12:37 PM - edited 02-21-2020 01:41 PM
We have a [Router-PIX-Campus Network] configuration right now at our one and only location. The PIX has a public IP address given to us by our ISP.
We are setting up another site and with the exact same [Router-PIX-Campus Network] design, and would like to make a site-to-site vpn through the PIX's. The only difference is that this new site, we have to use NAT on the perimeter router because the ISP over there is only giving us one subnet instead of two (like in our original site). So, the outside interface on the router is our only public IP address, and all the boxes and the outside interface of the PIX are private IP address.
So, how do I set up a site-to-site VPN between PIXs when I don't have a public IP address on the outside interface of one of the PIXs?
I've never done a site-to-site VPN before, and when reading through the whitepapers, you have to know the IP address of the peer PIX (outside interface) when setting up the IKE key pair thing.
Any help would be appreciated. Thanks.
03-31-2005 06:31 AM
You would have to ensure that there is a static translation between a public IP and the PIX's private IP on its outside interface. Then the peer IP address to the other PIX becomes the public IP you assigned for translation in the router.
If you are using ACLs on the router then you have to ensure that ESP (protocol 50) and UDP 500 are open for that IP/translation.
03-31-2005 09:20 AM
Okay, so how would the NAT statement look for that? I already have the public IP address on the outside router interface doing NAT for another box that is behind the router (DNS forwarding box).
So for example, my one and only NAT statement for this router is:
ip nat inside source static tcp
How do add an additional NAT statement that allows the translation that you mentioned to work?
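An added example, not from this thread, of what the router side could look like when following the reply above (a static 1:1 translation for the PIX plus ESP and UDP 500 permitted). Every address and interface name is constructed: 203.0.113.10 is assumed to be a spare public address on the NATing router's ISP subnet, 192.168.10.1 is the private address on the PIX outside interface, 198.51.100.5 is the public address of the PIX at the original site, 192.168.10.53 stands in for the DNS forwarding box, and FastEthernet0/0 and FastEthernet0/1 are the router's outside and inside interfaces.

```cisco
! Added example (not from the thread). Constructed addresses and names:
!   203.0.113.10   spare public address on the ISP subnet, reserved for the PIX (assumption)
!   192.168.10.1   private address on the PIX outside interface
!   198.51.100.5   public address of the PIX at the original site (the VPN peer)
!   192.168.10.53  the existing DNS forwarding box (placeholder)
!   FastEthernet0/0 = router outside, FastEthernet0/1 = router inside (assumption)

interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group 101 in
!
interface FastEthernet0/1
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
!
! The existing port-forward for the DNS box keeps its shape (host and port are placeholders).
ip nat inside source static tcp 192.168.10.53 53 interface FastEthernet0/0 53
!
! New entry: a full 1:1 static translation for the PIX outside interface.
! Unlike the tcp/udp port form above, this carries every IP protocol,
! including ESP (protocol 50), which has no port numbers to forward.
ip nat inside source static 192.168.10.1 203.0.113.10
!
! Inbound ACL on the outside interface. Inbound traffic is matched against
! the ACL before it is untranslated, so the rules name the public address.
! Only the known peer may reach the translated address with ISAKMP (UDP 500)
! and ESP; the DNS rule mirrors the existing port-forward; everything else
! is dropped and logged (the implicit deny is written out so it shows in logs).
access-list 101 permit udp host 198.51.100.5 host 203.0.113.10 eq 500
access-list 101 permit esp host 198.51.100.5 host 203.0.113.10
access-list 101 permit tcp any host 203.0.113.2 eq 53
access-list 101 deny ip any any log
```

With this in place the PIX at the original site uses 203.0.113.10 as its peer address, while the PIX behind the router keeps 198.51.100.5 as its peer. One caveat worth checking before committing to this layout: if the ISP subnet really has no address to spare beyond the router interface itself, the 1:1 form is not available. A port-static entry of the form `ip nat inside source static udp 192.168.10.1 500 interface FastEthernet0/0 500` can forward ISAKMP, but ESP cannot be forwarded that way because it has no port. The usual workaround is to enable IPsec NAT traversal on both PIXs so the ESP traffic is encapsulated in UDP 4500, and add a matching UDP 4500 port-static entry and ACL line on the router.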