05-06-2008 08:19 AM
Hi all
I am facing an overlapping network issue while establishing an S2S VPN tunnel. The remote end is a Cisco PIX Firewall; however, that is an internal PIX Firewall (with a public IP). The remote perimeter firewall is Checkpoint (next hop of the PIX).
My end VPN gateway is a VPN Concentrator, but the perimeter firewall is a Checkpoint firewall. One of the interfaces of my end CP Firewall is the VPN Concentrator. My end VPN Concentrator and CP firewall are connected to an L2 switch which connects to the Internet router.
There is an issue when I am trying to establish the VPN tunnel between the PIX (remote gateway) and the VPN Concentrator (my end). The issue is that the remote end has the subnet 10.34.226.0/24 and is trying to access the subnet 192.168.1.0 at my end; however, 192.168.1.0 is present at their end also. Please let me know how I can configure NAT at my VPN Concentrator end to translate the addresses, if I want those people to come with a different destination IP address to access devices at my end.
The crypto ACL in the VPN Concentrator (my end) includes 192.168.70.12 (which is a free IP). I want remote users in the IP range 10.34.226.0/24 to connect to this IP (192.168.70.12); when the packet hits the VPN Concentrator it should get translated to 192.168.1.31.
Please help as this is urgent.
Regards
Ankur
05-06-2008 08:32 AM
05-06-2008 11:04 AM
On the Pix side, their network is 10.34.226.0/24. They will be accessing 10.0.0.0/24
on your side that you will translate into 192.168.1.0/24 on your side. On your side,
you will NAT the source of 192.168.1.0/24 into 10.0.0.0/24 when going to destination
of 10.34.226.0/24.
Basically, no change on the Pix's side:
access-list nonat permit ip 10.34.226.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list vpn permit ip 10.34.226.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn
crypto map vpn 10 set transform-set 3des
crypto map vpn 10 set peer VPNC
crypto map vpn interface outside
On the concentrator, you set up NAT on the concentrator for source 10.34.226.0/24 destination
10.0.0.0/24. You then translate the destination to 192.168.1.0/24 and keep the source
original. It can be done with a few clicks on the VPNc.
Easy right?
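The address plan in the reply above, modelled as an added example that is not part of the original post and is not concentrator configuration. The function names are hypothetical; the subnets and the host 192.168.1.31 come from the thread. It shows the 1:1 mapping in both directions, why the real 192.168.1.0/24 addresses never match the tunnel's traffic selectors, and a check that the mapped range does not collide with anything the remote site already routes.

```python
import ipaddress as ip

# Subnets from the thread.
REMOTE_NET = ip.ip_network("10.34.226.0/24")  # hosts behind the PIX
REAL_NET = ip.ip_network("192.168.1.0/24")    # real subnet behind the concentrator (also used at the remote site)
MAPPED_NET = ip.ip_network("10.0.0.0/24")     # range the PIX side is told to reach


def map_host(addr, from_net, to_net):
    """Static 1:1 network NAT: keep the host bits, swap the network prefix."""
    addr = ip.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 network NAT needs equal prefix lengths")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    offset = int(addr) - int(from_net.network_address)
    return ip.ip_address(int(to_net.network_address) + offset)


def in_crypto_acl(src, dst):
    """Traffic selectors of the tunnel: remote <-> mapped, in either direction."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    return (src in REMOTE_NET and dst in MAPPED_NET) or (
        src in MAPPED_NET and dst in REMOTE_NET
    )


def inbound(src, dst):
    """Packet leaving the tunnel at the concentrator: destination un-mapped, source kept."""
    if not in_crypto_acl(src, dst):
        raise ValueError("packet does not match the tunnel's traffic selectors")
    return str(ip.ip_address(src)), str(map_host(dst, MAPPED_NET, REAL_NET))


def outbound(src, dst):
    """Reply from the real host: source is mapped before the selector check."""
    mapped_src = map_host(src, REAL_NET, MAPPED_NET)
    if not in_crypto_acl(mapped_src, dst):
        raise ValueError("reply does not match the tunnel's traffic selectors")
    return str(mapped_src), str(ip.ip_address(dst))


def plan_is_safe(remote_site_nets):
    """The mapped range must not overlap any network the remote site already routes."""
    return not any(MAPPED_NET.overlaps(ip.ip_network(n)) for n in remote_site_nets)
```

If the remote site already routes any part of 10.0.0.0/24 (for example a 10.0.0.0/8 summary), `plan_is_safe` returns False and a different unused range has to be chosen for the mapping.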
05-06-2008 12:48 PM
Hi
You have understood my issue correctly, but can you tell me how to configure this on the VPN Concentrator?
Regards
Ankur