Re: Router Nat + Pix and Lan-to-Lan Vpn

dario.vernelli · ‎02-01-2006

Hi averybody,

I have this problem:

my remote office have an ADSL line with a fixed public IP address.

They are using an ADSL Router (DLink) that perform NAT between the public address and the internal LAN (192.168.x.x).

I need to put a Pix FW between router and lan to perform a VPN with central office.

How can I configure the pix to perform this?!?!?

The VPN can be performed behind the Router NAT ?!?!

Do you have some documentation about this problem?!?!

Thanks a lot

Patrick Laidlaw · ‎02-03-2006

Dario,

I would just replace the DLink with the pix. At this point there is a lot to do if you have a brand new pix it should come with PDM installed probably the easiest way for you to configure, run through the setup wizard and the vpn wizard and it should get you most of the way there.

Install and upgrade guides:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_installation_guides_list.html

Pix Documentation:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/

If you have problems post the issues your haveing and the config, CCO forum users will try to help from there.

Patrick

jackko · ‎02-05-2006

there are 2 options.

1. configure the dlink to run in bridging-mode. i.e. the dlink handles the adsl signal and nothing else. then configure the public ip on the pix outside interface, with pppoe if required. with this setup, you can pretty much ignore the dlink for any changes in the future, as the pix will handle nat/pat, public ip, firewalling, and vpn.

2. configure the dlink to forward specific port for vpn. the protocol/port need to be forwarded are udp 500 and udp 4500. i did set this up with cisco router and pix, not with dlink router and pix. this setup is a bit troublesome compare to the first option. the reason being you need to play with both everytime you want to change something, and very likely it requires double nat/pat. i.e. configure nat/pat on pix, and on the dlink.