Simple VPN question

ogieogilthorpe
Level 1

I am setting up a site-to-site VPN between two identical PIXs. My only worry is with the NAT statements in the example. In the current config all that is listed for NAT is "nat (inside) 0 0.0.0.0 0.0.0.0", and there are a few statics set up to map public IPs to private ones.

Should I leave out the NAT statements in the sample config or alter my current NAT settings?

Thanks

4 Replies

jwalker
Level 3

Please post your config and I will help..

Here is the example of the config that Cisco said to enter to set up a site-to-site VPN. Both of my firewall configs are almost identical.

hostname NewYork
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
crypto isakmp key cisco1234 address 209.165.200.229
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
nat 0 access-list 90
nat (inside) 1 0 0
global (outside) 1 209.165.201.9-209.165.201.30
global (outside) 1 209.165.201.8
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229
crypto map toSanJose interface outside
sysopt connection permit-ipsec

What worries me is whether the NAT statements in the above config will interfere with my current config. Here is what I have for NAT and the statics I have set up:

global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.6 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.9 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.7 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.8 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.100 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.101 netmask 255.255.255.255

no nat 1 should go with global 1.

nat 0 should be left to keep certain hosts from doing NAT... nat 0 should reference an ACL.

see http://www.cisco.com/warp/public/110/38.html

tschuss,

Joe

Here is what you need to do to fix the NAT for the VPN and Internet access...

nat (inside) 0 access-list 90
nat (inside) 1 0 0
global (outside) 1 209.165.201.9-209.165.201.30
global (outside) 1 209.165.201.8
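To make the effect of that fix concrete, here is an added example (not part of the thread and not Cisco's code) that models the order in which a PIX 6.x chooses an outbound translation: NAT exemption (nat 0 with an access-list) first, then statics, then the regular nat/global rules, where a nat 0 without an ACL is plain identity NAT. It runs the poster's current config and the fixed config side by side for the same packets. The public addresses replacing the xxx.xxx.xxx.xxx placeholders, the 192.168.1.0/24 local network, the 10.0.0.0/8 remote network in access-list 90, and the Internet destination are all constructed assumptions; pool exhaustion and policy NAT are not modelled.

```python
# Added example, not from the thread or from Cisco: a simplified model of the
# PIX 6.x outbound translation lookup, used to compare the poster's current NAT
# config with the fix given in the last reply.
# Order modelled: 1) nat 0 access-list (NAT exemption), 2) static,
# 3) nat/global by nat id (nat id 0 without an ACL = identity NAT).
import ipaddress

# Constructed placeholders (RFC 5737 range) for the xxx.xxx.xxx.xxx public
# addresses in the original statics.
STATICS = {
    "192.168.1.6": "203.0.113.6",
    "192.168.1.9": "203.0.113.9",
    "192.168.1.7": "203.0.113.7",
    "192.168.1.8": "203.0.113.8",
    "192.168.1.100": "203.0.113.100",
    "192.168.1.101": "203.0.113.101",
}

# Assumption: the local LAN is 192.168.1.0/24 (as the statics suggest) and the
# remote site is 10.0.0.0/8 (the destination in Cisco's sample access-list 90).
VPN_ACL_90 = [("192.168.1.0/24", "10.0.0.0/8")]

# "Before": nat (inside) 0 0.0.0.0 0.0.0.0, global (outside) 1 interface, statics.
CURRENT_CFG = {
    "exempt_acl": [],
    "statics": STATICS,
    "nat_rules": [(0, "0.0.0.0/0")],
    "globals": {1: ["interface"]},
}

# "After": nat (inside) 0 access-list 90, nat (inside) 1 0 0, global (outside) 1 ...
FIXED_CFG = {
    "exempt_acl": VPN_ACL_90,
    "statics": STATICS,
    "nat_rules": [(1, "0.0.0.0/0")],
    "globals": {1: ["209.165.201.9-209.165.201.30", "209.165.201.8"]},
}


def translate(cfg, src, dst):
    """Return (method, translated_source) for an inside->outside packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption is evaluated before statics, so traffic to the VPN peer
    #    keeps its private address even from a host that has a static.
    for s_net, d_net in cfg["exempt_acl"]:
        if s in ipaddress.ip_network(s_net) and d in ipaddress.ip_network(d_net):
            return ("exempt", src)
    # 2. One-to-one statics.
    if src in cfg["statics"]:
        return ("static", cfg["statics"][src])
    # 3. Regular nat/global, matched by nat id.
    for nat_id, net in cfg["nat_rules"]:
        if s in ipaddress.ip_network(net):
            if nat_id == 0:
                return ("identity", src)  # nat 0 without an ACL: no translation
            pools = cfg["globals"].get(nat_id)
            if not pools:
                return ("no-global", None)  # nat id with no global: no translation slot
            return ("dynamic", pools[0])  # first global entry; exhaustion not modelled
    return ("untranslated", None)


def compare(src, dst):
    """Show the same packet under both configurations."""
    return {"current": translate(CURRENT_CFG, src, dst),
            "fixed": translate(FIXED_CFG, src, dst)}


if __name__ == "__main__":
    samples = [
        ("192.168.1.6", "10.1.2.3"),      # host with a static, to the remote LAN
        ("192.168.1.50", "10.1.2.3"),     # plain host, to the remote LAN
        ("192.168.1.6", "198.51.100.7"),  # host with a static, to the Internet
        ("192.168.1.50", "198.51.100.7"), # plain host, to the Internet
    ]
    for src, dst in samples:
        print(f"{src} -> {dst}: {compare(src, dst)}")
```

The case worth noticing is the first one: under the current config the static for 192.168.1.6 wins over the plain nat 0, so its traffic to the remote site leaves with the public address and no longer matches access-list 90, which is exactly why the reply insists that nat 0 reference the ACL rather than 0.0.0.0 0.0.0.0.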