Using PAT on PIX to PIX Ipsec tunnel

schwermie
Level 1

Hello all,

At home I have a PIX 501. From there I can start a VPN to our office. The PIX at the office has different interfaces. On one of these interfaces we should use PAT. It works from other connected subnets, but I can't get PAT working for my VPN session.

How can i achieve this?

All help is welcome.

Kind regards,

Marco Hermans

2 Replies

micah
Level 1

Marco,

There are several possibilities why this is not working for you. Are you currently using split tunneling? Do you have a nat statement that matches the pool of addresses used for the vpdn session? Is there a global statement that matches that nat statement? It would be helpful if you posted your configs.

Hi Micah,

I will first explain our situation more.

We have a PIX 525 at our office. A few engineers have a PIX 501 at their home. From there we can set up a VPN to our office. This all works fine.

At our office we have a special subnet where we should use PAT. From other nets at our office PAT works fine. We also want to use PAT on the VPN traffic from the PIX 501s at home. I can't get this working.

I included a piece of our config.

Kind regards,

Marco Hermans

---CUT---
access-list INTERNET permit icmp any any echo-reply
access-list INTERNET deny ip any any
access-list ToHome permit ip 192.168.0.0 255.255.0.0
access-list ToHome permit ip 172.16.100.0 255.255.255.0
access-list CM-MNGT permit icmp any any
access-list CM-MNGT permit ip 192.168.10.0 255.255.255.0 any
access-list PAT_INTERNET permit ip any
access-list PAT_CM-MNGT permit ip 192.168.10.0 255.255.255.0 any
icmp permit any echo CM-MNGT
icmp permit any echo-reply CM-MNGT
icmp permit any echo INTERNET
icmp permit any echo-reply INTERNET
ip address CM-MNGT 192.168.10.30 255.255.255.0
ip address INTERNET
global (CM-MNGT) 1 interface
global (INTERNET) 1 interface
nat (INTERNET) 1 access-list PAT_INTERNET 0 0
access-group inside in interface inside
access-group CM-MNGT in interface CM-MNGT
access-group INTERNET in interface INTERNET
access-group EMOS-TCU in interface EMOS-TCU
route INTERNET 0.0.0.0 0.0.0.0 Gateway 1
sysopt connection permit-ipsec
crypto ipsec transform-set 3desSha esp-3des esp-sha-hmac
crypto ipsec transform-set AESSha esp-aes esp-sha-hmac
crypto ipsec transform-set desSha esp-des esp-sha-hmac
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto map VPN 11 ipsec-isakmp
crypto map VPN 11 match address ToHome
crypto map VPN 11 set pfs group2
crypto map VPN 11 set peer xxx.xxx.xxx.xxx
crypto map VPN 11 set transform-set AESSha
crypto map VPN 12 ipsec-isakmp
crypto map VPN interface INTERNET
isakmp enable INTERNET
isakmp key ******** address xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
---CUT---
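Micah's checklist above (a nat statement that matches the VPN addresses, and a global statement sharing its id) can be checked mechanically against an excerpt like Marco's. The following is an added example, not code from the thread or from Cisco: a small Python script that parses the nat, global and IP access-list lines of a PIX 6.x excerpt and reports, for each nat statement, which other interfaces carry a global with the same id and whether that nat selects a given source/destination pair. The sample config and the test addresses 172.16.100.5 and 192.168.10.7 are constructed, modelled on the excerpt (the truncated PAT_INTERNET entry is given a destination of any, and an unpaired inside nat is added for contrast).

```python
import ipaddress
import re

# Constructed sample modelled on the thread's excerpt, not the poster's exact lines: the
# truncated PAT_INTERNET entry is given a destination of "any"; an unpaired inside nat is added.
SAMPLE_CONFIG = """\
access-list PAT_INTERNET permit ip any any
access-list PAT_CM-MNGT permit ip 192.168.10.0 255.255.255.0 any
global (CM-MNGT) 1 interface
global (INTERNET) 1 interface
nat (INTERNET) 1 access-list PAT_INTERNET 0 0
nat (inside) 2 192.168.10.0 255.255.255.0 0 0
"""
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (?:access-list (\S+)|(\S+) (\S+))(.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$")


def _net(token):  # "any" or "addr mask" -> ip_network
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token.replace(" ", "/"), strict=False)


def parse(config):
    """Collect nat statements, the interfaces carrying each global id, and IP access-list entries."""
    nats, globals_, acls = [], {}, {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := NAT_RE.match(line):
            nat_if, nat_id, acl, addr, mask, _ = m.groups()
            nats.append({"if": nat_if, "id": nat_id, "acl": acl,
                         "src": None if acl else _net(f"{addr} {mask}")})
        elif m := GLOBAL_RE.match(line):
            globals_.setdefault(m.group(2), set()).add(m.group(1))
        elif m := ACL_RE.match(line):
            name, action, src, dst = m.groups()
            acls.setdefault(name, []).append((action, _net(src), _net(dst)))
    return {"nats": nats, "globals": globals_, "acls": acls}


def nat_covers(parsed, nat, src_ip, dst_ip):
    """True if this nat statement selects the flow src_ip -> dst_ip (first matching ACE wins)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if nat["acl"] is None:
        return src in nat["src"]
    for action, s, d in parsed["acls"].get(nat["acl"], []):
        if src in s and dst in d:
            return action == "permit"
    return False  # ACL absent or nothing matched: this nat does not translate the flow


def report(config, src_ip, dst_ip):
    """Per nat statement: (interface, id, other interfaces holding a matching global, covers the flow?)."""
    p = parse(config)
    return [(n["if"], n["id"], sorted(p["globals"].get(n["id"], set()) - {n["if"]}),
             nat_covers(p, n, src_ip, dst_ip)) for n in p["nats"]]
```

A nat whose third field is empty has no global to translate into, and a nat whose fourth field is False never sees the flow at all; either condition explains untranslated VPN traffic.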