07-22-2009 10:59 PM
Dear All,
1. We plan to create a site-to-site VPN tunnel between another company and our head office. They have the same LAN network range as ours; both locations are using the same network. It is not advisable to change the IP range at either location. Is there any way I can configure the site-to-site VPN and establish the connectivity?
2. We also plan to configure the client-to-site VPN (remote access VPN) tunnel authentication through certificates. We have an internal Windows server which is configured as a certificate server; we can download CA certificates from it, but this server is not NATed to a public IP. Can I use this server for remote access VPN? For remote access VPN, should the certificate server be available on the internet, or can it be in the internal network? Do we need to install the certificate in the PIX?
Please help me to configure the same.
Thanks
07-23-2009 12:30 AM
1. Yes - you just perform policy-based NAT on either side, then encrypt the NATed IP.
2. See the attached links:
HTH
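The answer above describes policy NAT on both sides with the crypto ACL matching the translated addresses. The configuration below is an added illustration of that layout, not part of the original thread or of Cisco's own example; all addresses, names and the pre-shared key are assumed. It uses the pre-8.3 PIX/ASA 7.x and 8.0/8.2 syntax that the linked wiki article covers (static policy NAT). Both real LANs are 192.168.1.0/24; Site A presents itself to Site B as 10.10.10.0/24 and Site B presents itself to Site A as 10.20.20.0/24, so each side only ever sees the other through its mapped range.

```cisco
! ---- Site A (head office) ----
! Real LAN 192.168.1.0/24, public IP 203.0.113.1 (assumed addresses)
! Site A appears to Site B as 10.10.10.0/24 and reaches Site B as 10.20.20.0/24
!
! Policy NAT: translate our real LAN only when the destination is Site B's mapped range
access-list POLICY-NAT-SITE-B extended permit ip 192.168.1.0 255.255.255.0 10.20.20.0 255.255.255.0
static (inside,outside) 10.10.10.0 access-list POLICY-NAT-SITE-B
!
! Crypto ACL matches the translated (post-NAT) addresses, never the real 192.168.1.0/24
access-list L2L-SITE-B extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
!
! IKEv1 phase 1 and IPsec phase 2 proposals
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-SITE-B
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key Replace-With-A-Long-Random-Secret
!
! ---- Site B (partner) ---- only the lines that differ from Site A
! Real LAN also 192.168.1.0/24, public IP 198.51.100.1 (assumed)
! Site B appears to Site A as 10.20.20.0/24 and reaches Site A as 10.10.10.0/24
access-list POLICY-NAT-SITE-A extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 10.20.20.0 access-list POLICY-NAT-SITE-A
access-list L2L-SITE-A extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2L-SITE-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key Replace-With-A-Long-Random-Secret
```

Two things to check when this does not come up. First, hosts at Site A must address Site B hosts by their mapped address (192.168.1.50 at B is 10.20.20.50 from A, and vice versa), so any DNS records or application configs exchanged between the companies need the mapped addresses. Second, NAT exemption (`nat (inside) 0 access-list ...`) takes precedence over static policy NAT on these releases, so an existing "no-NAT" ACL must not cover traffic to the peer's mapped range or the policy translation is silently skipped and the crypto ACL never matches. `show xlate` should show the 192.168.1.x to 10.10.10.x translations and `show crypto ipsec sa` the encaps/decaps counters climbing. On ASA 8.3 and later the `static ... access-list` form is gone and the same intent is written as twice NAT, e.g. `nat (inside,outside) source static REAL-A MAPPED-A destination static MAPPED-B REAL-B`, with the crypto ACL still written in mapped addresses.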
07-23-2009 12:55 AM
1. Yes, you can do this by employing NAT for the overlapping space; please have a look at:
http://supportwiki.cisco.com/ViewWiki/index.php/PIX/ASA_7.x_and_later:_Site_to_Site_(L2L)_IPsec_VPN_with_Policy_NAT_(Overlapping_Private_Networks)_Configuration_Example
(Copy the whole URL above, as the forum is breaking the link)
2. The certificates can be generated and installed on the endpoints without requiring that you publish your CA server over the internet (NAT). However, if you want to do SCEP enrollment etc. over the internet, you need to open it up. This all depends on your security policy; have a look at this link for configuration assistance:
Regards
Farrukh
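The answer above says the firewall and the clients can be enrolled against the internal Windows CA without exposing it, as long as SCEP over the internet is not used. The configuration below is an added example of that path (manual, copy-and-paste enrollment) and is not from the thread or from Cisco's documentation; the trustpoint name INTERNAL-CA, key label VPN-RSA, subject name, organisation and tunnel-group name RA-CERT are all assumed, and the syntax is ASA 8.0/8.2 (PIX/ASA 7.x spells a few keywords differently, for example `tunnel-group ... type ipsec-ra` and `crl nocheck` instead of `revocation-check`).

```cisco
! RSA key pair for the firewall's own identity certificate (assumed label VPN-RSA)
crypto key generate rsa label VPN-RSA modulus 2048
!
! Trustpoint for the internal Windows CA. "enrollment terminal" means the CA
! certificate and CSR are pasted in and out of the CLI, so the CA never has to
! be reachable from the internet (no SCEP).
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 subject-name CN=vpn.example.com,O=Example
 keypair VPN-RSA
 revocation-check crl none
 crl configure
!
! 1. Install the CA certificate: paste the base64 (PEM) CA cert downloaded from the
!    Windows CA, finish with "quit", and accept the fingerprint after checking it.
crypto ca authenticate INTERNAL-CA
! 2. Generate the CSR; submit it to the Windows CA (e.g. its certsrv web page)
!    from the inside network and copy the issued certificate back.
crypto ca enroll INTERNAL-CA
! 3. Paste the issued identity certificate.
crypto ca import INTERNAL-CA certificate
!
! IKE phase 1 authenticates with RSA signatures instead of a pre-shared key
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
!
! Remote-access tunnel group that presents the firewall's certificate
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT ipsec-attributes
 trust-point INTERNAL-CA
!
! Only certificates issued by the internal CA land in this tunnel group
crypto ca certificate map INTERNAL-CA-MAP 10
 issuer-name attr o eq Example
tunnel-group-map enable rules
tunnel-group-map INTERNAL-CA-MAP 10 RA-CERT
```

The CA's own certificate has to be on the firewall (that is the `crypto ca authenticate` step) so it can validate client certificates, and the firewall needs its own identity certificate from that CA (the enroll/import steps) so the VPN client can validate it in return. Client certificates are issued to users from the same internal CA while they are on the LAN and imported into the VPN client; nothing in that flow needs the CA on a public IP. Revocation checking still works because the CRL distribution point in the issued certificates points at the CA's internal URL, which the firewall reaches from its inside interface; `revocation-check crl none` tries the CRL and only falls back to not checking if it is unreachable, which is the setting to tighten to `revocation-check crl` once the CRL fetch is confirmed with `show crypto ca crls`.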