Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
454
Views
0
Helpful
3
Replies

VPN Help required

OHITS-OPS
Level 1
Level 1

‎09-13-2006 02:24 AM - edited ‎02-21-2020 02:37 PM

I have a situation where I need to setup a VPN L2L tunnel. The peer is using Checkpoint NG and I am using a PIX 515 (Code: 6.2(2))

Now my problem is the following:

The peer (Checkpoint end) needs us to 'hide' our LAN address (our LAN address is on a 10.x.x.x subnet) so that it can communicate with their internal LAN. The Checkpoint side will only allow us to communicate with them if we 'hide' our LAN side IP address.

Now my question is:

How can I setup the VPN tunnel so that when traffic goes out from my LAN to the Checkpoint it gets NAT'ed to a internet routable IP (which I have).

I hope the above explanation is clear but if you require further information then please let me know.

Any help/advice on this will be very much appreciated, I would really be grateful if someone can post configuration examples

Many thanks.

Labels:
0 Helpful
3 Replies 3

sachinraja
Level 9
Level 9

‎09-13-2006 07:35 AM

YOu can do this..

you need to first nat the IP on the PIX with an IP address .. infact PAT it... config will be something like one below:

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 203.2.2.2

when configuring IPSEC crypto ACLs, you need to give the source IP as 203.2.2.2 for triggering the interesting traffic.. this is possible, because NAT happens before encryption... similarly, on the other end, you need to give the destination IP subnet as 203.2.2.2 ...

hope this solves your query... rate replies if found useful...

Raj

0 Helpful

OHITS-OPS
Level 1
Level 1
In response to sachinraja

‎09-14-2006 07:44 AM

Hi Raj - thanks for reply.

I'm sorry but I don't get it! I already have on my PIX:

nat (inside) 1 0 0

global (outside) 1 interface

I already have site-to-site VPN to other customers but this one customer requires that I hide our internal LAN IP when connecting to their network and to use an internet routable address, i.e. I must NAT!

How do I achive this VPN??

I'm slightly stuck on this so any help would be very much appreciated. If you could post configuration examples then this would help.

Many thanks in advance.

0 Helpful

huynhkhay
Level 1
Level 1
In response to OHITS-OPS

‎09-15-2006 12:06 AM

Hi,

As sachinraja said, you have to NAT your local network to an internet routable address when your local network have to go through this particular VPN tunnel.

You said you already have site-to-site VPN to other customers.

Look in your configuration, you should have these lines:

access-list nat_0_outbound permit ip 10.X.X.0 255.255.X.X 192.100.24.0 255.255.248.0

where 10.X.X.0 / 255.255.X.X is your local network and 192.100.24.0/21 the remote network.

The VPN tunnel with the customer who wants you to hide your IP addresses will look like the same:

access-list NET1 permit ip 10.X.X.X 255.255.X.0 192.30.12.0 255.255.255.0

where 10.X.X.0 / 255.255.X.X is your local network and 192.30.12.0/24 the remote network of this customer.

And you have to add the NAT rules, as Raj indicates:

nat (inside) 11 access-list NET1

global (outside) 11 203.2.2.2 255.255.255.255

where 203.2.2.2 is the internet routable address the customer gave you.

Thanks you for giving us update on your case and if it works.

0 Helpful
Customers Also Viewed These Support Documents