
Markus Marquardt 06-14-2007 12:34 PM

Remote VPN router behind internet access router
 
Hello,

maybe someone could give me a hint about this scenario:

<local LAN>
|
|
<PIX515e/7.2>
|Public IP
|
|
<Internet>
|
|
|Public IP
<Internet gw>
|Private IP
|
|Private IP
<VPN gateway>
|Private IP
|
<remote LAN>

I want to establish a VPN connection between our local PIX and the
remote VPN gateway. The remote gateway is not directly connected to the
internet. It's connected to <Internet gw> which forwards all packets and
is doing 1:1 NAT between the public IP address and the private IP address.

When trying to establish the VPN tunnel, on the PIX I get something like

Group = <something>, IP = <Public IP internet GW>, Rejecting IPSec
tunnel: no matching crypto map entry for remote proxy <Private IP VPN
gateway>/255.255.255.255/0/0 local proxy <Public IP
PIX>/255.255.255.255/0/0 on interface outside

The reason is the different public/private addresses which are seen for
the remote VPN gateway. Is there any way to get around this? NAT-T?
Which address should be used for the crypto map: The public or private
address of the remote VPN gw?

With kind regards
Markus

Newbie72 06-14-2007 01:57 PM

Re: Remote VPN router behind internet access router
 
On Jun 14, 8:34 am, Markus Marquardt <adrock0...@arcor.de> wrote:
> Hello,
>
> maybe someone could give me a hint about this scenario:
>
> <local LAN>
> |
> |
> <PIX515e/7.2>
> |Public IP
> |
> |
> <Internet>
> |
> |
> |Public IP
> <Internet gw>
> |Private IP
> |
> |Private IP
> <VPN gateway>
> |Private IP
> |
> <remote LAN>
>
> I want to establish a VPN connection between our local PIX and the
> remote VPN gateway. The remote gateway is not directly connected to the
> internet. It's connected to <Internet gw> which forwards all packets and
> is doing 1:1 NAT between the public IP address and the private IP address.
>
> When trying to establish the VPN tunnel, on the PIX i get something like
>
> Group = <something>, IP = <Public IP internet GW>, Rejecting IPSec
> tunnel: no matching crypto map entry for remote proxy <Private IP VPN
> gateway>/255.255.255.255/0/0 local proxy <Public IP
> PIX>/255.255.255.255/0/0 on interface outside
>
> The reason are the different public/private addresses which are seen for
> the remote VPN gateway. Is there any way to get around this? NAT-T?
> Which address should be used for the crypto map: The public or private
> address of the remote VPN gw?
>
> With kind regards
> Markus


The first question is: what type of hardware are you using? The second
question is: what type of hardware are you connecting to?

Check out the link below; it should be able to answer most of your
questions if you are using PIX 6.3:
http://www.cisco.com/en/US/docs/secu.../sit2site.html

Here is a link if you are using PIX 7.x or an ASA appliance:
http://www.cisco.com/en/US/products/...805a87f7.shtml



Markus Marquardt 06-14-2007 02:40 PM

Re: Remote VPN router behind internet access router
 
Newbie72 wrote:
>> <PIX515e/7.2>
>
> The first question is What type of hardware are you using? 2nd

See above...

> question is what type of hardware are you connecting to?


Remote internet gw: I don't know
Remote VPN gw: Checkpoint-Something

The problem is not creating a VPN connection at all; the problem is
that the remote VPN gw is connected via an RFC 1918 transfer network to
the internet.

Regards
Markus

maco 06-14-2007 07:49 PM

Both ends should use NAT traversal.

You should use the public IP of the VPN gateway (Checkpoint) if you want to reach it through the Internet.
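As an added example (not from this thread or from Cisco), a small Python triage over constructed PIX-style rejection lines in the shape Markus quoted: it parses the peer address and the remote/local proxy identities and separates the case maco's answer addresses, where the peer arrives from a public address but presents an RFC 1918 host identity, from an ordinary crypto ACL mismatch. The log lines, addresses and verdict labels are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines shaped like the PIX 7.x message quoted in the
# original post; addresses are RFC 1918 / documentation ranges, not real peers.
SAMPLE_LOGS = [
    # Peer arrives from a public address but identifies itself by an RFC 1918 /32:
    # the pattern produced when the far gateway sits behind 1:1 NAT.
    "Group = 198.51.100.7, IP = 198.51.100.7, Rejecting IPSec tunnel: no matching "
    "crypto map entry for remote proxy 10.20.0.2/255.255.255.255/0/0 local proxy "
    "203.0.113.5/255.255.255.255/0/0 on interface outside",
    # Both proxies are subnets: an ordinary crypto ACL mismatch between the ends.
    "Group = 192.0.2.9, IP = 192.0.2.9, Rejecting IPSec tunnel: no matching "
    "crypto map entry for remote proxy 172.16.5.0/255.255.255.0/0/0 local proxy "
    "10.1.0.0/255.255.255.0/0/0 on interface outside",
]

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

REJECT_RE = re.compile(
    r"Group = (?P<group>[^,]+), IP = (?P<peer>[\d.]+), Rejecting IPSec tunnel: "
    r"no matching crypto map entry for remote proxy "
    r"(?P<rproxy>[\d.]+)/(?P<rmask>[\d.]+)/(?P<rproto>\d+)/(?P<rport>\d+) "
    r"local proxy (?P<lproxy>[\d.]+)/(?P<lmask>[\d.]+)/(?P<lproto>\d+)/(?P<lport>\d+)"
)

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def parse_reject(line):
    """Return the message fields as a dict, or None for any other line."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None

def diagnose(rec):
    """Separate 'peer behind NAT' from an ordinary crypto ACL mismatch."""
    peer, rproxy = ip_address(rec["peer"]), ip_address(rec["rproxy"])
    if (rec["rmask"] == "255.255.255.255" and rproxy != peer
            and is_rfc1918(rproxy) and not is_rfc1918(peer)):
        # Identity is the far end's private address while its packets come from a
        # public one: check NAT-T on both ends and use the public address as peer.
        return "peer-behind-nat"
    return "crypto-acl-mismatch"

def triage(lines):
    out = []
    for rec in map(parse_reject, lines):
        if rec:
            out.append((rec["peer"], diagnose(rec)))
    return out
```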

