PIX to Checkpoint IPSEC connection with identical underlying subnets

Discussion in 'Cisco' started by Saucy Levine, Dec 8, 2003.

  1. Saucy Levine

    Saucy Levine Guest

    We are trying to use an IPSEC tunnel to have an outside
    company access one of our host systems, but our local subnets are
    identical. What is the best way to allow the underlying systems to
    communicate? Can we publish an external address through our PIX and
    NAT the address to a different subnet, or is there another way to make
    the inside address appear to be an external address?
    I have read the example on connecting two routers with IPSEC
    and identical subnets. Does anyone have any experience applying the
    example to a PIX? Is this type of setup usual and recommended?
    The outside company doesn't allow opening any ports; they
    funnel all traffic through a proxy and will only consider establishing
    an external IP address for IPSEC.

    Thank you,

    Stacey
    Saucy Levine, Dec 8, 2003
    #1

  2. In article <>,
    Saucy Levine <> wrote:
    : We are trying to use an IPSEC tunnel to have an outside
    : company access one of our host systems, but our local subnets are
    : identical. What is the best way to allow the underlying systems to
    : communicate? Can we publish an external address through our PIX and
    : NAT the address to a different subnet or is there another way to make
    : the inside address appear to be an external address?

    NAT will be done for IPSec traffic unless you exempt it using
    static or nat 0 (usually using nat 0 access-list). There should
    not be any problem using "outside nat" to make them -appear- to be
    at a different IP address.


    As they will not be permitting you to make any new connections to them,
    I would suggest using something like

    nat (outside) 1 192.168.123.0 255.255.255.0 outside
    global (inside) 1 10.168.123.1 netmask 255.255.255.0

    to make -their- 192.168.123/24 appear to your network as 10.168.123.1/24

    If connections were being permitted in both directions, then 'static'
    would be more appropriate.
    --
    Any sufficiently advanced bug is indistinguishable from a feature.
    -- Rich Kulawiec
    Walter Roberson, Dec 8, 2003
    #2
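The outside-NAT flow described in the reply above, as an added Python model that is not part of this thread or of any PIX code: it keeps the xlate table a PIX would build under those nat/global statements, rewrites the source of packets arriving from the tunnel into the 10.168.123.0/24 pool, undoes that on the reply, and shows why an inside host would never route the untranslated remote address to its gateway at all. The subnet values are the ones from the post; the class and function names are made up for this illustration.

```python
from ipaddress import ip_address, ip_network


class OverlapTunnelNat:
    """Model of PIX outside NAT for a tunnel whose remote subnet overlaps ours.

    Constructed for illustration, not PIX code: remote_net is the peer's real
    subnet, pool is the 'global (inside)' range it is shown as, local_net is
    our own (identical) subnet.
    """

    def __init__(self, remote_net, pool, local_net):
        self.remote_net = ip_network(remote_net)
        self.local_net = ip_network(local_net)
        # The mapped pool must not overlap the inside subnet, or inside hosts
        # would again treat the remote peers as local and bypass the tunnel.
        if ip_network(pool).overlaps(self.local_net):
            raise ValueError("global pool overlaps the inside subnet")
        self.free = list(ip_network(pool).hosts())   # unused pool addresses
        self.xlate = {}      # real remote address -> mapped address
        self.reverse = {}    # mapped address -> real remote address

    def from_tunnel(self, src, dst):
        """Packet leaving the tunnel toward the inside: rewrite its source.
        Returns (new_src, dst), or None when the PIX would drop it."""
        real = ip_address(src)
        if real not in self.remote_net:
            return None   # no 'nat (outside)' match; outside this model
        if real not in self.xlate:
            if not self.free:
                return None   # pool exhausted: no xlate can be built
            mapped = self.free.pop(0)
            self.xlate[real] = mapped
            self.reverse[mapped] = real
        return str(self.xlate[real]), dst

    def to_tunnel(self, src, dst):
        """Reply from an inside host: restore the remote host's real address."""
        mapped = ip_address(dst)
        if mapped not in self.reverse:
            return None   # no xlate entry, so nothing to untranslate
        return src, str(self.reverse[mapped])


def inside_host_sends_via_gateway(local_net, dst):
    """Would an inside host forward dst to its default gateway (the PIX)?
    With identical subnets the untranslated remote address looks local, so the
    host ARPs for it on the LAN and the tunnel is never used."""
    return ip_address(dst) not in ip_network(local_net)
```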
