Remote VPN router behind internet access router

Discussion in 'Cisco' started by Markus Marquardt, Jun 14, 2007.

  1. Hello,

    maybe someone could give me a hint about this scenario:

    <local LAN>
    |
    |
    <PIX515e/7.2>
    |Public IP
    |
    |
    <Internet>
    |
    |
    |Public IP
    <Internet gw>
    |Private IP
    |
    |Private IP
    <VPN gateway>
    |Private IP
    |
    <remote LAN>

    I want to establish a VPN connection between our local PIX and the
    remote VPN gateway. The remote gateway is not directly connected to the
    internet. It's connected to <Internet gw> which forwards all packets and
    is doing 1:1 NAT between the public IP address and the private IP address.

    When trying to establish the VPN tunnel, on the PIX I get something like

    Group = <something>, IP = <Public IP internet GW>, Rejecting IPSec
    tunnel: no matching crypto map entry for remote proxy <Private IP VPN
    gateway>/255.255.255.255/0/0 local proxy <Public IP
    PIX>/255.255.255.255/0/0 on interface outside

    The reason is the different public/private addresses which are seen for
    the remote VPN gateway. Is there any way to get around this? NAT-T?
    Which address should be used for the crypto map: the public or private
    address of the remote VPN gw?

    With kind regards
    Markus
     
    Markus Marquardt, Jun 14, 2007
    #1

  2. Markus Marquardt

    Newbie72 Guest

    On Jun 14, 8:34 am, Markus Marquardt <> wrote:
    > Hello,
    >
    > maybe someone could give me a hint about this scenario:
    >
    > <local LAN>
    > |
    > |
    > <PIX515e/7.2>
    > |Public IP
    > |
    > |
    > <Internet>
    > |
    > |
    > |Public IP
    > <Internet gw>
    > |Private IP
    > |
    > |Private IP
    > <VPN gateway>
    > |Private IP
    > |
    > <remote LAN>
    >
    > I want to establish a VPN connection between our local PIX and the
    > remote VPN gateway. The remote gateway is not directly connected to the
    > internet. It's connected to <Internet gw> which forwards all packets and
    > is doing 1:1 NAT between the public IP address and the private IP address.
    >
    > When trying to establish the VPN tunnel, on the PIX I get something like
    >
    > Group = <something>, IP = <Public IP internet GW>, Rejecting IPSec
    > tunnel: no matching crypto map entry for remote proxy <Private IP VPN
    > gateway>/255.255.255.255/0/0 local proxy <Public IP
    > PIX>/255.255.255.255/0/0 on interface outside
    >
    > The reason is the different public/private addresses which are seen for
    > the remote VPN gateway. Is there any way to get around this? NAT-T?
    > Which address should be used for the crypto map: the public or private
    > address of the remote VPN gw?
    >
    > With kind regards
    > Markus


    The first question is: what type of hardware are you using? The second
    question is: what type of hardware are you connecting to?

    Check out the link below; it should be able to answer most of your
    questions if you are using PIX 6.3:
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html

    Here is a link if you are using PIX 7.x or an ASA appliance:
    http://www.cisco.com/en/US/products...s_configuration_example09186a00805a87f7.shtml
     
    Newbie72, Jun 14, 2007
    #2

  3. Newbie72 wrote:
    >> <PIX515e/7.2>

    >
    > The first question is What type of hardware are you using? 2nd


    See above...

    > question is what type of hardware are you connecting to?


    Remote internet gw: I don't know
    Remote VPN gw: Checkpoint-Something

    The problem is not to create a VPN connection at all; the problem is
    that the remote VPN gw is connected via an RFC 1918 transfer network to
    the internet.

    Regards
    Markus
     
    Markus Marquardt, Jun 14, 2007
    #3
  4. maco

    Both ends should use NAT traversal (NAT-T).

    You should use the Public IP of the VPN gateway (Checkpoint) if you want to reach it through Internet.
     
    maco, Jun 14, 2007
    #4
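The log message Markus quotes carries three things that have to line up with the crypto map: the IKE peer address (`IP = ...`, the public address of the internet gateway), the remote proxy (the private address of the VPN gateway behind the 1:1 NAT) and the local proxy. The following added example, not from the thread or from Cisco, parses rejection lines of that shape and reports which of the three does not fit a crypto map entry, and flags the NAT symptom described in the thread (an RFC 1918 remote proxy arriving from a public peer). The crypto map entries, the `CryptoMapEntry` class and all sample addresses are constructed for this example; 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of the PIX 7.2 message quoted in the
# thread. 203.0.113.10 stands in for the public IP of the internet gateway,
# 198.51.100.5 for the public IP of the PIX; the remote proxy is the VPN
# gateway's private (RFC 1918) address, exactly the symptom Markus describes.
SAMPLE_LOG = [
    "Group = 203.0.113.10, IP = 203.0.113.10, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 10.20.0.1/255.255.255.255/0/0 "
    "local proxy 198.51.100.5/255.255.255.255/0/0 on interface outside",
    "Group = 203.0.113.10, IP = 203.0.113.10, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 172.16.5.0/255.255.255.0/0/0 "
    "local proxy 192.168.10.0/255.255.255.0/0/0 on interface outside",
]

# Hypothetical crypto map: 'set peer' is the public address the PIX sees IKE
# coming from (maco's advice); the ACL names the private networks on each side.
@dataclass
class CryptoMapEntry:
    peer: str        # address given to 'crypto map ... set peer'
    local_net: str   # source network of the 'match address' ACL line
    remote_net: str  # destination network of that ACL line

CRYPTO_MAP = [CryptoMapEntry("203.0.113.10", "192.168.10.0/24", "10.20.0.0/24")]

LOG_RE = re.compile(
    r"IP = (?P<peer>[\d.]+), Rejecting IPSec tunnel: no matching crypto map entry "
    r"for remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(net):
    """True if the whole network lies inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918)

def parse_reject(line):
    """Extract peer address and both proxy identities; None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "peer": ipaddress.ip_address(m["peer"]),
        # PIX prints proxies as address/netmask; strict=False tolerates host bits
        "remote_proxy": ipaddress.ip_network(f"{m['raddr']}/{m['rmask']}", strict=False),
        "local_proxy": ipaddress.ip_network(f"{m['laddr']}/{m['lmask']}", strict=False),
    }

def diagnose(line, entries):
    """Return a list of findings explaining why no crypto map entry matched."""
    rec = parse_reject(line)
    if rec is None:
        return ["not a crypto map rejection message"]
    peer, rp, lp = rec["peer"], rec["remote_proxy"], rec["local_proxy"]
    findings = []
    for_peer = [e for e in entries if ipaddress.ip_address(e.peer) == peer]
    if not for_peer:
        findings.append(f"no crypto map entry has 'set peer {peer}'")
    else:
        remote_ok = any(rp.subnet_of(ipaddress.ip_network(e.remote_net)) for e in for_peer)
        local_ok = any(lp.subnet_of(ipaddress.ip_network(e.local_net)) for e in for_peer)
        if not remote_ok:
            findings.append(f"remote proxy {rp} is not covered by the ACL for peer {peer}")
        if not local_ok:
            findings.append(f"local proxy {lp} is not covered by the ACL for peer {peer}")
        if remote_ok and local_ok:
            findings.append("proxy identities are covered; the cause is outside the crypto map ACL")
    # The thread's situation: private proxy identity offered from a public peer.
    if is_rfc1918(rp) and not is_rfc1918(ipaddress.ip_network(f"{peer}/32")):
        findings.append(
            f"remote proxy {rp} is RFC 1918 while the IKE peer {peer} is not: "
            "the VPN gateway sits behind NAT; keep the public address as 'set peer', "
            "name the private network in the ACL and enable NAT-T on both ends")
    return findings

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line)
        for finding in diagnose(line, CRYPTO_MAP):
            print("  -", finding)
```

Run against the first constructed line, the script reports that the local proxy (the PIX's own public address, /32) is not in the ACL while the remote proxy is, and adds the NAT note; against the second line it reports that 172.16.5.0/24 is not a remote network the map knows. The point the thread leaves implicit is that the `set peer` address and the proxy identities are checked separately: the peer is the public address after NAT, the proxies are whatever the Checkpoint proposes, which here is its private address.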
