Site to Site VPN between 501's with Overlapping Private subnets

Discussion in 'Cisco' started by Evolution, Dec 2, 2005.

  1. Evolution

    Evolution Guest

    Can anyone give the syntax on how to perform this, or put a link to an
    example?

    I have two Pix 501s that need a site to site VPN. Both have unique
    public addresses, however on the inside, they both have
    192.168.168.0/24 configured.

    Cisco has examples of doing this, but I couldn't find an example for
    overlapping subnets involving pixes.

    Any help would be greatly appreciated. Thanks!!!

    -rws

    Evolution, Dec 2, 2005
    #1

  2. Evolution

    Guest

    Well, I do not have an exact example, but other than the VPN commands,
    basically what you need to do is double NATting. Here's what it would
    look like. Basically, everyone is NATted: from site A, you appear
    to be 192.168.1.0, and from B, 192.168.2.0.

    On PIX A : you may reach site B with 192.168.2.0 addresses

    hostname pixa
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    ! pre-shared key for the peer; put PIX B's public address here
    isakmp key cisco1234 address 1.2.3.4 netmask 255.255.255.255
    crypto ipsec transform-set strong esp-3des esp-sha-hmac

    ! Policy NAT access-list: site A hosts (real 192.168.168.0/24) talking to
    ! site B as it appears from here (192.168.2.0/24) get translated to 192.168.1.0/24
    access-list vpnnat permit ip 192.168.168.0 255.255.255.0 192.168.2.0 255.255.255.0
    ! Crypto access-list: the PIX applies NAT before it checks the crypto map,
    ! so interesting traffic is defined on the translated addresses, not 192.168.168.0/24
    access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    ! Policy NAT gets its own NAT id (2) so it does not collide with the Internet PAT (id 1)
    nat (inside) 2 access-list vpnnat
    global (outside) 2 192.168.1.1-192.168.1.254 netmask 255.255.255.0
    ! perhaps you may want to use a static policy NAT instead of nat 2 / global 2
    ! (fixed one-to-one mappings, so site B can also open connections to site A hosts):
    ! static (inside,outside) 192.168.1.0 access-list vpnnat
    ! or something similar.. not sure... same idea on both site A and B.
    ! nat everyone else going to Internet
    nat (inside) 1 0 0
    ! your public IP address or whatever PAT IP address you want
    global (outside) 1 a.b.c.d

    crypto map mymap 20 ipsec-isakmp
    crypto map mymap 20 match address vpn
    crypto map mymap 20 set transform-set strong
    ! define remote peer (PIX B's public address, same as on the isakmp key line)
    crypto map mymap 20 set peer 1.2.3.4
    crypto map mymap interface outside
    sysopt connection permit-ipsec


    On PIX B : you may reach site A with 192.168.1.0 addresses

    hostname pixb
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    ! pre-shared key for the peer; put PIX A's public address here
    isakmp key cisco1234 address 1.2.3.4 netmask 255.255.255.255
    crypto ipsec transform-set strong esp-3des esp-sha-hmac

    ! Policy NAT access-list: site B hosts (real 192.168.168.0/24) talking to
    ! site A as it appears from here (192.168.1.0/24) get translated to 192.168.2.0/24
    access-list vpnnat permit ip 192.168.168.0 255.255.255.0 192.168.1.0 255.255.255.0
    ! Crypto access-list on the translated addresses (mirror image of PIX A's)
    access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    ! Policy NAT on its own NAT id (2), separate from the Internet PAT (id 1)
    nat (inside) 2 access-list vpnnat
    global (outside) 2 192.168.2.1-192.168.2.254 netmask 255.255.255.0
    ! or, as on PIX A, a static policy NAT for fixed bidirectional mappings:
    ! static (inside,outside) 192.168.2.0 access-list vpnnat
    ! nat everyone else going to Internet
    nat (inside) 1 0 0
    ! your public IP address or whatever PAT IP address you want
    global (outside) 1 a.b.c.d

    crypto map mymap 20 ipsec-isakmp
    crypto map mymap 20 match address vpn
    crypto map mymap 20 set transform-set strong
    ! define remote peer (PIX A's public address, same as on the isakmp key line)
    crypto map mymap 20 set peer 1.2.3.4
    crypto map mymap interface outside
    sysopt connection permit-ipsec
     
    , Dec 3, 2005
    #2
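A small model of the double-NAT flow described in this reply, added here as an illustration rather than anything posted in the thread. The addresses are the constructed ones from the post (real 192.168.168.0/24 at both sites, A shown as 192.168.1.0/24, B as 192.168.2.0/24); it assumes the PIX order of operations is policy NAT first, then crypto map matching on the translated packet, and the second case shows why a crypto access-list written against the real 192.168.168.0/24 never matches.

```python
import ipaddress

# Constructed topology from the thread: both sites really use 192.168.168.0/24.
# Site A is presented to B as 192.168.1.0/24, site B is presented to A as 192.168.2.0/24.
REAL_NET = ipaddress.ip_network("192.168.168.0/24")
MAPPED = {"A": ipaddress.ip_network("192.168.1.0/24"),
          "B": ipaddress.ip_network("192.168.2.0/24")}
PEER = {"A": "B", "B": "A"}


def translate(addr, from_net, to_net):
    """One-to-one network translation: keep the host part, swap the prefix."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        return addr  # not covered by this policy NAT
    return to_net[int(addr) - int(from_net.network_address)]


def pix_outbound(site, src, dst, crypto_acl):
    """Packet leaving `site` through its PIX (assumed order: policy NAT, then
    crypto map check on the translated packet). crypto_acl is (src_net, dst_net).
    Returns (src_on_wire, dst, encrypted). Internet PAT is not modelled."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in MAPPED[PEER[site]]:  # the vpnnat policy matches
        src = translate(src, REAL_NET, MAPPED[site])
    encrypted = src in crypto_acl[0] and dst in crypto_acl[1]
    return str(src), str(dst), encrypted


def pix_inbound(site, src, dst):
    """Receiving PIX: the mirrored crypto ACL matches, and its policy NAT
    un-translates the destination back to the real inside address."""
    return str(src), str(translate(dst, MAPPED[site], REAL_NET))


def end_to_end(src_real_at_a, dst_as_seen_from_a, acl_on_real_net=False):
    """Host at site A talks to a site B host using B's mapped address.
    Returns the (src, dst) the B host finally sees, or None if PIX A never
    encrypted the packet (it would leave via the Internet PAT instead)."""
    acl = (REAL_NET, MAPPED["B"]) if acl_on_real_net else (MAPPED["A"], MAPPED["B"])
    src, dst, encrypted = pix_outbound("A", src_real_at_a, dst_as_seen_from_a, acl)
    if not encrypted:
        return None
    return pix_inbound("B", src, dst)
```

The B host sees the A host as 192.168.1.10, outside its own subnet, so the reply routes back to PIX B and the same translation runs in reverse.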