PIX to Checkpoint IPSEC connection with identical underlying subnets

Discussion in 'Cisco' started by Saucy Levine, Dec 8, 2003.

  1. Saucy Levine

    Saucy Levine Guest

    We are trying to use an IPSEC tunnel to have an outside
    company access one of our host systems, but our local subnets are
    identical. What is the best way to allow the underlying systems to
    communicate? Can we publish an external address through our PIX and
    NAT the address to a different subnet or is there another way to make
    the inside address appear to be an external address?
    I have read the example on connecting two routers with IPSEC
    and identical subnets. Does anyone have any experience applying the
    example to a PIX. Is this type of setup usual and recommended?
    The outside company doesn't allow for opening any ports, they
    funnel all traffic through a proxy and will only consider establishing
    an external IP address for IPSEC.

    Thank you,

    Stacey
     
    Saucy Levine, Dec 8, 2003
    #1

  2. : We are trying to use an IPSEC tunnel to have an outside
    :company access one of our host systems, but our local subnets are
    :identical. What is the best way to allow the underlying systems to
    :communicate? Can we publish an external address through our PIX and
    :NAT the address to a different subnet or is there another way to make
    :the inside address appear to be an external address?

    NAT will be done for IPSec traffic unless you exempt it using
    static or nat 0 (usually using nat 0 access-list). There should
    not be any problem using "outside nat" to make them -appear- to be
    at a different IP address.


    As they will not be permitting you to make any new connections to them,
    I would suggest using something like

    nat (outside) 1 192.168.123.0 255.255.255.0 outside
    global (inside) 1 10.168.123.1 netmask 255.255.255.0

    to make -their- 192.168.123/24 appear to your network as 10.168.123.1/24

    If connections were being permitted in both directions, then 'static'
    would be more appropriate.
     
    Walter Roberson, Dec 8, 2003
    #2
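As an added illustration of the overlap problem and of Walter's outside-NAT remedy (this is example code written for this page, not anything posted in the thread), the script below checks whether two VPN endpoints share an address range, derives the host-by-host mapping that a one-to-one `static (outside,inside)` translation would produce, and emits the PIX 6.x `nat`/`global` (or `static`) lines for the translated range. The PIX syntax assumed here is the 6.2+ form with an explicit NAT id and the trailing `outside` keyword; the 10.168.123.0/24 mapped range is the one suggested in the reply.

```python
"""Overlap check and outside-NAT plan for an IPsec peer whose LAN collides with ours.
Added example; assumes PIX 6.2+ outside-NAT syntax and a /24 peer network."""
import ipaddress


def subnets_overlap(a: str, b: str) -> bool:
    """True when the two CIDR ranges share any address (the condition that breaks
    a plain site-to-site tunnel: the PIX cannot tell local from remote hosts)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def translate_peer_address(peer_ip: str, peer_net: str, mapped_net: str) -> ipaddress.IPv4Address:
    """Model a one-to-one static outside NAT: the peer host keeps its host bits
    and only the network part changes, so 192.168.123.45 shows up as 10.168.123.45."""
    real = ipaddress.ip_network(peer_net)
    mapped = ipaddress.ip_network(mapped_net)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("a 1:1 translation needs equal-sized real and mapped ranges")
    ip = ipaddress.ip_address(peer_ip)
    if ip not in real:
        raise ValueError(f"{ip} is not inside the peer network {real}")
    offset = int(ip) - int(real.network_address)
    return ipaddress.ip_address(int(mapped.network_address) + offset)


def plan_outside_nat(local_net: str, peer_net: str, mapped_net: str,
                     bidirectional: bool = False, nat_id: int = 1) -> list:
    """Return the PIX lines that make the peer's LAN appear as mapped_net on our
    inside interface. Empty list when no translation is needed (no overlap).
    bidirectional=False: dynamic nat/global pool (peer initiates, as in the thread).
    bidirectional=True: static 1:1 mapping, so our hosts can also reach theirs."""
    if not subnets_overlap(local_net, peer_net):
        return []
    real = ipaddress.ip_network(peer_net)
    mapped = ipaddress.ip_network(mapped_net)
    # The translated range must itself be free on our side, or we only move the clash.
    if mapped.overlaps(ipaddress.ip_network(local_net)):
        raise ValueError(f"mapped range {mapped} still collides with local {local_net}")
    if bidirectional:
        # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
        return [f"static (outside,inside) {mapped.network_address} "
                f"{real.network_address} netmask {mapped.netmask}"]
    hosts = list(mapped.hosts())
    return [
        f"nat (outside) {nat_id} {real.network_address} {real.netmask} outside",
        f"global (inside) {nat_id} {hosts[0]}-{hosts[-1]} netmask {mapped.netmask}",
    ]


if __name__ == "__main__":
    # Constructed sample: both sides use 192.168.123.0/24, as in the original question.
    for line in plan_outside_nat("192.168.123.0/24", "192.168.123.0/24", "10.168.123.0/24"):
        print(line)
    print(translate_peer_address("192.168.123.45", "192.168.123.0/24", "10.168.123.0/24"))
```

With a dynamic pool, which host gets which 10.168.123.x address is decided at connection time, so only the static form gives the stable, predictable mapping that `translate_peer_address` computes; that is the practical reason the reply reserves `static` for the case where connections are allowed in both directions.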