Remote VPN router behind internet access router

Discussion in 'Cisco' started by Markus Marquardt, Jun 14, 2007.

  1. Hello,

    maybe someone could give me a hint about this scenario:

    <local LAN>
    |Public IP
    |Public IP
    <Internet gw>
    |Private IP
    |Private IP
    <VPN gateway>
    |Private IP
    <remote LAN>

    I want to establish a VPN connection between our local PIX and the
    remote VPN gateway. The remote gateway is not directly connected to the
    internet. It's connected to <Internet gw> which forwards all packets and
    is doing 1:1 NAT between the public IP address and the private IP address.

    When trying to establish the VPN tunnel, on the PIX I get something like

    Group = <something>, IP = <Public IP internet GW>, Rejecting IPSec
    tunnel: no matching crypto map entry for remote proxy <Private IP VPN
    gateway>/ local proxy <Public IP
    PIX>/ on interface outside

    The reason is the different public/private addresses which are seen for
    the remote VPN gateway. Is there any way to get around this? NAT-T?
    Which address should be used for the crypto map: The public or private
    address of the remote VPN gw?

    With kind regards
    Markus Marquardt, Jun 14, 2007
  2. Newbie72 (Guest)

    The first question is: what type of hardware are you using? Second
    question: what type of hardware are you connecting to?

    Check out the below link; it should be able to answer most of your
    questions if you are using PIX 6.3.

    here is a link if you are using Pix 7.x or ASA appliance
    Newbie72, Jun 14, 2007
  3. See above...
    Remote internet gw: I don't know
    Remote VPN gw: Checkpoint-Something

    The problem is not to create a VPN connection at all; the problem is
    that the remote VPN gw is connected via an RFC 1918 transfer network to
    the internet.

    Markus Marquardt, Jun 14, 2007
  4. maco
    Both ends should use nat-traversal

    You should use the Public IP of the VPN gateway (Checkpoint) if you want to reach it through the Internet.
    maco, Jun 14, 2007
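    The two recommendations in the thread (NAT-T on both ends, crypto map peer set to the public address) written out in PIX 6.3 syntax, as an added example that is not from any post in the thread. All addresses, the names vpn-to-remote, outside_map and ESP-3DES-SHA, and the 3DES/SHA/group 2 proposal are constructed placeholders; the Checkpoint side must be configured to match.

```text
! Added example (not from the thread). PIX 6.3 syntax; all addresses are
! constructed placeholders from the RFC 5737 documentation ranges:
!   203.0.113.1   = public IP of our PIX (outside)
!   192.0.2.1     = public IP of the remote <Internet gw>, 1:1 NATed to the Checkpoint
!   192.168.100.1 = private IP of the Checkpoint behind it (never referenced on the PIX)
!   10.1.0.0/16   = local LAN, 10.2.0.0/16 = remote LAN
!
! Phase 1: peer with the PUBLIC address, since that is the only one reachable
! from the Internet, and enable NAT-T on this end so ESP is carried in UDP/4500
! across the 1:1 NAT (the Checkpoint must enable NAT-T as well).
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp key ******** address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Phase 2: the crypto ACL defines the proxy identities. It must mirror the
! Checkpoint's encryption domain exactly (local LAN <-> remote LAN); if the
! remote end proposes its own private address instead, the PIX logs the
! "no matching crypto map entry for remote proxy ..." message quoted above.
access-list vpn-to-remote permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
! Exempt tunnel traffic from the PIX's own NAT so the proxy IDs stay intact.
nat (inside) 0 access-list vpn-to-remote
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn-to-remote
crypto map outside_map 10 set peer 192.0.2.1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
sysopt connection permit-ipsec
```

    The private address of the Checkpoint never appears on the PIX: the peer, the pre-shared key binding and the IKE identity all refer to the address the PIX actually sees after the 1:1 NAT.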
