Site to Site VPN between 501's with Overlapping Private subnets

Discussion in 'Cisco' started by Evolution, Dec 2, 2005.

  1. Evolution

    Evolution Guest

    Can anyone give the syntax on how to perform this, or put a link to an
    example?

    I have two Pix 501s that need a site to site VPN. Both have unique
    public addresses, however on the inside, they both have
    192.168.168.0/24 configured.

    Cisco has examples of doing this, but I couldn't find an example for
    overlapping subnets involving pixes.

    Any help would be greatly appreciated. Thanks!!!

    -rws

    Evolution, Dec 2, 2005
    #1

  2. Well, I do not have an exact example, but other than the VPN commands,
    basically what you need to do is double NATting. Here's what it would
    look like. Basically, everyone is NATted and from site A, you appear
    to be 192.168.1.0 and B, 192.168.2.0.

    On PIX A : you may reach site B with 192.168.2.0 addresses

    hostname pixa
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    ! put PIX B's public address here (1.2.3.4 is a placeholder); PIX 6.3 syntax
    isakmp key cisco1234 address 1.2.3.4 netmask 255.255.255.255
    crypto ipsec transform-set strong esp-3des esp-sha-hmac

    ! Policy NAT access-list - specify conditions under which to NAT for VPN:
    ! real inside hosts talking to site B's translated range
    access-list vpnnat permit ip 192.168.168.0 255.255.255.0 192.168.2.0 255.255.255.0
    ! perhaps you may want to use :
    ! static (inside,outside) 192.168.1.0 access-list vpnnat
    ! or something similar.. not sure... instead of nat 2 and global 2..
    ! in both in site A and B.
    ! (a policy static also builds translations for connections that site B
    ! initiates; the dynamic nat/global pair below only does so for outbound)
    nat (inside) 2 access-list vpnnat
    global (outside) 2 192.168.1.1-192.168.1.254 netmask 255.255.255.0
    ! nat everyone else going to Internet (separate NAT id from the VPN pool)
    nat (inside) 1 0 0
    ! your public IP address or whatever PAT IP add you want
    global (outside) 1 a.b.c.d

    ! the crypto map ACL is matched after NAT, so it names the translated addresses
    access-list vpncrypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    crypto map mymap 20 ipsec-isakmp
    crypto map mymap 20 match address vpncrypto
    crypto map mymap 20 set transform-set strong
    ! define remote peer (PIX B's public address, the same one as in the isakmp key line)
    crypto map mymap 20 set peer 1.2.3.4
    crypto map mymap interface outside
    sysopt connection permit-ipsec


    On PIX B : you may reach site A with 192.168.1.0 addresses

    hostname pixb
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    ! put PIX A's public address here (1.2.3.4 is a placeholder); PIX 6.3 syntax
    isakmp key cisco1234 address 1.2.3.4 netmask 255.255.255.255
    crypto ipsec transform-set strong esp-3des esp-sha-hmac

    ! Policy NAT access-list - specify conditions under which to NAT for VPN:
    ! real inside hosts talking to site A's translated range
    access-list vpnnat permit ip 192.168.168.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 2 access-list vpnnat
    global (outside) 2 192.168.2.1-192.168.2.254 netmask 255.255.255.0
    ! nat everyone else going to Internet (separate NAT id from the VPN pool)
    nat (inside) 1 0 0
    ! your public IP address or whatever PAT IP add you want
    global (outside) 1 a.b.c.d

    ! the crypto map ACL is matched after NAT, so it names the translated addresses
    access-list vpncrypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    crypto map mymap 20 ipsec-isakmp
    crypto map mymap 20 match address vpncrypto
    crypto map mymap 20 set transform-set strong
    ! define remote peer (PIX A's public address, the same one as in the isakmp key line)
    crypto map mymap 20 set peer 1.2.3.4
    crypto map mymap interface outside
    sysopt connection permit-ipsec
     
    olivier.martin, Dec 3, 2005
    #2
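To check that the two policy NAT rules in the reply above actually line up, here is an added Python model of the address plan (example code, not from the post or from Cisco): it walks one packet from a site A host to a site B host and back through both translations, and checks that the crypto ACL sees translated addresses. The /24 ranges are the ones proposed in the reply; the hosts .10 and .20 are constructed sample values.

```python
import ipaddress
# Addresses from the thread: both LANs really are 192.168.168.0/24; site A is
# shown to B as 192.168.1.0/24 and site B to A as 192.168.2.0/24.
REAL = ipaddress.ip_network("192.168.168.0/24")
SITE = {
    "A": {"mapped": ipaddress.ip_network("192.168.1.0/24"),
          "peer": ipaddress.ip_network("192.168.2.0/24")},
    "B": {"mapped": ipaddress.ip_network("192.168.2.0/24"),
          "peer": ipaddress.ip_network("192.168.1.0/24")},
}

def _remap(addr, src_net, dst_net):
    """Net-to-net 1:1 translation that keeps the host part, as a policy
    static does; both ranges are /24s, so the offset always fits."""
    return dst_net.network_address + (int(addr) - int(src_net.network_address))

def outbound(pix, src, dst):
    """inside->outside on `pix`: the policy ACL fires only for traffic from
    the real LAN to the peer's mapped range; everything else is left for PAT."""
    src, dst, s = ipaddress.ip_address(src), ipaddress.ip_address(dst), SITE[pix]
    if src in REAL and dst in s["peer"]:
        src = _remap(src, REAL, s["mapped"])
    return str(src), str(dst)

def inbound(pix, src, dst):
    """outside->inside on `pix`: undo this PIX's own mapping on the destination."""
    src, dst, s = ipaddress.ip_address(src), ipaddress.ip_address(dst), SITE[pix]
    if src in s["peer"] and dst in s["mapped"]:
        dst = _remap(dst, s["mapped"], REAL)
    return str(src), str(dst)

def crypto_acl_matches(pix, src, dst):
    """The crypto map ACL is checked after NAT, so it must name the mapped
    source range (192.168.1.0/24 on A), not the real 192.168.168.0/24."""
    s = SITE[pix]
    return ipaddress.ip_address(src) in s["mapped"] and ipaddress.ip_address(dst) in s["peer"]

def trace(host_a, host_b_as_seen_from_a):
    """Follow one packet A->B and its reply; returns the addresses at each hop."""
    wire = outbound("A", host_a, host_b_as_seen_from_a)
    assert crypto_acl_matches("A", *wire), "packet would bypass the tunnel"
    at_b = inbound("B", *wire)
    reply_wire = outbound("B", at_b[1], at_b[0])  # B's host answers the mapped source
    assert crypto_acl_matches("B", *reply_wire)
    return {"on_wire": wire, "b_host_sees": at_b,
            "reply_on_wire": reply_wire, "a_host_gets": inbound("A", *reply_wire)}

if __name__ == "__main__":  # constructed sample hosts: .10 at site A, .20 at site B
    for hop, (s, d) in trace("192.168.168.10", "192.168.2.20").items():
        print(f"{hop:14} src={s:16} dst={d}")
```

The real 192.168.168.x addresses never appear on the wire, which is what keeps the two identical LANs from colliding inside the tunnel.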
