VPN, from nat without VPN to nat with it

Hi,

I am not a Cisco PIX guru, I just need to know if something is
possible ;-)

On a central site, I'd have a PIX 515 with VPN. On remote sites, a lot
of PIX 506 with VPN capabilities too.

Is it possible to do so.

On the central site, we'd use real IP addressing for the servers. Ie,
195.238.10.0/26 with .1 for the firewall, ,2, .3, .4 for the servers.

On the renote site, we have most of the time a Private Network
according to the RFC hide-nated to the IP of the external interface of
the firewall.

So, now, the RFC hide-nated networks get the external Ip of the PIX
506 firewall if the need to get into 195.238.10.0/26. It works ok.

Now, for security reasons, we'd need to have the nated data flow to be
VPN encrypted and auth.

What to add into the PIX 506 and PIX 515 to achieve so?

Thank you,

Allan

 

:On a central site, I'd have a PIX 515 with VPN. On remote sites, a lot
f PIX 506 with VPN capabilities too.

:Is it possible to do so.

:On the central site, we'd use real IP addressing for the servers. Ie,
:195.238.10.0/26 with .1 for the firewall, ,2, .3, .4 for the servers.

:On the renote site, we have most of the time a Private Network
:according to the RFC hide-nated to the IP of the external interface of
:the firewall.

:So, now, the RFC hide-nated networks get the external Ip of the PIX
:506 firewall if the need to get into 195.238.10.0/26. It works ok.

:Now, for security reasons, we'd need to have the nated data flow to be
:VPN encrypted and auth.

:What to add into the PIX 506 and PIX 515 to achieve so?

If the data is going through a VPN to the remote PIX, it is
always encrypted, using the transform chosen negotiated between
the two PIXes as the first one in ocmmon between the two
crypto map transform lists. IPSec does in theory allow for a null
encryption, but the PIX does not give you a way to specify null
encryption, so you cannot get the PIX to use an unencrypted tunnel
even if you wanted to.


For authentication, what you should do is enable isakmp nat-traversal
on both PIX (requires 6.3(3)) and then include an ah transform in
the transform set; you will also need to ensure that UDP 4500 is open
all the way between the two PIXes.

There is, though, a logical inconsistancy between doing NAT and
expecting to be able to do IP authentication (AH), so it is not clear
to me what you expect the AH to do for you in terms of security.
Usually, if you want authentication to be taking place, then you are
not deliberately NAT'ing the traffic, at least not at the PIX level.
nat-traversal is really for the case where something downstream
beyond the PIX is NAT'ing. If you want AH, you would normally use
nat 0 access-list to allow the internal IP addresses to be seen
by the remote side. [This does, though, require that you have
a different private IP address range for each remote site.]