PIX VPN - Firewalls



Thread: PIX VPN

  1. PIX VPN

    Hi,

    How do I, in a site-to-site VPN, hide my LAN subnet behind the WAN
    address?
    My guess is NAT, but I'm unsure how to configure it.

    The problem is that the LAN subnet is in use on the other side as well.
    The resources I need are not located on the same IP subnet.

    Thanks

    Kenneth


  2. Re: PIX VPN

    On May 8, 3:39 pm, k...@kjohansen.dk wrote:
    > Hi,
    >
    > How do I, in a site-to-site VPN, hide my LAN subnet behind the WAN
    > address?
    > My guess is NAT, but I'm unsure how to configure it.
    >
    > The problem is that the LAN subnet is in use on the other side as well.
    > The resources I need are not located on the same IP subnet.
    >
    > Thanks
    >
    > Kenneth


    I think it's masquerade; I'm not a Cisco guy....

    RedForeman


  3. Re: PIX VPN

    kjo@kjohansen.dk wrote:

    > Hi,
    >
    > How do I, in a site-to-site VPN, hide my LAN subnet behind the WAN
    > address?
    > My guess is NAT, but I'm unsure how to configure it.


    You want to avoid NAT when using IPsec.

    > The problem is that the LAN subnet is in use on the other side as well.


    Bad. You should seriously think about changing the addresses for one network.

    Wolfgang

  4. Re: PIX VPN

    In article <1178653142.328348.245030@w5g2000hsg.googlegroups.com>,
    kjo@kjohansen.dk wrote:

    >How do I, in a site-to-site VPN, hide my LAN subnet behind the WAN
    >address?
    >My guess is NAT, but I'm unsure how to configure it.


    You can use a normal nat/global pair -- in fact, you can use
    exactly the nat/global pair you probably already have in place
    for regular internet traffic.

    The key you have to remember is that crypto map match-address
    gets processed *after* NAT, so in your source address field
    for the match-address ACL, you will need to put the translated
    address. If you are using PIX 6.2 or later, that translated
    address would be the keyword 'interface' followed by the interface name.

    access-list vpn2HQ permit ip interface outside 123.45.56.0 255.255.255.0


    >The problem is that the LAN subnet is in use on the other side as well.
    >The resources I need are not located on the same IP subnet.


    You'll be okay as long as you address the public IPs corresponding
    to the remote resource.

    It -is- possible on the PIX to arrange two overlapping LAN IP ranges
    to talk to each other over VPN, provided that you can arrange
    that they refer to each other by different addresses. For example
    if the LAN on each is 192.168.1.0/24 then you could arrange
    so that packets from one LAN addressed to 192.168.2.0/24 are
    forwarded to the corresponding 192.168.1.0/24 address on the other
    LAN, and on that second LAN, packets addressed to 192.168.3.0/24
    are forwarded to the corresponding 192.168.1.0/24 address on the
    first LAN. However, you can not set it up so that you address
    everything by 192.168.1.0/24 addresses and the firewall "somehow"
    figures out which side of the VPN the target address is on.
    (Possibly that could be done with PIX 7.)
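
    The configuration Walter describes, written out as an added example (this is
    not from the original thread or from Cisco documentation). It uses PIX 6.2/6.3
    syntax. All addresses are assumed for illustration: the local LAN is
    192.168.1.0/24 on "inside", the remote IPsec peer is 203.0.113.1, the remote
    resource network is the 123.45.56.0/24 prefix used in the post above, and the
    names vpn2HQ, hqset and hqmap are placeholders.

    ```text
    ! Added example, not the thread's own config. PIX 6.2/6.3 syntax.
    ! Assumed: inside LAN 192.168.1.0/24, remote peer 203.0.113.1,
    ! remote resources 123.45.56.0/24, pre-shared-key authentication.

    ! The same nat/global pair already used for ordinary Internet access.
    ! Everything from the LAN leaves with the outside interface's address (PAT).
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 interface

    ! Crypto ACL. 'match address' is evaluated AFTER NAT, so the source is the
    ! translated address, i.e. the keyword 'interface outside', not 192.168.1.0/24.
    access-list vpn2HQ permit ip interface outside 123.45.56.0 255.255.255.0

    ! Phase 1 (ISAKMP)
    isakmp enable outside
    isakmp key <pre-shared-key> address 203.0.113.1 netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    ! Phase 2 (IPsec) bound to the outside interface
    crypto ipsec transform-set hqset esp-3des esp-sha-hmac
    crypto map hqmap 10 ipsec-isakmp
    crypto map hqmap 10 match address vpn2HQ
    crypto map hqmap 10 set peer 203.0.113.1
    crypto map hqmap 10 set transform-set hqset
    crypto map hqmap interface outside

    ! Let decrypted IPsec traffic bypass the outside interface access list
    sysopt connection permit-ipsec
    ```

    The peer's crypto ACL has to be the mirror image: its source is
    123.45.56.0/24 and its destination is a single host, your outside interface
    address (e.g. `access-list vpn2branch permit ip 123.45.56.0 255.255.255.0
    host <your-outside-ip>`). If the two ACLs are not exact mirrors, Phase 2
    fails with a proxy-identity mismatch. Two consequences of hiding the LAN
    behind one PAT address are worth knowing before you commit to it: sessions
    can only be opened from your side (the remote network cannot address an
    individual host behind the PAT without an added static translation), and
    protocols that embed addresses in their payload may break the same way they
    do through any PAT. 3DES, SHA-1 and DH group 2 are what PIX 6.x offered and
    should be treated as legacy settings.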

  5. Re: PIX VPN

    Walter Roberson wrote:

    > It -is- possible on the PIX to arrange two overlapping LAN IP ranges
    > to talk to each other over VPN, provided that you can arrange
    > that they refer to each other by different addresses.


    Well, I'd recommend to try to stick to the rule of thumb and avoid NAT
    between networks connected via VPN.

    Of course I see the point that changing the addresses of one network can be
    a bit of a problem but after a few days of pain and problems the problems
    are usually gone. With NAT and VPN other problems occur and will often last
    for quite a long time.

    Wolfgang
