[c-nsp] PIX L2L tunnel and "NAT-before-Ipsec"

Brian Feeny signal at shreve.net
Thu Nov 11 21:08:36 EST 2004


So basically you're saying both ends of the VPN are using the same network subnet for their internal networks, and you're wanting to mitigate that issue by using NAT to mask one side.  I would think this is pretty common, since most SOHO type setups are using 192.168.0.x or 192.168.1.x, etc. so clashes are bound to happen.

Brian


On Nov 11, 2004, at 4:16 PM, Nicolaj Ottsen wrote:

> Hi,
>
> I need a hint, so naturally I turn to you :)
>
> Somebody claims that it is possible to translate inside traffic to an
> outside address before sending the traffic through an IPsec tunnel. This
> is done so the other end can support tunnels from many clients with
> identical internal addresses, obviously smart at the other end, but does
> the PIX support this fancy feature ?
>
> Should I just omit the nat 0 access-list and make a specific nat entry to
> force the allowed inside hosts to translate to a separate outside
> address ?
> Do I need statics to permit traffic from the other end or will it be
> covered by "sysopt connection permit-ipsec" ?
>
> Sniff....
>
> global (outside) 3 5.5.5.5
> nat (inside) 3 10.0.0.10 255.255.255.255
>
> access-list outside_cryptomap_202 permit ip host 5.5.5.5 7.7.7.7 255.255.255.0
>
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto map outside_map 20 ipsec-isakmp
> crypto map outside_map 20 match address outside_cryptomap_202
> crypto map outside_map 20 set pfs group2
> crypto map outside_map 20 set peer 4.4.4.4
> crypto map outside_map 20 set transform-set ESP-3DES-SHA
> crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 50000
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp key ******** address 4.4.4.4 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp identity address
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash sha
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 28800
>
> Yes, I could just test it myself. But unfortunately that's not a
> possibility just now - sorry.
>
> /Nicolaj
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
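The order of operations the thread turns on (translate on the way out, then evaluate the crypto ACL against the translated source; on the way back, decrypted traffic still needs an existing xlate or a static to reach an inside host) modelled as an added Python example. It is not PIX code and not from either poster; the addresses mirror the posted config, and the assumption that the crypto map sees post-NAT addresses is stated in the comments.

```python
from ipaddress import ip_address, ip_network

# Constructed values mirroring the posted config: nat id 3 maps the inside
# host to the single global 5.5.5.5; 7.7.7.0/24 is the far-end LAN.
NAT_RULES = [(ip_network("10.0.0.10/32"), ip_address("5.5.5.5"))]
# Crypto ACL keyed on the translated source, as the post writes it...
ACL_POST_NAT = [(ip_network("5.5.5.5/32"), ip_network("7.7.7.0/24"))]
# ...versus the easy mistake of keying it on the pre-NAT inside address.
ACL_PRE_NAT = [(ip_network("10.0.0.10/32"), ip_network("7.7.7.0/24"))]


def subnets_overlap(local, remote):
    """The clash Brian describes: both ends on the same private range."""
    return ip_network(local).overlaps(ip_network(remote))


class PixModel:
    """Toy model (assumption: NAT is applied before the crypto map ACL)."""

    def __init__(self, nat_rules, crypto_acl, statics=()):
        self.nat_rules = list(nat_rules)          # dynamic nat/global pairs
        self.crypto_acl = list(crypto_acl)
        # static (inside, outside) entries: fixed, bidirectional translations
        self.statics = {ip_address(g): ip_address(i) for i, g in statics}
        self.xlates = {}                          # built by inside-initiated flows

    def outbound(self, src, dst):
        """Translate first, then ask the crypto map whether to encrypt."""
        src, dst = ip_address(src), ip_address(dst)
        wire_src = src
        for inside, global_addr in self.nat_rules:
            if src in inside:
                wire_src = global_addr
                self.xlates[global_addr] = src    # xlate lets replies come back
                break
        encrypted = any(wire_src in s and dst in d for s, d in self.crypto_acl)
        return str(wire_src), encrypted

    def inbound(self, wire_dst):
        """Decrypted packet from the peer: sysopt connection permit-ipsec skips
        the interface ACL, but the box still needs an xlate or a static to find
        the inside host; with neither, the packet has nowhere to go (None)."""
        wire_dst = ip_address(wire_dst)
        inside = self.xlates.get(wire_dst) or self.statics.get(wire_dst)
        return str(inside) if inside is not None else None
```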