With PIX you must have one legal address for the outside interface on BOTH
PIXes. That's actually enough to do what you want to do. Say that your
legal address on PIX1 is 206.112.71.5/30. Go to PIX2 startup ipsec and
input "isakmp key 'your key' address 206.112.71.5". Then input "crypto
map 'your map-name' 'your sequence number' set peer 206.112.71.5".

Say that your legal address on PIX2 is 206.112.71.6/30. Go to PIX1 startup
ipsec and input "isakmp key 'your key' address 206.112.71.6". Then input
"crypto map 'your map-name' 'your sequence number' set peer 206.112.71.6".

Now on PIX1 input "nat (inside) 1 0.0.0.0 0.0.0.0 0 0". Then input "global
(outside) 1 206.112.71.5".
Now on PIX2 input "nat (inside) 1 0.0.0.0 0.0.0.0 0 0". Then input "global
(outside) 1 206.112.71.6".

Now just complete your isakmp and crypto-map settings and you will be doing
one single VPN between peers and PAT to the Internet. That's the best you
can do on PIX with only a 30-bit legal subnet mask.

John Squeo
Technical Specialist
Papa John's Corporation
(502) 261-4035


From: "Theodore stout"
To: [EMAIL PROTECTED]
Subject: PIX with PAT and VPN [7:23490]
Sent by: nobody@groupstudy.com
Date: 10/19/01 02:23 AM
Please respond to "Theodore stout"


Hello everyone.

I am trying to implement 2 Internet connectivity solutions while at the
same time creating 2 VPN solutions between two sites. What I would like to do
is use a PIX 515 at both sites, tunnel IPSEC between the sites and still have
normal access to the Internet.

My problem is that I only have one IP address per site. In all of the
solutions provided by Cisco, I would need a pool of registered IP addresses
for NAT. PAT is not even possible.

I know that this VPN-PAT-FW1FW1-PAT-VPN solution is available with
Checkpoint. However, I would prefer a Cisco only solution.

Any suggestions?

Theodore Stout
Security Engineer
CCSE, CCNA, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=23514&t=23490
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]