I tried this and it did not work. When IPSEC negotiates a VPN session
between the two PIXs, it will PAT an internal device from Network A as
206.112.71.5 and use 206.112.71.5:500 for the negotiation. Once another
device wishes to access a device behind 206.112.71.6, it will have to use
206.112.71.5:500 as well. Cisco IPSEC will only allow one port 500 per IP.
This means the original device will be moved from port 500 to a different
port. IPSEC only uses port 500 for the negotiation and therefore the
original connection fails.

I did as you said, but I added another command, like this:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list 101

Access-list 101 is the traffic to be encrypted.  I have tried not to use PAT
with encrypted data because of the IP:Port limitation problem.  However, it
still won't work.

Any more suggestions?

[EMAIL PROTECTED] wrote:
> 
> With PIX you must have one legal address for the outside interface on BOTH
> PIXs. That's actually enough to do what you want to do. Say that your legal
> address on PIX1 is 206.112.71.5/30. Go to PIX2 startup ipsec and input
> "isakmp key 'your key' address 206.112.71.5". Then input "crypto map 'your
> map-name' 'your sequence number' set peer 206.112.71.5".
> Say that your legal address on PIX2 is 206.112.71.6/30. Go to PIX1 startup
> ipsec and input "isakmp key 'your key' address 206.112.71.6". Then input
> "crypto map 'your map-name' 'your sequence number' set peer 206.112.71.6".
> 
> Now on PIX1 input "nat (inside) 1 0.0.0.0 0.0.0.0 0 0". Then input
> "global (outside) 1 206.112.71.5".
> Now on PIX2 input "nat (inside) 1 0.0.0.0 0.0.0.0 0 0". Then input
> "global (outside) 1 206.112.71.6".
> Now just complete your isakmp and crypto-map settings and you will be doing
> one single VPN between peers and PAT to the Internet. That's the best you
> can do on PIX with only a 30 bit legal subnet mask.
> 
> John Squeo
> Technical Specialist
> Papa John's Corporation
> (502) 261-4035
> 
> 
> "Theodore stout"
> To: [EMAIL PROTECTED]
> Subject: PIX with PAT and VPN [7:23490]
> Sent by: nobody@groupstudy.com
> 10/19/01 02:23 AM
> Please respond to "Theodore stout"
> 
> Hello everyone.
> 
> I am trying to implement 2 Internet connectivity solutions while at the
> same time creating 2 VPN solutions between two sites. What I would like to
> do is use a PIX 515 at both sites, tunnel IPSEC between the sites and still
> have normal access to the Internet.
> 
> My problem is that I only have one IP address per site. In all of the
> solutions provided by Cisco, I would need a pool of registered IP addresses
> for NAT. PAT is not even possible.
> 
> I know that this VPN-PAT-FW1FW1-PAT-VPN solution is available with
> Checkpoint. However, I would prefer a Cisco only solution.
> 
> Any suggestions?
> 
> Theodore Stout
> Security Engineer
> CCSE, CCNA, MCSE
> 
> 
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=23755&t=23490
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]