I have seen this working. You have to use

nat (inside) 0 access-list 101

The IPSec and IKE negotiation is between the public IP addresses, so the question of a
port limitation does not arise. The internal IP addresses are not involved in the IPSec
negotiation.
You use the above statement to avoid the routing problem between the two LAN segments.

Just make sure the access-list is a mirror image on both peers.



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 22, 2001 1:41 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX with PAT and VPN [7:23490]


I tried this and it did not work.   When IPSEC negotiates a VPN session
between the two PIXes, it will PAT an internal device from Network A as
206.112.71.5 and use 206.112.71.5:500 for the negotiation.  Once another
device wishes to access a device behind 206.112.71.6, it will have to use
206.112.71.5:500 as well.  Cisco IPSEC will only allow one port 500 per IP.
This means the original device will be moved from port 500 to a different
port.  IPSEC only uses port 500 for the negotiation and therefore the
original connection fails.

I did as you said but I added another command like this.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list 101

Access-list 101 is the traffic to be encrypted.  I have tried not to use PAT
with encrypted data because of the IP:Port limitation problem.  However, it
still won't work.

Any more suggestions?

[EMAIL PROTECTED] wrote:
>
> With PIX you must have one legal address for the outside interface on BOTH
> PIXes.  That's actually enough to do what you want to do.  Say that your
> legal address on PIX1 is 206.112.71.5/30.  Go to PIX2, start up ipsec and
> input  "isakmp key 'your key' address 206.112.71.5".  Then input "crypto
> map 'your map-name' 'your sequence number' set peer 206.112.71.5".
> Say that your legal address on PIX2 is 206.112.71.6/30.  Go to PIX1, start up
> ipsec and input  "isakmp key 'your key' address 206.112.71.6".  Then input
> "crypto map 'your map-name' 'your sequence number' set peer 206.112.71.6".
>
> Now on PIX1 input "nat (inside) 1 0.0.0.0 0.0.0.0 0 0".  Then input
> "global (outside) 1 206.112.71.5".
> Now on PIX2 input "nat (inside) 1 0.0.0.0 0.0.0.0 0 0".  Then input
> "global (outside) 1 206.112.71.6".
> Now just complete your isakmp and crypto-map settings and you will be doing
> one single VPN between peers and PAT to the Internet.  That's the best you
> can do on PIX with only a 30 bit legal subnet mask.
>
> John Squeo
> Technical Specialist
> Papa John's Corporation
> (502) 261-4035
>
>
>
>
> From: "Theodore stout"
> Sent by: nobody@groupstudy.com
> To: [EMAIL PROTECTED]
> cc:
> Subject: PIX with PAT and VPN [7:23490]
> Date: 10/19/01 02:23 AM
> Please respond to "Theodore stout"
>
> Hello everyone.
>
> I am trying to implement 2 Internet connectivity solutions while at the
> same time creating 2 VPN solutions between two sites.  What I would like to
> do is use a PIX 515 at both sites, tunnel IPSEC between the sites and still
> have normal access to the Internet.
>
> My problem is that I only have one IP address per site.  In all of the
> solutions provided by Cisco, I would need a pool of registered IP addresses
> for NAT.  PAT is not even possible.
>
> I know that this VPN-PAT-FW1FW1-PAT-VPN solution is available with
> Checkpoint.  However, I would prefer a Cisco only solution.
>
> Any suggestions?
>
> Theodore Stout
> Security Engineer
> CCSE, CCNA, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=23927&t=23490
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html