I got the same access-lists on both sides and they have been verified by
other people.  I know this will not take me down.

If you can e-mail me the config it would be great!  I would like to see how
it works in real life.  So far 2 ISPs have failed to give me a working
config.  Everything is theoretical and promises but it doesn't work like
Checkpoint.

What I am fearing is that it is the command "global (outside) 1 interface"
that is giving me the grief.  I think that I will need another IP address
for PAT instead of using the same IP for the interface and PAT.  In your
response, you said that the negotiation is between (a) public IP address.
Yes this is true, but what if it is the same as the interface?

So far I have only seen this work with a pool of public IPs.

Hansraj Patil wrote:
> 
> I have seen this working. You have to use
> 
> nat (inside) 0 access-list 101.
> 
> The IPSec & IKE negotiation is between public IP addresses. So the
> question of port limitation does not arise. The internal IP addresses
> are not involved in IPSec negotiation. You use the above statement to
> avoid routing problems between two LAN segments.
> 
> Just make sure access-list is mirror image on both peers.
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 22, 2001 1:41 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX with PAT and VPN [7:23490]
> 
> 
> I tried this and it did not work.   When IPSEC negotiates a VPN session
> between the two PIXs, it will PAT an internal device from Network A as
> 206.112.71.5 and use 206.112.71.5:500 for the negotiation.  Once another
> device wishes to access a device behind 206.112.71.6, it will have to use
> 206.112.71.5:500 as well.  Cisco IPSEC will only allow one port 500 per IP.
> This means the original device will be moved from port 500 to a different
> port.  IPSEC only uses port 500 for the negotiation and therefore the
> original connection fails.
> 
> I did as you said but I added another command like this.
> 
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> nat (inside) 0 access-list 101
> 
> Access-list 101 is the traffic to be encrypted.  I have tried not to use
> PAT with encrypted data because of the IP:Port limitation problem.
> However, it still won't work.
> 
> Any more suggestions?
> 
> [EMAIL PROTECTED] wrote:
> >
> > With PIX you must have one legal address for the outside interface on
> > BOTH PIXs.  That's actually enough to do what you want to do.  Say that
> > your legal address on PIX1 is 206.112.71.5/30.  Go to PIX2 startup ipsec
> > and input "isakmp key 'your key' address 206.112.71.5".  Then input
> > "crypto map 'your map-name' 'your sequence number' set peer 206.112.71.5".
> > Say that your legal address on PIX2 is 206.112.71.6/30.  Go to PIX1
> > startup ipsec and input "isakmp key 'your key' address 206.112.71.6".
> > Then input "crypto map 'your map-name' 'your sequence number' set peer
> > 206.112.71.6".
> >
> > Now on PIX1 input "nat (inside) 1 0.0.0.0 0.0.0.0 0 0".  Then input
> > "global (outside) 1 206.112.71.5".
> > Now on PIX2 input "nat (inside) 1 0.0.0.0 0.0.0.0 0 0".  Then input
> > "global (outside) 1 206.112.71.6".
> > Now just complete your isakmp and crypto-map settings and you will be
> > doing one single VPN between peers and PAT to the Internet.  That's the
> > best you can do on PIX with only a 30 bit legal subnet mask.
> >
> > John Squeo
> > Technical Specialist
> > Papa John's Corporation
> > (502) 261-4035
> >
> >
> >
> >
> > From:        "Theodore stout"
> > Sent by:     nobody@groupstudy.com
> > To:          [EMAIL PROTECTED]
> > cc:
> > Subject:     PIX with PAT and VPN [7:23490]
> > Date:        10/19/01 02:23 AM
> > Please respond to "Theodore stout"
> >
> > Hello everyone.
> >
> > I am trying to implement 2 Internet connectivity solutions while at the
> > same time creating 2 VPN solutions between two sites.  What I would like
> > to do is use a PIX 515 at both sites, tunnel IPSEC between the sites and
> > still have normal access to the Internet.
> >
> > My problem is that I only have one IP address per site.  In all of the
> > solutions provided by Cisco, I would need a pool of registered IP
> > addresses for NAT.  PAT is not even possible.
> >
> > I know that this VPN-PAT-FW1FW1-PAT-VPN solution is available with
> > Checkpoint.  However, I would prefer a Cisco only solution.
> >
> > Any suggestions?
> >
> > Theodore Stout
> > Security Engineer
> > CCSE, CCNA, MCSE
> 
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=23997&t=23490
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
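The thread never shows the two configurations side by side, so here is a worked one. This is an added example written for this page, not a config posted by anyone in the thread or shipped by Cisco. It uses PIX 6.x syntax and the two public addresses the thread discusses (206.112.71.5 for PIX1, 206.112.71.6 for PIX2); the inside networks 192.168.1.0/24 and 192.168.2.0/24, the interface and map names, the transform set, and the pre-shared key placeholder are all assumptions. The point it makes concrete is the one Hansraj raises: "nat (inside) 0 access-list 101" is evaluated before "nat (inside) 1", so site-to-site traffic reaches the crypto map untranslated, while IKE itself is sourced from the PIX outside address and is not one of the PATed inside hosts.

```cisco
: Added example for this thread, not from any message in it. PIX 6.x syntax.
: Public addresses come from the thread; inside networks, names and the
: pre-shared key are assumed. The default route to the ISP is omitted.
:
: ---- PIX1 (site A, outside 206.112.71.5) ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 206.112.71.5 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0

: Traffic that must NOT be translated: site A LAN to site B LAN.
: Keep this access-list a mirror image of the one on PIX2.
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

: nat 0 is matched before nat 1, so the VPN traffic in access-list 101
: reaches the crypto map with its real inside addresses ...
nat (inside) 0 access-list 101
: ... and everything else is PATed to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

: Let decrypted IPsec traffic bypass the interface ACLs / conduits.
sysopt connection permit-ipsec

: Phase 2: the crypto map selects exactly the traffic exempted from NAT.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 101
crypto map vpnmap 10 set peer 206.112.71.6
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

: Phase 1: IKE (UDP 500) runs from the outside interface address itself,
: so the "one port 500 per IP" worry about PATed inside hosts does not apply.
isakmp enable outside
isakmp key REPLACE-WITH-SHARED-SECRET address 206.112.71.6 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: ---- PIX2 (site B, outside 206.112.71.6): mirror image of PIX1 ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 206.112.71.6 255.255.255.252
ip address inside 192.168.2.1 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 101
crypto map vpnmap 10 set peer 206.112.71.5
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
isakmp enable outside
isakmp key REPLACE-WITH-SHARED-SECRET address 206.112.71.5 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two checks worth doing once this is loaded: "show xlate" after pinging from one LAN to the other should show no translation for the 192.168.x.x pair (the nat 0 exemption is working), and "show crypto isakmp sa" should list the peer's public address, confirming that IKE was negotiated between the two outside interface addresses rather than from a PATed inside host.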
