PAT can now use the same address as the outside interface with the
'interface' keyword:

e.g., global (outside) 1 interface

----- Original Message -----
From: "Patrick Ramsey" 
To: 
Sent: Wednesday, October 24, 2001 7:34 AM
Subject: RE: PIX with PAT and VPN [7:23490]


> You definitely want to use a different IP address for PAT than what you
> have set on the interface.  I'm surprised PAT is even working, unless Cisco
> has made some changes to their code recently.
>
> -Patrick
>
> >>> "Theodore stout"  10/24/01 02:02AM >>>
> I got the same access-lists on both sides and they have been verified by
> other people.  I know this will not take me down.
>
> If you can e-mail me the config it would be great!  I would like to see
> how it works in real life.  So far 2 ISPs have failed to give me a working
> config.  Everything is theoretical and promises but it doesn't work like
> Checkpoint.
>
> What I am fearing is that it is the command "global (outside) 1
> interface" that is giving me the grief.  I think that I will need another
> IP address for PAT instead of using the same IP for the interface and PAT.
> In your response, you said that the negotiation is between (a) public IP
> address.  Yes this is true, but what if it is the same as the interface?
>
> So far I have only seen this work with a pool of public IPs.
>
> Hansraj Patil wrote:
> >
> > I have seen this working. You have to use
> >
> > nat (inside) 0 access-list 101.
> >
> > The IPsec & IKE negotiation is between public IP addresses, so the
> > question of port limitation does not arise.  The internal IP addresses
> > are not involved in IPsec negotiation.
> > You use the above statement to avoid routing problems between two LAN
> > segments.
> >
> > Just make sure access-list is mirror image on both peers.
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, October 22, 2001 1:41 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: PIX with PAT and VPN [7:23490]
> >
> >
> > I tried this and it did not work.  When IPsec negotiates a VPN session
> > between the two PIXs, it will PAT an internal device from Network A as
> > 206.112.71.5 and use 206.112.71.5:500 for the negotiation.  Once another
> > device wishes to access a device behind 206.112.71.6, it will have to use
> > 206.112.71.5:500 as well.  Cisco IPsec will only allow one port 500 per IP.
> > This means the original device will be moved from port 500 to a different
> > port.  IPsec only uses port 500 for the negotiation and therefore the
> > original connection fails.
> >
> > I did as you said but I added another command like this.
> >
> > global (outside) 1 interface
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > nat (inside) 0 access-list 101
> >
> > Access-list 101 is the traffic to be encrypted.  I have tried not to use
> > PAT with encrypted data because of the IP:port limitation problem.
> > However, it still won't work.
> >
> > Any more suggestions?
> >
> > [EMAIL PROTECTED] wrote:
> > >
> > > With PIX you must have one legal address for the outside interface on
> > > BOTH PIXs.  That's actually enough to do what you want to do.  Say that
> > > your legal address on PIX1 is 206.112.71.5/30.  Go to PIX2, start up
> > > IPsec and input "isakmp key 'your key' address 206.112.71.5".  Then
> > > input "crypto map 'your map-name' 'your sequence number' set peer
> > > 206.112.71.5".
> > > Say that your legal address on PIX2 is 206.112.71.6/30.  Go to PIX1,
> > > start up IPsec and input "isakmp key 'your key' address 206.112.71.6".
> > > Then input "crypto map 'your map-name' 'your sequence number' set peer
> > > 206.112.71.6".
> > >
> > > Now on PIX1 input "nat (inside) 1 0.0.0.0 0.0.0.0 0 0".  Then input
> > > "global (outside) 1 206.112.71.5".
> > > Now on PIX2 input "nat (inside) 1 0.0.0.0 0.0.0.0 0 0".  Then input
> > > "global (outside) 1 206.112.71.6".
> > > Now just complete your isakmp and crypto-map settings and you will be
> > > doing one single VPN between peers and PAT to the Internet.  That's the
> > > best you can do on PIX with only a 30-bit legal subnet mask.
> > >
> > > John Squeo
> > > Technical Specialist
> > > Papa John's Corporation
> > > (502) 261-4035
> > >
> > >
> > >
> > >
> > > "Theodore
> > >                     stout"               To:
> > > [EMAIL PROTECTED]
> > >                      cc:
> > >                     tudy.com>            Subject:     PIX with
> > > PAT and VPN [7:23490]
> > >                     Sent
> > > by:
> > >
> > > nobody@groupst
> > >
> > > udy.com
> > >
> > >
> > >                     10/19/01
> > > 02:23
> > >
> > > AM
> > >                     Please
> > > respond
> > >                     to
> > > "Theodore
> > >
> > > stout"
> > >
> > >
> > >
> > >
> > >
> > >
> > > Hello everyone.
> > >
> > > I am trying to implement 2 Internet connectivity solutions while at the
> > > same time creating 2 VPN solutions between two sites.  What I would
> > > like to do is use a PIX 515 at both sites, tunnel IPsec between the
> > > sites and still have normal access to the Internet.
> > >
> > > My problem is that I only have one IP address per site.  In all of the
> > > solutions provided by Cisco, I would need a pool of registered IP
> > > addresses for NAT.  PAT is not even possible.
> > >
> > > I know that this VPN-PAT-FW1FW1-PAT-VPN solution is available with
> > > Checkpoint.  However, I would prefer a Cisco only solution.
> > >
> > > Any suggestions?
> > >
> > > Theodore Stout
> > > Security Engineer
> > > CCSE, CCNA, MCSE
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24023&t=23490
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]