You're right. When I sent this email, the user didn't spell out clearly that both sides use 10.x.x.x/8. If that is the case, then both sides have to NAT to something else in order for this to work properly.

The point I am trying to make is that NAT on CP is much easier than it is on PIX.

no-need to-list <[EMAIL PROTECTED]> wrote:
I respectfully disagree.
If the Cisco PIX side has to reach a host inside the Checkpoint side, it has to translate, immaterial of whether the Cisco side wants to or not, or whether he is unwilling or scared.

This is basic networks 101: duplicate IP addresses or networks cannot co-exist in the same connected environment; whether it is a VPN, wired or wireless network is not the issue here.

Use any range within the IANA private ranges for translation, 172.16.x.x through 172.31.x.x or 192.168.x.x, if both sides are using 10.x.x.x internally.



----- Original Message ----
From: cisco4ng 
To: [email protected]
Sent: Sunday, April 15, 2007 10:47:24 AM
Subject: Re: [FW-1] VPN between R55 and Cisco PIX


Hi Sascha,

You can either do it on your end or he can do it on his end. The result will be
the same. However, having worked with both platforms, Cisco PIX and Checkpoint,
I will say that it is much easier to NAT on Checkpoint than it is on Cisco PIX.

I speculate that he does not want to NAT on his end and he wants you to NAT
on your side because he is afraid of taking down his network unnecessarily with
Cisco PIX policy NAT. If I were him, I would try to do the same thing as well.
When it comes to VPN, Cisco PIX configuration is the worst, especially with NAT
inside the tunnel.

In this case, you just have to NAT your stuff to something that he can use.

Good luck

Sascha Picchiantano wrote: On 13.04.2007, at 13:27, cisco4ng wrote:

> Well, yes and no. Let's say that you use 10.0.0.0/8 and your partner also uses
> 10.0.0.0/8, then you have no choice but to NAT on both sides, such that you
> NAT your side to 129.0.0.0/8 and the other side NATs to 130.0.0.0/8 in order
> for this to work.

Ok, thanks, but let's say we do not want to access his 10.0.0.0 network but a
192.168.x.x network. He says he is using 10.0.0.0 on another VPN already and
that's the reason he asks us to NAT. In this scenario, would it be enough if
he'd NAT our 10.0.0.0 to something that he can deal with? Since we do not need
to talk to his side's 10.0.0.0 but to another network on his end, we don't need
him to translate his end...

So the question basically is: is it technically possible on a Cisco PIX to
apply NAT to the source IPs of incoming VPN traffic, without "letting the peer
site know about it"? Or would this mess up IKE handshaking stuff (as far as I
know the networks to be used in a VPN are exchanged in some sort of quick mode
or whatever)?

Thanks
Sascha

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================



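As an added example (not code from the thread, from Check Point or from Cisco), the following Python model shows the mechanism behind the NAT that cisco4ng and no-need to-list describe, and why it bears on Sascha's last question: the Phase 2 proxy IDs exchanged in IKEv1 quick mode are just (source network, destination network) pairs, each peer accepts the other's pair only if it mirrors its own, and any NAT has to be applied before encryption so that the pair describes the translated range. All addresses, the 10.1.0.0/16 -> 172.16.0.0/16 mapping (an RFC 1918 range, as the reply above recommends) and all function names are assumptions for illustration.

```python
"""Model of IPsec Phase 2 traffic selectors (proxy IDs) when one side NATs
inside the tunnel.  Constructed example; every address here is hypothetical."""
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

Selector = Tuple[IPv4Network, IPv4Network]  # (source network, destination network)


def overlapping(nets_a: List[IPv4Network], nets_b: List[IPv4Network]):
    """Return every (a, b) pair whose address space collides."""
    return [(a, b) for a in nets_a for b in nets_b if a.overlaps(b)]


def translate(nets: List[IPv4Network], nat: Dict[IPv4Network, IPv4Network]):
    """Apply 1:1 static NAT to each network before it enters the tunnel.
    Networks without a mapping keep their real addresses."""
    out = []
    for n in nets:
        if n in nat:
            t = nat[n]
            if t.prefixlen != n.prefixlen:
                raise ValueError(f"static NAT {n} -> {t} must keep the prefix length")
            out.append(t)
        else:
            out.append(n)
    return out


def encryption_domain(local_nets, remote_nets, local_nat=None) -> List[Selector]:
    """Selectors a peer proposes in quick mode: its own post-NAT networks as
    source, the peer's networks (as it believes them to be) as destination."""
    src = translate(local_nets, local_nat or {})
    return sorted((s, d) for s in src for d in remote_nets)


def mirror(selectors: List[Selector]) -> List[Selector]:
    return sorted((d, s) for s, d in selectors)


def negotiate(cp_selectors: List[Selector], pix_selectors: List[Selector]):
    """Quick mode succeeds for a selector only if the responder holds its mirror
    image; anything else is rejected as a proxy-ID mismatch."""
    want = mirror(cp_selectors)
    agreed = [s for s in pix_selectors if s in want]
    rejected = [s for s in pix_selectors if s not in want]
    return agreed, rejected


def thread_scenario():
    """The case argued in the thread: both ends use 10/8, the Checkpoint side
    hides its hosts behind 172.16.0.0/16 before encryption, and the PIX's
    crypto policy either mirrors that translated range or does not."""
    cp_real = [ip_network("10.1.0.0/16")]          # assumed: Sascha's real hosts
    cp_nat = {ip_network("10.1.0.0/16"): ip_network("172.16.0.0/16")}  # assumed mapping
    pix_target = [ip_network("192.168.1.0/24")]    # assumed: the network Sascha wants
    pix_other_vpn = [ip_network("10.0.0.0/8")]     # 10/8 already used over another VPN

    pix_all = pix_target + pix_other_vpn
    collisions_before = overlapping(cp_real, pix_all)
    collisions_after = overlapping(translate(cp_real, cp_nat), pix_all)

    cp_side = encryption_domain(cp_real, pix_target, cp_nat)
    # PIX policy written against the translated range: the peer "knows" about the NAT.
    pix_aware = encryption_domain(pix_target, translate(cp_real, cp_nat))
    # PIX policy written against the real range, i.e. without letting the peer know.
    pix_unaware = encryption_domain(pix_target, cp_real)

    return {
        "collisions_before_nat": collisions_before,
        "collisions_after_nat": collisions_after,
        "cp_selectors": cp_side,
        "aware": negotiate(cp_side, pix_aware),
        "unaware": negotiate(cp_side, pix_unaware),
    }


if __name__ == "__main__":
    result = thread_scenario()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running the script shows that the real 10.1.0.0/16 collides with the 10/8 the PIX already reaches over its other tunnel, that the collision disappears once the Checkpoint side presents 172.16.0.0/16, and that the PIX's proposal is accepted only when its destination is that translated range; a PIX policy still naming 10.1.0.0/16 is rejected, which is the proxy-ID mismatch (INVALID-ID-INFORMATION in IKEv1 terms) behind the "mess up IKE" concern. Real hide NAT on a firewall maps many hosts to a smaller pool rather than a same-size block, so the 1:1 check in `translate` is the simplest case, not the only one.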