RE: PIX with PAT and VPN [7:23490]
Thanks Hansraj! I looked at your config. There is only one command that I do not have: isakmp identity outside. I am downgrading my IOS to 5.2(5) and 5.2(3) to see if it works. I have had problems with the VPN concentrator 6.x IOS with partner and client tunneling and did the same thing: downgraded to 5.2.21 and got things to work. I am confident that this will cause it to work.

I additionally got the PAT-VPN and Internet access to work on one side, with an IOS Firewall router VPN and PIX 6.01 VPN PAT. I got 3 devices to encrypt and use the Internet at the same time from the PIX side. I think that to get it working I will need the 5.2 and above IOS.

I looked at http://www.cisco.com/warp/public/110/pixhubspoke.html, of course. What I found is that there are no global commands for the PIXs there, so it really didn't help me. However, Internet access was available in those configs, and they used the isakmp identity outside command, as did your config.

If this works and you are ever in Japan I will get you a beer! To everyone else, remember that I have always used the nat 0 and global interface commands.

Peace,
Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24203&t=23490
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX with PAT and VPN [7:23490]
IPSec does not work with PAT on a PIX. You can with NAT, though. http://www.cisco.com/warp/public/707/ipsecnat.html

Allen

----- Original Message -----
From: Theodore stout
Sent: Wednesday, October 24, 2001 1:02 AM
Subject: RE: PIX with PAT and VPN [7:23490]
RE: PIX with PAT and VPN [7:23490]
You definitely want to use a different IP address for PAT than what you have set on the interface. I'm surprised PAT is even working, unless Cisco has made some changes to their code recently.

-Patrick

Theodore stout, 10/24/01 02:02AM, wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24016&t=23490
Re: PIX with PAT and VPN [7:23490]
PAT can now use the same address as the outside interface with the 'interface' keyword, e.g.:

global (outside) 1 interface

----- Original Message -----
From: Patrick Ramsey
Sent: Wednesday, October 24, 2001 7:34 AM
Subject: RE: PIX with PAT and VPN [7:23490]
Re: PIX with PAT and VPN [7:23490]
Started with PIX version 5.2.

Don Claybrook wrote: PAT can now use the same address as the outside interface with the 'interface' keyword, e.g., global (outside) 1 interface

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24027&t=23490
RE: PIX with PAT and VPN [7:23490]
I know sometimes global (outside) 1 interface does not work. Make sure you have the correct PIX IOS version, or just upgrade to a different PIX software version; 5.2(5) should be a good choice. Here is the edited version of a working config.

access-list 100 permit ip 10.5.1.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list 110 permit ip 10.5.1.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list acl_out permit icmp any any
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 128.32.5.98 255.255.255.0
ip address inside 10.5.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.5.1.0 255.255.255.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 128.32.5.97 1
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set standard esp-des esp-md5-hmac
crypto map peer_map 10 ipsec-isakmp
crypto map peer_map 10 match address 110
crypto map peer_map 10 set peer 128.32.19.194
crypto map peer_map 10 set transform-set standard
crypto map peer_map interface outside
isakmp enable outside
isakmp key 123456 address 128.32.19.194 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600

(The line crypto map peer_map interface outside, which binds the crypto map to the outside interface, was not in the excerpt as posted and is added here so the configuration is complete; without it no traffic is encrypted. Access-list 100 selects the traffic exempted from NAT and access-list 110 selects the traffic to encrypt; they are intentionally identical.)

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Tuesday, October 23, 2001 11:02 PM
Subject: RE: PIX with PAT and VPN [7:23490]
RE: PIX with PAT and VPN [7:23490]
I have seen this working. You have to use nat (inside) 0 access-list 101. The IPSec IKE negotiation is between the public IP addresses, so the question of port limitation does not arise; the internal IP addresses are not involved in the IPSec negotiation. You use the above statement to avoid a routing problem between the two LAN segments. Just make sure the access-list is a mirror image on both peers.

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Monday, October 22, 2001 1:41 AM
Subject: Re: PIX with PAT and VPN [7:23490]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23927&t=23490
RE: PIX with PAT and VPN [7:23490]
I got the same access-lists on both sides and they have been verified by other people. I know this will not take me down. If you can e-mail me the config it would be great! I would like to see how it works in real life. So far 2 ISPs have failed to give me a working config. Everything is theoretical and promises, but it doesn't work like Checkpoint.

What I am fearing is that it is the command global (outside) 1 interface that is giving me the grief. I think that I will need another IP address for PAT instead of using the same IP for the interface and PAT. In your response, you said that the negotiation is between public IP addresses. Yes, this is true, but what if it is the same as the interface? So far I have only seen this work with a pool of public IPs.

Hansraj Patil wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23997&t=23490
Re: PIX with PAT and VPN [7:23490]
I tried this and it did not work. When IPSEC negotiates a VPN session between the two PIXs, it will PAT an internal device from Network A as 206.112.71.5 and use 206.112.71.5:500 for the negotiation. Once another device wishes to access a device behind 206.112.71.6, it will have to use 206.112.71.5:500 as well. Cisco IPSEC will only allow one port 500 per IP. This means the original device will be moved from port 500 to a different port. IPSEC only uses port 500 for the negotiation, and therefore the original connection fails.

I did as you said, but I added another command, like this:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list 101

Access-list 101 is the traffic to be encrypted. I have tried not to use PAT with encrypted data because of the IP:port limitation problem. However, it still won't work. Any more suggestions?

[EMAIL PROTECTED] wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23755&t=23490
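An added illustration, not code from any poster on this thread and not PIX software: a small Python model of the nat 0 / PAT split that Hansraj's posted config relies on, together with his "mirror image" check for the crypto access-lists, using the addresses from that config (10.5.1.0/24 behind 128.32.5.98, 10.5.0.0/24 behind peer 128.32.19.194). The class and function names (PixNat, parse_acl, is_mirror) and the Internet destination 198.51.100.10 are constructed for the example, and PAT port allocation is simplified to one outside port per inside address/port pair. The model shows tunnel-bound traffic leaving untranslated, Internet traffic being PAT'd to the interface address, and the IKE exchange originating from the firewall's own outside address on UDP 500, independent of the PAT table.

```python
"""Toy model of the PIX nat-0 / PAT decision discussed in this thread.

Constructed illustration, not PIX code and not a PIX emulator. Addresses
are the ones from the posted config: inside 10.5.1.0/24, remote LAN
10.5.0.0/24, outside 128.32.5.98, peer 128.32.19.194.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_acl(*lines):
    """Parse PIX 'access-list NAME permit ip SRC SMASK DST DMASK' lines."""
    entries = []
    for line in lines:
        f = line.split()
        if f[:1] != ["access-list"] or f[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        entries.append(AclEntry(ipaddress.IPv4Network(f"{f[4]}/{f[5]}"),
                                ipaddress.IPv4Network(f"{f[6]}/{f[7]}")))
    return entries


def acl_matches(entries, src_ip, dst_ip):
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in e.src and d in e.dst for e in entries)


def mirror(entries):
    """The ACL the far-end peer must carry: source and destination swapped."""
    return [AclEntry(e.dst, e.src) for e in entries]


def is_mirror(local, remote):
    """Hansraj's check: the peer's crypto ACL is the exact mirror of ours."""
    return set(mirror(local)) == set(remote)


class PixNat:
    """nat (inside) 0 access-list X + nat (inside) 1 ... / global (outside) 1 interface.

    Hypothetical class built for this example; PAT allocation is simplified.
    """

    def __init__(self, outside_ip, nat0_acl, first_pat_port=1024):
        self.outside_ip = outside_ip
        self.nat0_acl = nat0_acl
        self.pat_table = {}          # (inside_ip, inside_port) -> PAT port
        self.next_port = first_pat_port

    def translate(self, src_ip, src_port, dst_ip):
        """Source address/port an inside-originated packet carries on the wire."""
        if acl_matches(self.nat0_acl, src_ip, dst_ip):
            # nat 0: identity translation. The same ACL is the crypto match,
            # so this packet enters the tunnel with its private address intact.
            return ("ipsec", src_ip, src_port)
        key = (src_ip, src_port)
        if key not in self.pat_table:
            self.pat_table[key] = self.next_port
            self.next_port += 1
        return ("pat", self.outside_ip, self.pat_table[key])

    def ike_source(self):
        """IKE is originated by the PIX itself from its outside address, so it
        does not compete with inside hosts for a PAT'd port 500."""
        return (self.outside_ip, 500)


if __name__ == "__main__":
    acl110 = parse_acl("access-list 110 permit ip 10.5.1.0 255.255.255.0 "
                       "10.5.0.0 255.255.255.0")
    pix = PixNat("128.32.5.98", acl110)
    print(pix.translate("10.5.1.20", 40000, "10.5.0.7"))       # tunnel, untranslated
    print(pix.translate("10.5.1.20", 40000, "198.51.100.10"))  # PAT to interface
    print(pix.ike_source())                                    # firewall's own IKE
    remote = parse_acl("access-list 110 permit ip 10.5.0.0 255.255.255.0 "
                       "10.5.1.0 255.255.255.0")
    print("peer ACL mirrors ours:", is_mirror(acl110, remote))
```

Run it as a script to see the three cases side by side; feed is_mirror both peers' crypto ACL lines to confirm they are exact mirrors before troubleshooting anything else.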
PIX with PAT and VPN [7:23490]
Hello everyone. I am trying to implement 2 Internet connectivity solutions while at the same time creating 2 VPN solutions between two sites. What I would like to do is use a PIX 515 at both sites, tunnel IPSEC between the sites and still have normal access to the Internet. My problem is that I only have one IP address per site. In all of the solutions provided by Cisco, I would need a pool of registered IP addresses for NAT; PAT is not even possible. I know that this VPN-PAT-FW1 <-> FW1-PAT-VPN solution is available with Checkpoint. However, I would prefer a Cisco-only solution. Any suggestions?

Theodore Stout
Security Engineer
CCSE, CCNA, MCSE

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23490&t=23490
Re: PIX with PAT and VPN [7:23490]
With PIX you must have one legal address for the outside interface on BOTH PIXs. That's actually enough to do what you want to do.

Say that your legal address on PIX1 is 206.112.71.5/30. Go to PIX2, start up ipsec and input:

isakmp key 'your key' address 206.112.71.5
crypto map 'your map-name' 'your sequence number' set peer 206.112.71.5

Say that your legal address on PIX2 is 206.112.71.6/30. Go to PIX1, start up ipsec and input:

isakmp key 'your key' address 206.112.71.6
crypto map 'your map-name' 'your sequence number' set peer 206.112.71.6

Now on PIX1 input:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 206.112.71.5

Now on PIX2 input:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 206.112.71.6

Now just complete your isakmp and crypto-map settings and you will be doing one single VPN between peers and PAT to the Internet. That's the best you can do on PIX with only a 30-bit legal subnet mask.

John Squeo
Technical Specialist
Papa John's Corporation
(502) 261-4035

Theodore stout, 10/19/01 02:23 AM, Subject: PIX with PAT and VPN [7:23490], wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23514&t=23490