Hi Sascha,
Here is an example for PIX part:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml
Topology:
---------
(192.168.4.0/24)PIX <--Internet--> VPN concentrator*(192.168.4.0/24)
*Instead of the Checkpoint it is a VPN concentrator at the other side, but that
does not matter here.
Come back with the result, if possible.
Cheers,
Akos
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of cisco4ng
Sent: 15 April 2007 18:00
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Another VPN and NAT question
Hi Sascha,
I think it is better if I can illustrate with an example:
FWa has an internal network of 192.168.1.0/24. FWa is a CP firewall. FWb has an
internal network of 192.168.2.0/24. FWb is a CP firewall. FWc has an internal
network of 192.168.2.0/24. FWc is a Pix firewall.
You have a site-to-site VPN between FWa and FWb. No problem so far. Now you are
trying to establish a site-to-site VPN between FWa and FWc. Problem indeed.
Solution:
NAT the internal network of FWa from 192.168.1.0/24 to 10.1.1.0/24. In other
words, in the encryption domain of FWa, you will have two networks:
192.168.1.0/24 and 10.1.1.0/24. When you define an Inter-Operable Device for
the Cisco Pix, you will have to include network 10.1.2.0/24 in the remote
encryption domain.
In the address translation tab, do this:
source            dest              translated source   translated destination
192.168.1.0/24    10.1.2.0/24       10.1.1.0/24         original
10.1.2.0/24       10.1.1.0/24       original            192.168.1.0/24
On the Cisco Pix side, the reverse is true. It is called policy nat on the
pix side.
In summary, from FWA, when you want to communicate with network behind the
Cisco Pix, you will NAT the source to 10.1.1.0/24 and the destination will be
10.1.2.0/24. On the Pix side, the source will be 10.1.2.0/24 and destination
will be 10.1.1.0/24. NO ip address of 192.168.x.0/24 will exist anywhere
inside the VPN tunnel.
Hope that makes sense to you.
cisco4ng
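The NAT scheme cisco4ng describes, modelled as an added example (not code from any poster or vendor) so the claim that no 192.168.x.0/24 address ever appears inside the tunnel can be checked hop by hop. The rule tables for FWa and the PIX, the host addresses and the selector check are constructed for this example; real Check Point and PIX behaviour is only approximated.

```python
from ipaddress import ip_address, ip_network

# Constructed NAT rule tables following cisco4ng's sketch: (source, destination,
# translated source, translated destination); None keeps the original address.
FWA_NAT = [  # Check Point side (FWa): hides 192.168.1.0/24 behind 10.1.1.0/24
    ("192.168.1.0/24", "10.1.2.0/24", "10.1.1.0/24", None),
    ("10.1.2.0/24", "10.1.1.0/24", None, "192.168.1.0/24"),
]
FWC_NAT = [  # PIX side (FWc), the reverse: policy NAT of 192.168.2.0/24 to 10.1.2.0/24
    ("192.168.2.0/24", "10.1.1.0/24", "10.1.2.0/24", None),
    ("10.1.1.0/24", "10.1.2.0/24", None, "192.168.2.0/24"),
]
ENC_DOMAINS = ("10.1.1.0/24", "10.1.2.0/24")  # what both peers put in their encryption domains

def remap(addr, from_net, to_net):
    """Static 1:1 network NAT: keep the host bits, swap the network prefix."""
    offset = int(addr) - int(ip_network(from_net).network_address)
    return ip_address(int(ip_network(to_net).network_address) + offset)

def translate(rules, src, dst):
    """First matching rule wins (rulebase order); no match means no translation."""
    src, dst = ip_address(src), ip_address(dst)
    for rsrc, rdst, tsrc, tdst in rules:
        if src in ip_network(rsrc) and dst in ip_network(rdst):
            return (str(remap(src, rsrc, tsrc)) if tsrc else str(src),
                    str(remap(dst, rdst, tdst)) if tdst else str(dst))
    return str(src), str(dst)

def forward_path(client, server_alias):
    """Client behind FWa talks to the server's 10.1.2.x alias; returns the packet
    as it appears inside the tunnel and as the server behind the PIX receives it."""
    in_tunnel = translate(FWA_NAT, client, server_alias)
    return in_tunnel, translate(FWC_NAT, *in_tunnel)

def return_path(server, client_alias):
    """Reply from the real server; returns the tunnel view and what the client sees."""
    in_tunnel = translate(FWC_NAT, server, client_alias)
    return in_tunnel, translate(FWA_NAT, *in_tunnel)

def matches_encryption_domain(src, dst):
    """A peer only accepts tunnel traffic matching the negotiated domains; a mismatch
    is what surfaces as the 'no valid SA' log entry Sascha asked about."""
    a, b = (ip_network(n) for n in ENC_DOMAINS)
    src, dst = ip_address(src), ip_address(dst)
    return (src in a and dst in b) or (src in b and dst in a)

if __name__ == "__main__":
    wire, at_server = forward_path("192.168.1.10", "10.1.2.20")
    print("tunnel:", wire, "server sees:", at_server, "SA ok:", matches_encryption_domain(*wire))
```

Traffic to the real 192.168.2.0/24 addresses matches no rule and is left alone, which is why the existing FWa-to-FWb VPN keeps working alongside the NATed one.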
Sascha Picchiantano <sascha AT PICCHIANTANO DOT DE> wrote: Hi,
closely related to the other question I asked a couple of days ago, I was just
thinking about how to configure a site-to-site VPN if the remote peer uses IP
addresses that I already use in another VPN. I guess I could just NAT his
address range to whatever I like and I can work with, but what I can't figure
out is what I would put into the encryption domain of the remote end's gateway
object. His original addresses or the NAT addresses I defined?
I figure that if I use the original addresses, it might not work because I
already have these addresses in another encryption domain and VPN-1 could not
decide which VPN to use...? But if I use the NAT addresses, wouldn't I see tons
of "no valid SA" entries in my log because within the VPN tunnel the IP
addresses are different than those in the enc domain...?
Confusing. Hope my thoughts make sense to you and you can give me some
enlightenment :)
Cheers
Sascha
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to LISTSERV AT
amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================