PIX VPN

PIX VPN

on 08.05.2007 21:39:02 by kjo

Hi,

How do I in a site 2 site VPN hide my LAN subnet behind the WAN
address?
My guess is NAT, but I'm unsure how to configure it.

The problem is that the LAN subnet is on the other side as well..
The resources I need are not located on the same IP subnet.

Thanks

Kenneth

Re: PIX VPN

on 08.05.2007 22:55:34 by RedForeman

On May 8, 3:39 pm, k...@kjohansen.dk wrote:
> Hi,
>
> How do I in a site 2 site VPN hide my LAN subnet behind the WAN
> address?
> My guess is NAT, but I'm unsure how to configure it.
>
> The problem is that the LAN subnet is on the other side as well..
> The resources I need are not located on the same IP subnet.
>
> Thanks
>
> Kenneth

I think it's masquerade, I'm not a cisco guy....

RedForeman

Re: PIX VPN

on 08.05.2007 23:55:33 by Wolfgang Kueter

kjo@kjohansen.dk wrote:

> Hi,
>
> How do I in a site 2 site VPN hide my LAN subnet behind the WAN
> address?
> My guess is NAT, but I'm unsure how to configure it.

You want to avoid NAT when using IPsec.

> The problem is that the LAN subnet is on the other side as well..

Bad. You should seriously think about changing the addresses for one network.

Wolfgang

Re: PIX VPN

on 09.05.2007 06:47:24 by roberson

In article <1178653142.328348.245030@w5g2000hsg.googlegroups.com>,
wrote:

>How do I in a site 2 site VPN hide my LAN subnet behind the WAN
>address?
>My guess is NAT, but I'm unsure how to configure it.

You can use a normal nat/global pair -- in fact, you can use
exactly the nat/global pair you probably already have in place
for regular internet traffic.

The key you have to remember is that crypto map match-address
gets processed *after* NAT, so in your source address field
for the match-address ACL, you will need to put the translated
address. If you are using PIX 6.2 or later, that translated
address would be the keyword 'interface' followed by the interface name.

access-list vpn2HQ permit ip interface outside 123.45.56.0 255.255.255.0


>The problem is that the LAN subnet is on the other side as well..
>The resources I need are not located on the same IP subnet.

You'll be okay as long as you address the public IPs corresponding
to the remote resource.

It -is- possible on the PIX to arrange two overlapping LAN IP ranges
to talk to each other over VPN, provided that you can arrange
that they refer to each other by different addresses. For example
if the LAN on each is 192.168.1.0/24 then you could arrange
so that packets from one LAN addressed to 192.168.2.0/24 are
forwarded to the corresponding 192.168.1.0/24 address on the other
LAN, and on that second LAN, packets addressed to 192.168.3.0/24
are forwarded to the corresponding 192.168.1.0/24 address on the
first LAN. However, you can not set it up so that you address
everything by 192.168.1.0/24 addresses and the firewall "somehow"
figures out which side of the VPN the target address is on.
(Possibly that could be done with PIX 7.)
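The two points in the post above (the crypto map match-address ACL is evaluated after NAT, so it must name the translated source; and overlapping LANs can only talk if each side addresses the other through a distinct alias range) can be checked with a small model of the PIX outbound path. The following is an added example, not code from the thread or from Cisco: it models translate-then-match in Python with constructed addresses (203.0.113.1 and 198.51.100.1 as the two outside interfaces, 123.45.56.0/24 as the remote network from the post, 192.168.2.0/24 and 192.168.3.0/24 as the alias ranges from the post). The `Pix` class and its methods are hypothetical names invented for the model.

```python
"""Model of the PIX outbound order of operations for site-to-site IPsec.

Added example, not from the original thread. It models two behaviours the post
describes: (1) outbound packets are NAT-translated before the crypto map's
match-address ACL is consulted, and (2) two overlapping LANs can reach each
other only through per-site alias ranges. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Pix:
    outside_ip: str   # WAN address used by the dynamic nat/global pair ("interface")
    inside_net: str   # LAN subnet covered by that nat/global pair
    statics: dict     # constructed policy statics: local net -> global (alias) net
    crypto_acl: list  # (src_net, dst_net) pairs; src_net "interface" means outside_ip

    def translate(self, pkt):
        """Outbound NAT: a matching static wins over the dynamic hide-NAT."""
        src = ip_address(pkt.src)
        for local_net, global_net in self.statics.items():
            lnet, gnet = ip_network(local_net), ip_network(global_net)
            if src in lnet:
                offset = int(src) - int(lnet.network_address)
                return Packet(str(gnet.network_address + offset), pkt.dst)
        if src in ip_network(self.inside_net):
            return Packet(self.outside_ip, pkt.dst)
        return pkt

    def untranslate(self, pkt):
        """Inbound side of a static: map an alias destination back to the LAN host."""
        dst = ip_address(pkt.dst)
        for local_net, global_net in self.statics.items():
            lnet, gnet = ip_network(local_net), ip_network(global_net)
            if dst in gnet:
                offset = int(dst) - int(gnet.network_address)
                return Packet(pkt.src, str(lnet.network_address + offset))
        return pkt

    def crypto_match(self, pkt):
        """match-address ACL, evaluated against the already translated packet."""
        for src_net, dst_net in self.crypto_acl:
            if src_net == "interface":
                src_ok = pkt.src == self.outside_ip
            else:
                src_ok = ip_address(pkt.src) in ip_network(src_net)
            if src_ok and ip_address(pkt.dst) in ip_network(dst_net):
                return True
        return False

    def forward(self, pkt):
        """Return (verdict, packet as it leaves): 'local', 'ipsec' or 'clear'."""
        if ip_address(pkt.dst) in ip_network(self.inside_net):
            return "local", pkt          # host never sends this to the firewall
        translated = self.translate(pkt)
        return ("ipsec" if self.crypto_match(translated) else "clear", translated)


def hide_nat_scenarios():
    """ACL written with the inside address never matches post-NAT -> cleartext."""
    remote = "123.45.56.0/24"
    wrong = Pix("203.0.113.1", "192.168.1.0/24", {}, [("192.168.1.0/24", remote)])
    right = Pix("203.0.113.1", "192.168.1.0/24", {}, [("interface", remote)])
    pkt = Packet("192.168.1.10", "123.45.56.20")
    return wrong.forward(pkt)[0], right.forward(pkt)[0]


def overlapping_scenarios():
    """Both LANs are 192.168.1.0/24; A is reached as 192.168.3.0/24, B as 192.168.2.0/24."""
    site_a = Pix("203.0.113.1", "192.168.1.0/24", {"192.168.1.0/24": "192.168.3.0/24"},
                 [("192.168.3.0/24", "192.168.2.0/24")])
    site_b = Pix("198.51.100.1", "192.168.1.0/24", {"192.168.1.0/24": "192.168.2.0/24"},
                 [("192.168.2.0/24", "192.168.3.0/24")])
    # host .10 at A reaches host .50 at B only through B's alias 192.168.2.50
    verdict, on_wire = site_a.forward(Packet("192.168.1.10", "192.168.2.50"))
    delivered = site_b.untranslate(on_wire)
    # addressing the remote host by its real 192.168.1.x never leaves LAN A
    flat = site_a.forward(Packet("192.168.1.10", "192.168.1.50"))[0]
    return verdict, on_wire, delivered, flat


if __name__ == "__main__":
    print("hide-NAT (inside addr in ACL, interface in ACL):", hide_nat_scenarios())
    print("overlapping LANs:", overlapping_scenarios())
```

The first scenario is the one to watch for operationally: with the ACL written against the untranslated LAN address, the packet is not selected for the tunnel and leaves the outside interface in clear, so a VPN misconfiguration of this kind shows up as unencrypted traffic to the peer's network rather than as a connection failure.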

Re: PIX VPN

on 09.05.2007 12:06:37 by Wolfgang Kueter

Walter Roberson wrote:

> It -is- possible on the PIX to arrange two overlapping LAN IP ranges
> to talk to each other over VPN, provided that you can arrange
> that they refer to each other by different addresses.

Well, I'd recommend trying to stick to the rule of thumb and avoid NAT
between networks connected via VPN.

Of course I see the point that changing the addresses of one network can be
a bit of a problem, but after a few days of pain and problems the problems
are usually gone. With NAT and VPN other problems occur and will often last
for quite a long time.

Wolfgang