Re: VPN Overlapping issue

From: manoj prajapati <manoj4784_at_gmail.com>
Date: Fri, 9 Oct 2009 10:40:10 +0530

Hi Ryan,

    Yes, each customer has an individual Internet connection.

As mentioned in your earlier mail, is it necessary to change the cust 2
private IP address? Because cust2 has a different IP range.

Here is the config that I have done on the PIX:

static (inside,outside) 10.2.3.0 access-list TICTAC
access-list TICTAC permit ip 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0

crypto ACL:
access-list crypto permit ip 10.2.3.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list nonat permit ip host 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

show run | i global|nat|access-list

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

On the cust2 (Checkpoint) side they have allowed 3 IPs: 10.2.3.1, 10.2.3.2 and
10.2.3.3

Regards,
Manoj

On Thu, Oct 8, 2009 at 7:20 PM, Ryan West <rwest_at_zyedge.com> wrote:

> Manoj,
>
> Do each of the customers have their connection to the internet or is cust1
> getting Internet via cust2? If cust1 has a connection to the internet, then
> you're probably just missing a NAT statement for traffic that doesn't fall
> within the NAT access-list profile. You'll also have to define a global for
> it as well. If you do have an Internet connection at cust1, please post the
> following sanitized output:
>
> show ip
>
> show run | i global|nat|access-list
>
> If it does not have a direct Internet connection, please explain the
> topology in greater detail.
>
> -ryan
>
> *From:* manoj prajapati [mailto:manoj4784_at_gmail.com]
> *Sent:* Thursday, October 08, 2009 3:03 AM
> *To:* Ryan West
> *Cc:* cisco_at_groupstudy.com; Cisco certification
> *Subject:* Re: VPN Overlapping issue
>
> Hi Ryan,
>
> Very good explanation. Done the same as you have said.
>
> Now I am able to ping the customer end (CUST2) server. But, *unable to
> browse Internet* from Cust1. Is there anything to do with? Applied and
> removed the nonat statement. Nothing is happening.
>
>
>
> > > The private IP address is:
>
> > > Cust1 ---- 10.2.2.0 (PIX)
> > > Cust2 ---- 10.10.10.0 (Checkpoint Nokia)
> > > Cust3 ---- 10.2.2.0 (ASA)
> > >
> > > connectivity is Cust1 ---- Cust2 ---- Cust3
> > >                   |          |          |
> > >                10.2.2.0  10.10.10.0  10.2.2.0
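
Added example, not part of the original thread or either poster's configuration: a small Python model of the NAT rule order on pre-8.3 PIX/ASA software (NAT exemption first, then static including policy static, then dynamic NAT/PAT), applied to the rules posted above to show which rule a flow hits and whether its post-NAT source matches the crypto ACL. Reading the nonat entry as 10.2.2.0/24, the outside address 192.0.2.1 and the destination addresses are assumptions or constructed values.

```python
import ipaddress as ipa

# Rule tables transcribed from the PIX config in the message above.
# Assumptions: the nonat entry is read as the network 10.2.2.0/24 (the posted
# line carries both "host" and a mask), and OUTSIDE_IP is a constructed
# placeholder for the address behind "global (outside) 1 interface".
OUTSIDE_IP = "192.0.2.1"
PAGE_CFG = {
    "nat_exempt":    [("10.2.2.0/24", "10.10.10.0/24")],                 # nat 0 access-list nonat
    "policy_static": [("10.2.2.0/24", "10.10.10.0/24", "10.2.3.0/24")],  # static ... access-list TICTAC
    "dynamic":       ["0.0.0.0/0"],                                      # nat (inside) 1 0.0.0.0 0.0.0.0
    "crypto":        [("10.2.3.0/24", "10.10.10.0/24")],                 # access-list crypto
}

def within(addr, net):
    return ipa.ip_address(addr) in ipa.ip_network(net)

def translate(cfg, src, dst):
    """Apply the pre-8.3 PIX/ASA NAT order: exemption, static, then dynamic."""
    for s, d in cfg["nat_exempt"]:
        if within(src, s) and within(dst, d):
            return "nat-exempt", src
    for s, d, mapped in cfg["policy_static"]:
        if within(src, s) and within(dst, d):
            # Net-to-net static keeps the host part: 10.2.2.x -> 10.2.3.x
            host = int(ipa.ip_address(src)) - int(ipa.ip_network(s).network_address)
            return "policy-static", str(ipa.ip_network(mapped).network_address + host)
    for s in cfg["dynamic"]:
        if within(src, s):
            return "dynamic-pat", OUTSIDE_IP
    return "no-nat", src

def trace(cfg, src, dst):
    """Return (NAT rule hit, post-NAT source, whether the crypto ACL matches)."""
    rule, xsrc = translate(cfg, src, dst)
    tunnel = any(within(xsrc, s) and within(dst, d) for s, d in cfg["crypto"])
    return rule, xsrc, tunnel

if __name__ == "__main__":
    without_exempt = dict(PAGE_CFG, nat_exempt=[])
    for name, cfg in (("with nonat", PAGE_CFG), ("without nonat", without_exempt)):
        for dst in ("10.10.10.5", "198.51.100.7"):   # constructed destinations
            print(name, dst, trace(cfg, "10.2.2.1", dst))
```

In this model the nonat entry only changes the result for traffic to 10.10.10.0/24; Internet-bound flows hit the dynamic PAT rule in both cases.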

Received on Fri Oct 09 2009 - 10:40:10 ART