Hi Mates,
I'm not the strongest security expert, so I was wondering if someone could
throw me a bone; I have a requirement for a site-to-site VPN connecting to
a third-party network.
The issue is, the third party has other clients whose private IP ranges are
the same as ours, so a possible solution is to translate our inside range
to our public IP.
I have a couple of site-to-site VPNs within our environment which require
no translation, and I normally use the template below. Any ideas? Thanks
{My Local Subnet} 192.168.1.0/24 [public ip 1.1.1.1] <---vpn----> [2.2.2.2] 172.21.17.0/24 { ThirdParty }
Template, Site-to-Site VPN
=======================
! Local and remote subnets (the encryption domain of the tunnel)
object network My_Local_Subnet
 subnet 192.168.1.0 255.255.255.0
object network ThirdParty_Remote_Subnet
 subnet 172.21.17.0 255.255.255.0
! Crypto ACL: traffic between the two subnets is "interesting" and gets encrypted
access-list outside_cryptomap_1 extended permit ip object My_Local_Subnet object ThirdParty_Remote_Subnet
! Identity NAT: VPN traffic keeps its real addresses and is exempt from the general PAT
nat (inside,any) source static My_Local_Subnet My_Local_Subnet destination static ThirdParty_Remote_Subnet ThirdParty_Remote_Subnet no-proxy-arp route-lookup
! IKEv1 peer definition and pre-shared key
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
! Phase 1 (ISAKMP) policy
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! Phase 2 transform set and the crypto map entry for this peer
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 1 set reverse-route
Blogs and organic groups at http://www.ccie.net
Received on Wed Nov 06 2013 - 08:38:47 ART
This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART
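The overlapping-subnet case the poster describes is normally solved by translating the local LAN before it enters the tunnel, so the third party only ever sees our public address. The following is an added example, not config from the original post or from Cisco: it keeps the poster's object names, peer 2.2.2.2 and interface names (inside/outside), assumes ASA 8.3+ NAT syntax, and assumes the translated address is our outside interface IP 1.1.1.1. It replaces the identity NAT line and the crypto ACL from the template above; the tunnel-group, IKEv1 policy and transform set stay as they are.

```cisco
! Added example (not from the original post). Assumes ASA 8.3+ manual NAT
! syntax, interfaces named inside/outside, and that the outside interface
! IP (1.1.1.1) is the address the third party should see.
object network My_Local_Subnet
 subnet 192.168.1.0 255.255.255.0
object network ThirdParty_Remote_Subnet
 subnet 172.21.17.0 255.255.255.0
!
! Manual (twice) NAT, placed at line 1 so it is evaluated before any broader
! inside->any rule: only traffic from our LAN to the third-party subnet is
! PAT'ed to the outside interface IP; every other destination is untouched.
nat (inside,outside) 1 source dynamic My_Local_Subnet interface destination static ThirdParty_Remote_Subnet ThirdParty_Remote_Subnet
!
! The ASA matches the crypto ACL on POST-NAT addresses, so the interesting
! traffic is the translated host 1.1.1.1, not 192.168.1.0/24.
access-list outside_cryptomap_1 extended permit ip host 1.1.1.1 object ThirdParty_Remote_Subnet
!
! Crypto map entry is unchanged apart from pointing at the new ACL.
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set reverse-route
```

Two things to check before relying on this. First, the third party's crypto ACL must mirror ours (172.21.17.0/24 to host 1.1.1.1), otherwise phase 2 never negotiates. Second, dynamic PAT to a single address only allows our side to initiate connections; if the third party needs to reach individual hosts on 192.168.1.0/24, use a static one-to-one translation to a public block of the same size instead (for example `nat (inside,outside) 1 source static My_Local_Subnet Mapped_Public_Subnet destination static ThirdParty_Remote_Subnet ThirdParty_Remote_Subnet`, with `Mapped_Public_Subnet` being an assumed object for a public /24 you own) and put that mapped block in the crypto ACL. Verify with `show nat detail` that the new rule is hit and `show crypto ipsec sa` that the local identity of the SA is the translated address.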