Re: Site-to-Site VPN, translate inside host to public IP

From: Piotr Kaluzny <piotrk_at_ipexpert.com>
Date: Wed, 6 Nov 2013 17:55:37 +0100

Charlie

Just do the translation to whatever you want and then in the encryption ACL
(Proxy ACL) call out the translated addresses instead of the original ones.

Regards,

--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com
On Wed, Nov 6, 2013 at 4:38 PM, Charlie_CA <spycharlies_at_gmail.com> wrote:
> Hi Mates,
>
> I'm not the strongest security expert, so I was wondering if someone could
> throw me a bone; I have a requirement for a site-to-site VPN connecting to
> a third party network.
>
>
> The issue is, the third party has other clients whose private IP range are
> the same as ours, so a possible solution is to translate our inside range
> to our public IP.
>
>
> I have a couple of site-to-site VPNs within our environment which require
> no translation, and I normally use the template below. Any ideas? Thanks
>
>
> {My Local Subnet} 192.168.1.0/24 [public ip 1.1.1.1] <---vpn----> [2.2.2.2] 172.21.17.0/24 { ThirdParty }
>
>
> Template, Site-to-Site VPN
> =======================
>
> object network My_Local_Subnet
>  subnet 192.168.1.0 255.255.255.0
> object network ThirdParty_Remote_Subnet
>  subnet 172.21.17.0 255.255.255.0
>
> access-list outside_cryptomap_1 extended permit ip object My_Local_Subnet object ThirdParty_Remote_Subnet
>
> nat (inside,any) source static My_Local_Subnet My_Local_Subnet destination static ThirdParty_Remote_Subnet ThirdParty_Remote_Subnet no-proxy-arp route-lookup
>
> tunnel-group 2.2.2.2 type ipsec-l2l
> tunnel-group 2.2.2.2 ipsec-attributes
>  ikev1 pre-shared-key cisco123
>
> crypto ikev1 policy 1
>  authentication pre-share
>  encryption 3des
>  hash md5
>  group 2
>  lifetime 86400
>
> crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
>
> crypto map outside_map 1 match address outside_cryptomap_1
> crypto map outside_map 1 set pfs group2
> crypto map outside_map 1 set peer 2.2.2.2
> crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
> crypto map outside_map 1 set nat-t-disable
> crypto map outside_map 1 set reverse-route
>
>
> Blogs and organic groups at http://www.ccie.net
Received on Wed Nov 06 2013 - 17:55:37 ART
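What Piotr's suggestion looks like in ASA 8.3+ syntax, using the addresses from Charlie's diagram; this is an added example, not configuration from either post, and the object name My_Public_IP and the choice of dynamic PAT to the single public address 1.1.1.1 are assumptions:

```text
! Added example (not from the original posts). Translate the inside /24 to the
! public address 1.1.1.1 only for traffic bound to the third party, then match
! the translated source in the crypto (proxy) ACL.

object network My_Local_Subnet
 subnet 192.168.1.0 255.255.255.0
object network My_Public_IP
 host 1.1.1.1
object network ThirdParty_Remote_Subnet
 subnet 172.21.17.0 255.255.255.0

! Twice NAT: dynamic PAT of the inside range behind 1.1.1.1, conditioned on the
! destination being the third-party subnet. Manual NAT rules are evaluated in
! order, so this line must sit ABOVE the identity-NAT (no-translation) rules
! used for the existing site-to-site tunnels, or those rules will match first
! and the traffic will leave untranslated.
nat (inside,outside) 1 source dynamic My_Local_Subnet My_Public_IP destination static ThirdParty_Remote_Subnet ThirdParty_Remote_Subnet

! The proxy ACL is checked after NAT, so it references the translated address
! (1.1.1.1/32), not 192.168.1.0/24. The third party's mirror ACL must likewise
! use 1.1.1.1/32 -> 172.21.17.0/24, or phase 2 will fail with a proxy mismatch.
access-list outside_cryptomap_1 extended permit ip object My_Public_IP object ThirdParty_Remote_Subnet

! Remaining crypto map / tunnel-group lines are unchanged from the template.
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5

! Checks after applying:
!   show nat detail          -> rule above shows translate_hits > 0 for test traffic
!   show crypto ipsec sa     -> local ident 1.1.1.1/255.255.255.255, remote 172.21.17.0/24
!   packet-tracer input inside tcp 192.168.1.10 1234 172.21.17.5 443
```

Because a single address is PAT'd, only sessions initiated from the inside will work; if the third party must initiate connections to specific inside hosts, use static one-to-one NAT for those hosts instead (each to its own public address) and list those addresses in the crypto ACL.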