Pix to Pix overlapping networks

[sunyasee]

Has anyone ever configured a Pix to Pix VPN with overlapping networks? Is this possible? I have found examples of Pix to VPN Concentrator, but have not seen an example of Pix to Pix. I need the whole networks at each side to talk to each other.

Any help would be gladly appreciated!

Thanks

----

Sunyasee

 

[colinT23]

Hi,

Do you mean both networks are on the same subnet ? If so, then no, this won't work. Both LAN's need to be on different subnets.

Regards Colin.

 

[Antelope]

Not true, you can NAT your internal networks to different addresses. Look at this document:

http://www.cisco.com/en/US/customer...s_configuration_example09186a00800949f1.shtml

 

[sunyasee]

Hi Antelope

I used that example but was still unable to get it to work.
In the end I used Nat on the PIXes to chnage the internal address and did the VPN p2p on the Internet routers. That was the only way I can get it to work!

Thanks

----

Sunyasee

 

[dopehead]

I have done this in e few different places, the only thing you actually have to do is nat the traffic before it is put through the tunnel, only problem is that you get lotsa name resolution problems if you run a windows environment through this.

example :
if each pix has 192.168.1.0/24 on its inside interface you could do it like this :
PIX A :
static (inside,outside) 192.168.2.0 192.168.1.0 netmask 255.255.255.0
PIX B :
static (inside,outside) 192.168.3.0 192.168.1.0 netmask 255.255.255.0

Then your crypto acl would be :

PIX A :
access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
PIX B :
access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0


Quite simple actually

Network Systems Engineer
CCNA/CQS/CCSP/Infosec
Check the danish Cisco CSA Forum here :

http://www.csaforum.dk