Monday, December 15, 2008

PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks)
Configuration Example
Document ID: 99122
Introduction
Prerequisites
Requirements
Components Used
Related Products
Conventions
Configure
Network Diagram
Configurations
Verify
Show Commands from PIX-A
Show Commands from PIX-B
Troubleshoot
Clear Security Associations
Troubleshooting Commands
NetPro Discussion Forums - Featured Conversations
Related Information
Introduction
This document describes the steps used to translate (NAT) the VPN traffic from one end that travels over a
LAN-to-LAN (L2L) IPsec tunnel between two security appliances, and also to PAT the Internet traffic. Each
security appliance has a private protected network behind it.
The 192.168.1.0 network behind PIX-A is translated to the 172.18.1.0 network, and the VPN traffic is sent
through the IPsec tunnel with the translated addresses. This type of translation at the VPN end point is useful
to avoid the conflict that arises when the same network (overlapping networks) exists behind both the local
and the remote security appliance.
In an L2L VPN, you can normally initiate the IPsec tunnel from either tunnel end point. In this scenario, the
inside network of PIX-A (192.168.1.0) is translated to the 172.18.1.0 network with Policy NAT for VPN
traffic. Because of this translation, the source network of the interesting traffic, 172.18.1.0, is not reachable
from PIX-B. If you try to initiate the tunnel from PIX-B, the destination address of the VPN interesting traffic,
172.18.1.0 (that is, the translated network address of PIX-A), is not reachable. So you must initiate the VPN
tunnel only from PIX-A.
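As an added illustration of the policy NAT described above (this is not the configuration from this document's Configurations section), here is the PIX-A side in PIX/ASA 7.x syntax. The ACL names, the crypto map name, the peer address (an RFC 5737 documentation address used as a placeholder) and the assumption that the network behind PIX-B is also 192.168.1.0/24 are all constructed for this example.

```text
! Policy NAT: only packets from 192.168.1.0/24 whose destination is the
! remote 192.168.1.0/24 (assumed overlapping network behind PIX-B) are
! translated to 172.18.1.0/24. All other inside traffic is left alone.
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) 172.18.1.0 access-list policy-nat

! NAT is applied before IPsec, so the crypto ACL must match the
! translated source network, not the real one.
access-list vpn-traffic extended permit ip 172.18.1.0 255.255.255.0 192.168.1.0 255.255.255.0

! Internet-bound traffic from the inside network is PATed to the outside
! interface address. The policy static above takes precedence for VPN traffic.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

! Peer address is a placeholder for the PIX-B outside interface.
crypto map outside_map 10 match address vpn-traffic
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map interface outside
```

On PIX-B the crypto ACL is the mirror image (source 192.168.1.0/24, destination 172.18.1.0/24), and after traffic is sent from behind PIX-A, show xlate on PIX-A confirms the 192.168.1.x to 172.18.1.x translations that the policy static created.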
Prerequisites
Requirements
Ensure that you have configured the PIX Security Appliance with IP addresses on the interfaces and have
basic connectivity before you proceed with this configuration example.