I. Overview:
Earlier testing showed that twice NAT on ASA 8.4 solves the problem of overlapping VPN addresses without breaking Internet access for the internal hosts, so I wanted to see whether a lower-version ASA/PIX can solve the same problem. Testing PIX 8.0 in GNS was very disappointing: the PIX can solve the address overlap, but the network behind it can then no longer reach the public network. The reason is similar to the one on routers: the priority of static NAT cannot be adjusted, so once static NAT is configured, all traffic bound for the public network is also translated by the static NAT rule, and Internet access fails. If the PIX builds its L2L VPN with a router, both problems (address overlap and public network access) can be solved on the router side. This is much the same as the solution from the earlier test of an L2L VPN between two routers, but I recorded it anyway, at least as a review of the PIX VPN configuration commands.
II. Basic ideas:
A. The PIX cannot lower the priority of static NAT. Configuring static NAT solves the address overlap, but it also stops the intranet from reaching the public network.
B. Solve both the address overlap and simultaneous public network access on the router at the other end of the VPN established with the PIX.
III. Test topology:
IV. Basic configuration:
A. Headquarters server router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.1
B. Headquarters PIX firewall:
interface e0
 ip address 10.1.1.1 255.255.255.0
 nameif inside
 no shutdown
interface e1
 ip address 202.100.1.1 255.255.255.0
 nameif outside
 no shutdown
route outside 0.0.0.0 0.0.0.0 202.100.1.10
C. Internet router:
interface Ethernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shutdown
interface Ethernet0/1
 ip address 202.100.2.10 255.255.255.0
 no shutdown