Solved

Cisco Pix natting VPN

Posted on 2004-03-24
Last Modified: 2013-11-16
I am really struggling to get my head around this, so any help is really appreciated.
I am trying to set up a VPN between a Cisco PIX and a Cisco Concentrator. The problem is that all the subnets on my side (PIX) are already being used on the partner's side (Concentrator). To get around this we thought of NATting the connection. So we decided on a subnet and I added it to the NAT pool and started creating the VPN using the PDM wizard, but when it finishes, a translation exemption rule is created for the new VPN.

What I can't figure out is how to make any traffic headed for the partner's site use the NAT pool I set up.

Internal Subnet: 10.0.0.0/ 255.255.255.0
New NAT Pool: 10.185.209.0/ 255.255.255.0
Partner IPs: 172.45.190.64 / 255.255.255.254 (the internal IP addresses we are trying to reach)

Here's the bits of the config file that I think are relevant:

access-list compiled
access-list inside_outbound_nat0_acl permit ip any 172.16.31.0 255.255.255.0
access-list dmz_access_in permit icmp any any
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.31.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 partner 255.255.255.254       <---------- Entry for new VPN
...
...
...
access-list kps-remotevpn_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list kps-remotevpn_splitTunnelAcl permit ip 192.168.255.0 255.255.255.0 any
access-list dmz_outbound_nat0_acl permit ip 192.168.255.0 255.255.255.0 172.16.32.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.32.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 partner 255.255.255.254 <---------- Entry for new VPN
...
...
...
global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0       < --------------New NAT Pool
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 0 access-list dmz_inbound_nat0_acl outside
nat (dmz) 10 0.0.0.0 0.0.0.0 0 0


Thanks in advance

Dave


Question by:davidjw
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10667513
 

Author Comment

by:davidjw
ID: 10667795
I'm a bit confused by the suggested doc, specifically:

!--- Static translation defined to translate Private_LAN1
!--- from 192.168.4.0/24 to 20.1.1.0/24
!--- Note that this translation will be used for both
!--- VPN and Internet traffic from Private_LAN1.
!--- So a routable global IP address range, or an extra NAT
!--- at the ISP router (in front of PIX), will be
!--- required if Private_LAN1 also needs internal access.

What does this mean in real terms? There is no configurable router in front of the PIX, so am I able to set up the VPN but still route other traffic as normal?

Regards
Dave
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10668208
Natting a VPN connection is in general a bad idea.
If you were to do that, it would have to support UDP encapsulation, and I doubt that it does; because of that you would not get all the information.
LVL 79

Expert Comment

by:lrmoore
ID: 10668397
>all the subnets on my side (pix) are already being used on the partners side
Do you mean that 10.0.0.0/24 is being used somewhere else on the partner side?

>!--- So a routable global IP address range, or an extra NAT
>!--- at the ISP router (in front of PIX),

use something like a
global (outside) 10 interface
nat (inside) 10 20.1.1.0 255.255.255.0
 
The crypto map should take care of routing only the appropriate traffic through the VPN tunnel, and the rest will go out through the normal NAT process and out to the world.


 
LVL 23

Accepted Solution

by:
Tim Holman earned 2000 total points
ID: 10668647
Agreed. I'm setting something up at the moment which is like this but the other way round (the VPN Concentrator needs the NAT).
You need to set up the VPN access lists on the PIX to encrypt the NATted address, not the original address, so something like this:

access-list kps-remotevpn_splitTunnelAcl permit ip 10.185.209.0 255.255.255.0 any

in addition to:

global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0  
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

...should do the trick!


 

Author Comment

by:davidjw
ID: 10686203
This may seem like a stupid question but do I also need to remove the NONAT access lists?

Dave
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10695381
NAT happens BEFORE encryption, so in your case, yes.
 
LVL 6

Expert Comment

by:Pascal666
ID: 10696993
Removing the statement "nat (inside) 0 access-list nonat" will tell your PIX to NAT all traffic.

-Pascal
 

Author Comment

by:davidjw
ID: 10730527
I've not been able to try this yet, as other work has taken priority, but I have done some more research and what I need is in the Cisco documentation:

Policy NAT
Translates source and destination address pairs to different global statements, even if the source address is the same. For example, traffic from IP address A to server A can be translated to global address A, while traffic from IP address A to server B can be translated to global address B.

and from http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601:

The syntax for using global translations for the hosts shown in Figure 2-12 follows:

access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
nat (inside) 1 access-list NET1
global (outside) 1 209.165.202.129 255.255.255.255
nat (inside) 2 access-list NET2
global (outside) 2 209.165.202.130 255.255.255.255

Regards
Dave
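Putting the accepted answer (encrypt the translated address, drop the exemption for the partner network) and the policy NAT excerpt together for the subnets in the question, as an added configuration example that is not from the thread's participants or from Cisco's documentation. It assumes the access-list name vpn_nat, takes the partner network from the question as 172.45.190.64 255.255.255.254, and uses outside_cryptomap_20 as the crypto ACL for the new tunnel because the question's config marks it that way; note that the question's global (outside) 15 pool has no matching nat (inside) 15 statement, which is why nothing ever uses it.

```text
! --- Before (as produced by the PDM wizard) ---
! The exemption entry wins over every other nat statement, so partner-bound
! packets keep their 10.0.0.x source and never reach pool 15. The crypto ACL
! then encrypts the untranslated 10.0.0.0/24, which clashes on the partner side.
!   access-list nonat permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254
!   nat (inside) 0 access-list nonat
!   access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254
!   global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0

! --- After ---
! 1. Remove only the partner entry from the exemption list; the other nonat
!    entries (192.168.255.0/24, 172.16.31.0/24) still serve the existing tunnels.
no access-list nonat permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254

! 2. Policy NAT: match on the source/destination pair, so only traffic from
!    10.0.0.0/24 to the partner network is translated into pool 15. The nat id
!    and the global id must be the same number.
access-list vpn_nat permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254
nat (inside) 15 access-list vpn_nat
global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0

! 3. Everything else from the inside still falls through to the existing
!    interface PAT, so normal Internet traffic is unaffected.
!   nat (inside) 10 0.0.0.0 0.0.0.0 0 0
!   global (outside) 10 interface

! 4. NAT happens before encryption, so the crypto ACL must select the
!    translated source, not the original 10.0.0.0/24.
no access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254
access-list outside_cryptomap_20 permit ip 10.185.209.0 255.255.255.0 172.45.190.64 255.255.255.254
```

The Concentrator side must then define the remote (PIX) network as 10.185.209.0/24 rather than 10.0.0.0/24, and any return-traffic filters on the partner side should be checked against the translated range too.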
