  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4608

Cisco PIX natting VPN

I am really struggling to get my head around this, so any help is really appreciated.
I am trying to set up a VPN between a Cisco PIX and a Cisco Concentrator. The problem is that all the subnets on my side (PIX) are already being used on the partner's side (Concentrator). To get around this we thought of natting the connection. So we decided on a subnet and I added it to the NAT pool and started creating the VPN using the PDM wizard, but when it finishes, a translation exemption rule is created for the new VPN.

What I can't figure out is how to make any traffic headed for the partner's site use the NAT pool I set up.

Internal Subnet: 10.0.0.0/ 255.255.255.0
New NAT Pool: 10.185.209.0/ 255.255.255.0
Partner IPs: 172.45.190.64 / 255.255.255.254 (the internal IP addresses we are trying to reach)

Here are the bits of the config file that I think are relevant:

access-list compiled
access-list inside_outbound_nat0_acl permit ip any 172.16.31.0 255.255.255.0
access-list dmz_access_in permit icmp any any
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.31.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 partner 255.255.255.254       <---------- Entry for new VPN
...
...
...
access-list kps-remotevpn_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list kps-remotevpn_splitTunnelAcl permit ip 192.168.255.0 255.255.255.0 any
access-list dmz_outbound_nat0_acl permit ip 192.168.255.0 255.255.255.0 172.16.32.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.32.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 partner 255.255.255.254 <---------- Entry for new VPN
...
...
...
global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0       <-------------- New NAT Pool
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 0 access-list dmz_inbound_nat0_acl outside
nat (dmz) 10 0.0.0.0 0.0.0.0 0 0


Thanks in advance

Dave


Asked: davidjw
1 Solution
 
lrmooreCommented:
0
 
davidjwAuthor Commented:
I'm a bit confused by the suggested doc, specifically:

!--- Static translation defined to translate Private_LAN1
!--- from 192.168.4.0/24 to 20.1.1.0/24
!--- Note that this translation will be used for both
!--- VPN and Internet traffic from Private_LAN1.
!--- So a routable global IP address range, or an extra NAT
!--- at the ISP router (in front of PIX), will be
!--- required if Private_LAN1 also needs internal access.

What does this mean in real terms? There is no configurable router in front of the PIX, so am I able to set up the VPN but still route other traffic as normal?

Regards
Dave
0
 
bloemkool1980Commented:
Natting a VPN connection is in general a bad idea.
If you did that, it would need to support UDP encapsulation, and I doubt that it does, which is why you do not get all the information.
0
 
lrmooreCommented:
>all the subnets on my side (pix) are already being used on the partners side
Do you mean that 10.0.0.0/24 is being used somewhere else on the partner side?

>!--- So a routable global IP address range, or an extra NAT
>!--- at the ISP router (in front of PIX),

use something like a
global (outside) 10 interface
nat (inside) 10 20.1.1.0 255.255.255.0
 
The crypto map should take care of routing only the appropriate traffic through the VPN tunnel, and the rest will go out through the normal NAT process, and out to the world.


0
 
Tim HolmanCommented:
Agreed.  I'm setting something up at the moment, which is like this but the other way round (the VPN Concentrator needs the NAT).
You need to set up the VPN access lists on the PIX to encrypt the NATted address, not the original address, so something like this:

access-list kps-remotevpn_splitTunnelAcl permit ip 10.185.209.0 255.255.255.0 any

in addition to:

global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0  
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

...should do the trick!


0
 
davidjwAuthor Commented:
This may seem like a stupid question but do I also need to remove the NONAT access lists?

Dave
0
 
Tim HolmanCommented:
NAT happens BEFORE encryption, so in your case, yes.
0
 
Pascal666Commented:
Removing the statement "nat (inside) 0 access-list nonat" will tell your PIX to NAT all traffic.

-Pascal
0
 
davidjwAuthor Commented:
I've not been able to try this yet as other work has taken priority but I have done some more research and what I need is in the Cisco documentation:

Policy NAT
Translates source and destination address pairs to different global statements, even if the source address is the same. For example, traffic from IP address A to server A can be translated to global address A, while traffic from IP address A to server B can be translated to global address B.

and from http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601:

The syntax for using global translations for the hosts shown in Figure 2-12 follows:

access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
nat (inside) 1 access-list NET1
global (outside) 1 209.165.202.129 255.255.255.255
nat (inside) 2 access-list NET2
global (outside) 2 209.165.202.130 255.255.255.255

Regards
Dave
 
0
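The policy NAT that Dave quotes, applied to the addresses in his question, can be checked against a small model of the PIX rule order. This is an added worked example, not code from the thread, from Cisco, or from any poster. The rule-evaluation order, the outside interface address 203.0.113.1, and the sample flows are constructed assumptions, and the POLICY_NAT configuration is an assumed combination of the NET1/NET2 syntax Dave quoted with his own numbers, not a configuration anyone in the thread posted.

```python
"""Simplified model of how PIX 6.3 picks an outbound NAT rule and then checks the
crypto map. Added illustration, not from the thread or from Cisco. The order is an
assumption distilled from the PIX 6.3 NAT docs, first match wins:
  1. nat (inside) 0 access-list <acl>    -> exemption, source left untranslated
  2. nat (inside) <id> access-list <acl> -> policy NAT, source mapped to global <id>
  3. nat (inside) <id> <net> <mask>      -> regular NAT, source mapped to global <id>
The crypto ACL is then matched against the translated source (NAT before encryption)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

INSIDE = "10.0.0.0/24"                      # internal subnet from the question
PARTNER = "172.45.190.64/31"                # 172.45.190.64 / 255.255.255.254 from the question
POOL_15 = ip_network("10.185.209.0/24")     # global (outside) 15 10.185.209.0-10.185.209.254
OUTSIDE_IF = ip_network("203.0.113.1/32")   # constructed address for "global (outside) 10 interface"


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' line of an extended access-list."""
    src: IPv4Network
    dst: IPv4Network


def ace(src: str, dst: str) -> Ace:
    return Ace(ip_network(src, strict=False), ip_network(dst, strict=False))


def acl_hit(acl: List[Ace], s, d) -> bool:
    return any(s in e.src and d in e.dst for e in acl)


@dataclass(frozen=True)
class NatStmt:
    """nat (inside) <nat_id> ...: either the access-list form or the net/mask form."""
    nat_id: int
    acl: Optional[List[Ace]] = None
    net: Optional[IPv4Network] = None


@dataclass
class PixConfig:
    nat: List[NatStmt]                 # nat (inside) statements in configuration order
    globals_: Dict[int, IPv4Network]   # nat_id -> global pool (or interface address)
    crypto_acl: List[Ace]              # match ACL of the site-to-site crypto map entry

    def translate(self, src: str, dst: str) -> IPv4Network:
        """Return the source as the outside sees it (a /32 when left untranslated)."""
        s, d = ip_address(src), ip_address(dst)
        for stmt in self.nat:
            if stmt.acl is not None:
                if not acl_hit(stmt.acl, s, d):
                    continue
                # nat 0 with an ACL is an exemption: the private address leaves as-is
                return ip_network(str(s)) if stmt.nat_id == 0 else self.globals_[stmt.nat_id]
            if stmt.net is not None and s in stmt.net:
                return self.globals_[stmt.nat_id]
        return ip_network(str(s))  # no matching nat statement; kept simple here

    def encrypted(self, src: str, dst: str) -> bool:
        """Does the flow match the crypto ACL after translation?"""
        xlated, d = self.translate(src, dst), ip_address(dst)
        return any(xlated.subnet_of(e.src) and d in e.dst for e in self.crypto_acl)


# As posted: the partner line in "nonat" exempts the traffic, so it enters the tunnel
# with its 10.0.0.x source, and no nat statement ever selects global 15.
AS_POSTED = PixConfig(
    nat=[NatStmt(0, acl=[ace(INSIDE, "192.168.255.0/24"), ace(INSIDE, "172.16.31.0/24"),
                         ace(INSIDE, PARTNER)]),
         NatStmt(10, net=ip_network("0.0.0.0/0"))],
    globals_={10: OUTSIDE_IF, 15: POOL_15},
    crypto_acl=[ace(INSIDE, PARTNER)],
)

# Assumed policy NAT built from the quoted NET1/NET2 syntax: partner line removed from
# "nonat", partner-bound traffic sent to pool 15, crypto ACL matching the translated source.
POLICY_NAT = PixConfig(
    nat=[NatStmt(0, acl=[ace(INSIDE, "192.168.255.0/24"), ace(INSIDE, "172.16.31.0/24")]),
         NatStmt(15, acl=[ace(INSIDE, PARTNER)]),
         NatStmt(10, net=ip_network("0.0.0.0/0"))],
    globals_={10: OUTSIDE_IF, 15: POOL_15},
    crypto_acl=[ace("10.185.209.0/24", PARTNER)],
)

# Same policy NAT but the crypto ACL still names 10.0.0.0/24: translated packets no longer match.
POLICY_NAT_OLD_CRYPTO = PixConfig(nat=POLICY_NAT.nat, globals_=POLICY_NAT.globals_,
                                  crypto_acl=[ace(INSIDE, PARTNER)])

# Constructed sample flows: partner host, an Internet host, an existing nonat peer.
FLOWS = [("10.0.0.5", "172.45.190.65"), ("10.0.0.5", "198.51.100.7"), ("10.0.0.5", "172.16.31.9")]


def report(cfg: PixConfig, flows=FLOWS) -> Dict[str, tuple]:
    """Map 'src->dst' to (translated source, encrypted?) for each flow."""
    return {f"{s}->{d}": (str(cfg.translate(s, d)), cfg.encrypted(s, d)) for s, d in flows}


if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("policy NAT", POLICY_NAT),
                      ("policy NAT, old crypto ACL", POLICY_NAT_OLD_CRYPTO)):
        print(name, report(cfg))
```

Running it shows the three outcomes the thread argues about: as posted, partner-bound traffic is exempted from NAT and enters the tunnel with its 10.0.0.x source; with policy NAT and a crypto ACL on 10.185.209.0/24 it is translated and still encrypted; with policy NAT but the old crypto ACL it is translated and no longer matches the tunnel, which is Tim Holman's point that NAT happens before encryption. Internet-bound traffic takes the interface PAT in every case.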
