davidjw asked:
Cisco Pix natting VPN

I am really struggling to get my head around this, so any help is really appreciated.
I am trying to set up a VPN between a Cisco PIX and a Cisco Concentrator. The problem is that all the subnets on my side (PIX) are already being used on the partner's side (concentrator). To get around this we thought of NATting the connection. So we decided on a subnet, added it to the NAT pool and started creating the VPN using the PDM wizard, but when it finishes a translation exemption rule is created for the new VPN.

What I can't figure out is how to make any traffic headed for the partner's site use the NAT pool I set up.

Internal Subnet: 10.0.0.0 / 255.255.255.0
New NAT Pool: 10.185.209.0 / 255.255.255.0
Partner IPs: 172.45.190.64 / 255.255.255.254 (the internal IP addresses we are trying to reach)

Here are the bits of the config file that I think are relevant:

access-list compiled
access-list inside_outbound_nat0_acl permit ip any 172.16.31.0 255.255.255.0
access-list dmz_access_in permit icmp any any
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.31.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 partner 255.255.255.254       <---------- Entry for new VPN
...
...
...
access-list kps-remotevpn_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list kps-remotevpn_splitTunnelAcl permit ip 192.168.255.0 255.255.255.0 any
access-list dmz_outbound_nat0_acl permit ip 192.168.255.0 255.255.255.0 172.16.32.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.32.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 partner 255.255.255.254 <---------- Entry for new VPN
...
...
...
global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0       <---------- New NAT Pool
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 0 access-list dmz_inbound_nat0_acl outside
nat (dmz) 10 0.0.0.0 0.0.0.0 0 0


Thanks in advance

Dave


Les Moore:

davidjw (asker):
I'm a bit confused by the suggested doc, specifically:

!--- Static translation defined to translate Private_LAN1
!--- from 192.168.4.0/24 to 20.1.1.0/24
!--- Note that this translation will be used for both
!--- VPN and Internet traffic from Private_LAN1.
!--- So a routable global IP address range, or an extra NAT
!--- at the ISP router (in front of PIX), will be
!--- required if Private_LAN1 also needs internal access.

What does this mean in real terms? There is no configurable router in front of the PIX, so am I able to set up the VPN but still route other traffic as normal?

Regards
Dave
NATting a VPN connection is in general a bad idea.
If you did that it would have to support UDP encapsulation, and I doubt that it does, which is why you do not get all the information.
>all the subnets on my side (pix) are already being used on the partners side
Do you mean that 10.0.0.0/24 is being used somewhere else on the partner side?

>!--- So a routable global IP address range, or an extra NAT
>!--- at the ISP router (in front of PIX),

Use something like:
global (outside) 10 interface
nat (inside) 10 20.1.1.0 255.255.255.0

The crypto map should take care of routing only the appropriate traffic through the VPN tunnel, and the rest will go out through the normal NAT process, and out to the world.


ASKER CERTIFIED SOLUTION
Tim Holman

davidjw (asker):
This may seem like a stupid question but do I also need to remove the NONAT access lists?

Dave
NAT happens BEFORE encryption, so in your case, yes.
Removing the statement "nat (inside) 0 access-list nonat" will tell your PIX to NAT all traffic.

-Pascal
davidjw (asker):

I've not been able to try this yet as other work has taken priority, but I have done some more research and what I need is in the Cisco documentation:

Policy NAT
Translates source and destination address pairs to different global statements, even if the source address is the same. For example, traffic from IP address A to server A can be translated to global address A, while traffic from IP address A to server B can be translated to global address B.

and from http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601:

The syntax for using global translations for the hosts shown in Figure 2-12 follows:

access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
nat (inside) 1 access-list NET1
global (outside) 1 209.165.202.129 255.255.255.255
nat (inside) 2 access-list NET2
global (outside) 2 209.165.202.130 255.255.255.255

Regards
Dave
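Pulling together Pascal's point that NAT is evaluated before encryption (so a `nat 0` exemption wins and the pool is never consulted) and the policy NAT the Cisco documentation describes, here is an added illustration written for this thread; it is not Cisco code and not from any of the posters. It parses the access-list / nat / global lines used above, applies the PIX 6.x order of evaluation (exemption, then policy NAT, then regular NAT), and reports which source address a packet from 10.0.0.0/24 would leave with under the config as posted versus a policy-NAT version. The ACL name `to_partner`, the sample hosts and the Internet address 198.51.100.7 are constructed; the `partner` object is written out as the 172.45.190.64 / 255.255.255.254 range from the question.

```python
import ipaddress

# Added illustration for this thread, not Cisco code: a small model of how a
# PIX 6.x picks a translation for inside-originated traffic. Order of
# evaluation as documented for PIX 6.3: nat 0 access-list (exemption) first,
# then policy NAT (nat <id> access-list), then regular nat <id> <net> <mask>.
# Static translations are left out because the thread does not use them.


def _net(tokens, i):
    """Read one network ('any', 'host x', or 'addr mask') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Parse the access-list / nat / global lines used in this thread."""
    acls, nats, pools = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("<")[0].strip()  # drop '<---' annotations
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] == "access-list" and len(t) > 3 and t[2] == "permit":
            src, i = _net(t, 4)
            dst, _ = _net(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":
            iface, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                nats.append((iface, nat_id, "acl", t[4]))
            else:
                nats.append((iface, nat_id, "net", _net(t, 3)[0]))
        elif t[0] == "global":
            # A real PIX hands out addresses from the pool; the model only
            # reports the first address of the range (or 'interface' for PAT).
            pools[int(t[2])] = t[3] if t[3] == "interface" else t[3].split("-")[0]
    return acls, nats, pools


def translate(cfg, iface, src, dst):
    """Return (rule_kind, translated_source) for a packet entering iface."""
    acls, nats, pools = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def acl_hit(name):
        return any(src in s and dst in d for s, d in acls.get(name, []))

    # 1. NAT exemption: nat 0 access-list wins over everything else, which is
    #    why the PDM-generated nonat entry keeps the pool from ever being used.
    for ifc, nat_id, kind, arg in nats:
        if ifc == iface and nat_id == 0 and kind == "acl" and acl_hit(arg):
            return "exempt", str(src)
    # 2. Policy NAT: nat <id> access-list paired with global <id>.
    for ifc, nat_id, kind, arg in nats:
        if ifc == iface and nat_id != 0 and kind == "acl" and acl_hit(arg):
            return "policy", pools[nat_id]
    # 3. Regular NAT: nat <id> <net> <mask>.
    for ifc, nat_id, kind, arg in nats:
        if ifc == iface and kind == "net" and src in arg:
            return "dynamic", pools[nat_id]
    return "no-translation", None


# Constructed from the question's config, with the 'partner' object written
# out as the 172.45.190.64 / 255.255.255.254 range the asker gave.
AS_POSTED = """
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.31.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254 <-- new VPN
global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
"""

# Policy NAT in the shape of the PIX 6.3 documentation the asker quotes: the
# partner exemption is removed and an ACL-driven nat 15 steers partner-bound
# traffic into the 10.185.209.0/24 pool. The ACL name 'to_partner' is ours.
WITH_POLICY_NAT = """
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.31.0 255.255.255.0
access-list to_partner permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254
global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 15 access-list to_partner
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
"""


if __name__ == "__main__":
    # Sample hosts are constructed; 198.51.100.7 stands in for "the Internet".
    for label, text in (("as posted", AS_POSTED), ("policy NAT", WITH_POLICY_NAT)):
        cfg = parse_config(text)
        for dst in ("172.45.190.65", "192.168.255.10", "198.51.100.7"):
            print(f"{label:10} 10.0.0.25 -> {dst:15}", translate(cfg, "inside", "10.0.0.25", dst))
```

With the config as posted, a packet to the partner range is exempted and leaves with its real 10.0.0.x source, so the 10.185.209.0/24 pool is never touched; with the policy-NAT version the same packet is translated into the pool, the other VPN to 192.168.255.0/24 stays exempt, and Internet-bound traffic still falls through to the interface PAT. Because the crypto map sees post-NAT addresses, the `outside_cryptomap_20` entry then has to match 10.185.209.0/24 as the source rather than 10.0.0.0/24.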