Solved

Cisco Pix natting VPN

Posted on 2004-03-24
Last Modified: 2013-11-16
I am really struggling to get my head around this so any help is really appreciated.
I am trying to set up a VPN between a Cisco PIX and a Cisco Concentrator. The problem is that all the subnets on my side (PIX) are already being used on the partner's side (Concentrator). To get around this we thought of NATting the connection. So we decided on a subnet and I added it to the NAT pool, then started creating the VPN using the PDM wizard, but when it finishes a translation exemption rule is created for the new VPN.

What I can't figure out is how to make any traffic headed for the partner's site use the NAT pool I set up.

Internal Subnet: 10.0.0.0 / 255.255.255.0
New NAT Pool: 10.185.209.0 / 255.255.255.0
Partner IPs: 172.45.190.64 / 255.255.255.254 (the internal IP addresses we are trying to reach)

Here's the bits of the config file that I think are relevant:

access-list compiled
access-list inside_outbound_nat0_acl permit ip any 172.16.31.0 255.255.255.0
access-list dmz_access_in permit icmp any any
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.31.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 partner 255.255.255.254       <---------- Entry for new VPN
...
...
...
access-list kps-remotevpn_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list kps-remotevpn_splitTunnelAcl permit ip 192.168.255.0 255.255.255.0 any
access-list dmz_outbound_nat0_acl permit ip 192.168.255.0 255.255.255.0 172.16.32.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.32.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 partner 255.255.255.254 <---------- Entry for new VPN
...
...
...
global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0       < --------------New NAT Pool
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 0 access-list dmz_inbound_nat0_acl outside
nat (dmz) 10 0.0.0.0 0.0.0.0 0 0


Thanks in advance

Dave


Question by:davidjw
 
LVL 79

Expert Comment

by:lrmoore
ID: 10667513
0
 

Author Comment

by:davidjw
ID: 10667795
I'm a bit confused by the suggested doc, specifically:

!--- Static translation defined to translate Private_LAN1
!--- from 192.168.4.0/24 to 20.1.1.0/24
!--- Note that this translation will be used for both
!--- VPN and Internet traffic from Private_LAN1.
!--- So a routable global IP address range, or an extra NAT
!--- at the ISP router (in front of PIX), will be
!--- required if Private_LAN1 also needs internal access.

What does this mean in real terms? There is no configurable router in front of the PIX so am I able to setup the VPN but still route other traffic as normal?

Regards
Dave
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10668208
Natting a VPN connection is in general a bad idea.
If you do that, it has to support UDP encapsulation, and I doubt it does; that is why you do not get all the information.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10668397
>all the subnets on my side (pix) are already being used on the partners side
Do you mean that 10.0.0.0/24 is being used somewhere else on the partner side?

>!--- So a routable global IP address range, or an extra NAT
>!--- at the ISP router (in front of PIX),

use something like a
global (outside) 10 interface
nat (inside) 10 20.1.1.0 255.255.255.0
 
The crypto map should take care of routing only the appropriate traffic through the VPN tunnel, and the rest will go out through the normal NAT process, and out to the world.


0
 
LVL 23

Accepted Solution

by:Tim Holman earned 500 total points
ID: 10668647
Agreed.  I'm setting something up at the moment, which is like this but the other way round (the VPN Concentrator needs the NAT).
You need to set up the VPN access lists on the PIX to encrypt the NATted address, not the original address, so something like this:

access-list kps-remotevpn_splitTunnelAcl permit ip 10.185.209.0 255.255.255.0 any

in addition to:

global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0  
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

...should do the trick!


0
 

Author Comment

by:davidjw
ID: 10686203
This may seem like a stupid question but do I also need to remove the NONAT access lists?

Dave
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10695381
NAT happens BEFORE encryption, so in your case, yes.
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10696993
Removing the statement "nat (inside) 0 access-list nonat" will tell your PIX to NAT all traffic.

-Pascal
0
 

Author Comment

by:davidjw
ID: 10730527
I've not been able to try this yet as other work has taken priority but I have done some more research and what I need is in the Cisco documentation:

Policy NAT
Translates source and destination address pairs to different global statements, even if the source address is the same. For example, traffic from IP address A to server A can be translated to global address A, while traffic from IP address A to server B can be translated to global address B.

and from http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601:

The syntax for using global translations for the hosts shown in Figure 2-12 follows:

access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
nat (inside) 1 access-list NET1
global (outside) 1 209.165.202.129 255.255.255.255
nat (inside) 2 access-list NET2
global (outside) 2 209.165.202.130 255.255.255.255

Regards
Dave
 
0
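Pulling the thread together, here is an added PIX 6.3 configuration sketch (not Dave's config and not a Cisco sample) of the policy NAT layout that the accepted answer and the quoted documentation describe: the nat 0 exemption for the partner is dropped, a policy NAT access list sends only partner-bound traffic through global pool 15, and the LAN-to-LAN crypto ACL (outside_cryptomap_20 in Dave's config) matches the translated 10.185.209.0/24 source. The access-list name vpn_policy_nat is assumed, the partner network is written as a literal instead of the "partner" name, and the pool starts at .1 so the network address is never handed out; the static policy NAT syntax in step 4 is given from memory of the 6.3 command reference.

```cisco
! --- Before (what the PDM wizard produced): exemption + crypto ACL on the real address.
! --- Partner-bound traffic leaves untranslated as 10.0.0.x, which overlaps the partner's space.
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254
nat (inside) 0 access-list nonat

! --- After: policy NAT for partner-bound traffic only.
! 1. Remove only the partner line from the exemption list. The other nonat entries
!    (192.168.255.0/24 and 172.16.31.0/24) keep their existing, untranslated VPN behaviour.
no access-list nonat permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254

! 2. Policy NAT: the ACL matches on source AND destination, so only inside-LAN traffic
!    to the partner /31 uses pool 15. Internet traffic still falls through to
!    nat (inside) 10 / global (outside) 10 interface (PAT) exactly as before.
access-list vpn_policy_nat permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254
nat (inside) 15 access-list vpn_policy_nat
! Pool starts at .1 so the network address 10.185.209.0 is not allocated to a host.
global (outside) 15 10.185.209.1-10.185.209.254 netmask 255.255.255.0

! 3. NAT runs before the crypto map is consulted, so the crypto ACL must match the
!    translated source. Swap the wizard's 10.0.0.0/24 line for the pool network.
!    The concentrator's network list must mirror this: remote network 10.185.209.0/24.
no access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254
access-list outside_cryptomap_20 permit ip 10.185.209.0 255.255.255.0 172.45.190.64 255.255.255.254

! 4. A dynamic pool only creates an xlate after an inside host talks first, so the
!    partner cannot initiate connections to 10.185.209.x. If that is needed, replace
!    the nat/global pair above with a static policy translation on the same ACL:
!    static (inside,outside) 10.185.209.0 access-list vpn_policy_nat
```

Check the result with "show xlate" after sending traffic to the partner: the inside host should appear translated to a 10.185.209.x address, while "show xlate" for Internet-bound flows still shows the interface PAT address.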
