Solved

Cisco Pix natting VPN

Posted on 2004-03-24
4,583 Views
Last Modified: 2013-11-16
I am really struggling to get my head around this so any help is really appreciated.
I am trying to set up a VPN between a Cisco PIX and a Cisco Concentrator. The problem is that all the subnets on my side (PIX) are already being used on the partner's side (concentrator). To get around this we thought of natting the connection, so we decided on a subnet and I added it to the NAT pool and started creating the VPN using the PDM wizard, but when it finishes, a translation exemption rule is created for the new VPN.

What I can't figure out is how to make any traffic headed for the partners site use the NAT pool I setup.

Internal Subnet: 10.0.0.0/ 255.255.255.0
New NAT Pool: 10.185.209.0/ 255.255.255.0
Partner IPs: 172.45.190.64 / 255.255.255.254 (the internal IP addresses we are trying to reach)

Here's the bits of the config file that I think are relevant:

access-list compiled
access-list inside_outbound_nat0_acl permit ip any 172.16.31.0 255.255.255.0
access-list dmz_access_in permit icmp any any
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.31.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 partner 255.255.255.254       <---------- Entry for new VPN
...
...
...
access-list kps-remotevpn_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list kps-remotevpn_splitTunnelAcl permit ip 192.168.255.0 255.255.255.0 any
access-list dmz_outbound_nat0_acl permit ip 192.168.255.0 255.255.255.0 172.16.32.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.32.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 partner 255.255.255.254 <---------- Entry for new VPN
...
...
...
global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0       < --------------New NAT Pool
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 0 access-list dmz_inbound_nat0_acl outside
nat (dmz) 10 0.0.0.0 0.0.0.0 0 0


Thanks in advance

Dave


Question by:davidjw
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10667513
 

Author Comment

by:davidjw
ID: 10667795
I'm a bit confused by the suggested doc, specifically:

!--- Static translation defined to translate Private_LAN1
!--- from 192.168.4.0/24 to 20.1.1.0/24
!--- Note that this translation will be used for both
!--- VPN and Internet traffic from Private_LAN1.
!--- So a routable global IP address range, or an extra NAT
!--- at the ISP router (in front of PIX), will be
!--- required if Private_LAN1 also needs internal access.

What does this mean in real terms? There is no configurable router in front of the PIX, so am I able to set up the VPN but still route other traffic as normal?

Regards
Dave
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10668208
Natting a VPN connection is in general a bad idea.
If you do that it should support UDP encapsulation, and I doubt it does; that is why you do not get all the information.
 
LVL 79

Expert Comment

by:lrmoore
ID: 10668397
>all the subnets on my side (pix) are already being used on the partners side
Do you mean that 10.0.0.0/24 is being used somewhere else on the partner side?

>!--- So a routable global IP address range, or an extra NAT
>!--- at the ISP router (in front of PIX),

use something like a
global (outside) 10 interface
nat (inside) 10 20.1.1.0 255.255.255.0
 
The crypto map should take care of routing only the appropriate traffic through the VPN tunnel, and the rest will go out through the normal NAT process and out to the world.


 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 10668647
Agreed. I'm setting something up at the moment which is like this but the other way round (the VPN Concentrator needs the NAT).
You need to set up the VPN access lists on the PIX to encrypt the NATted address, not the original address, so something like this:

access-list kps-remotevpn_splitTunnelAcl permit ip 10.185.209.0 255.255.255.0 any

in addition to:

global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0  
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

...should do the trick!


 

Author Comment

by:davidjw
ID: 10686203
This may seem like a stupid question but do I also need to remove the NONAT access lists?

Dave
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10695381
NAT happens BEFORE encryption, so in your case, yes.
 
LVL 6

Expert Comment

by:Pascal666
ID: 10696993
Removing the statement "nat (inside) 0 access-list nonat" will tell your PIX to NAT all traffic.

-Pascal
 

Author Comment

by:davidjw
ID: 10730527
I've not been able to try this yet, as other work has taken priority, but I have done some more research and what I need is in the Cisco documentation:

Policy NAT
Translates source and destination address pairs to different global statements, even if the source address is the same. For example, traffic from IP address A to server A can be translated to global address A, while traffic from IP address A to server B can be translated to global address B.

and from http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601:

The syntax for using global translations for the hosts shown in Figure 2-12 follows:

access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
nat (inside) 1 access-list NET1
global (outside) 1 209.165.202.129 255.255.255.255
nat (inside) 2 access-list NET2
global (outside) 2 209.165.202.130 255.255.255.255

Regards
Dave
 
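The policy-NAT approach from the last comment, together with the point from the accepted solution that NAT happens before encryption (so the crypto ACL must name the translated subnet), worked through as an added example. This is not code from the thread or from Cisco: it is a small Python model of how a PIX 6.3 chooses a NAT action for an inside-to-outside flow, fed with a constructed version of the question's configuration. Assumptions made here: the precedence used (nat 0 access-list exemption, then policy NAT via nat <id> access-list, then plain nat <id> <net> <mask>), the omission of static translations, the ACL name partner_nat, and the replacement of the "partner" name object with the partner address given in the question (172.45.190.64 255.255.255.254). Running it shows that with the original config the partner flow is exempted from NAT and enters the tunnel with its 10.0.0.x source, and with the policy-NAT config it is translated into the 10.185.209.0/24 pool while exempted and Internet-bound flows behave as before.

```python
"""Added example (not from the thread): a toy model of how a PIX picks a NAT
action for an inside-to-outside flow.  Assumed precedence: nat 0 access-list
(exemption), then policy NAT, then plain nat; statics are not modelled."""
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def _two_nets(tokens):
    """Consume two address specs, each either 'any' or '<addr> <mask>'."""
    nets, i = [], 0
    while len(nets) < 2:
        if tokens[i] == "any":
            nets.append(ANY); i += 1
        else:
            nets.append(_net(tokens[i], tokens[i + 1])); i += 2
    return nets[0], nets[1]

class PixNatModel:
    def __init__(self, config):
        self.acls = {}     # name -> [(src_net, dst_net), ...]
        self.nat = []      # (nat_id, acl_name or None, local_net or None), config order
        self.globals = {}  # nat_id -> pool IPv4Network, or "interface" for PAT
        for raw in config.splitlines():
            parts = raw.split("<--")[0].split()  # tolerate the thread's arrow notes
            if not parts:
                continue
            if parts[0] == "access-list" and parts[2:4] == ["permit", "ip"]:
                self.acls.setdefault(parts[1], []).append(_two_nets(parts[4:]))
            elif parts[0] == "nat" and parts[3] == "access-list":
                self.nat.append((int(parts[2]), parts[4], None))
            elif parts[0] == "nat":
                self.nat.append((int(parts[2]), None, _net(parts[3], parts[4])))
            elif parts[0] == "global" and parts[3] == "interface":
                self.globals[int(parts[2])] = "interface"
            elif parts[0] == "global":  # "first-last netmask m" -> network of first/m
                self.globals[int(parts[2])] = _net(parts[3].split("-")[0], parts[5])

    def _match(self, acl, src, dst):
        return any(src in s and dst in d for s, d in self.acls.get(acl, []))

    def decide(self, src_ip, dst_ip):
        """Return (action, nat_id, global) for the flow src_ip -> dst_ip."""
        src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        for nat_id, acl, _ in self.nat:        # 1. exemption: matched flows are never NATted
            if nat_id == 0 and acl and self._match(acl, src, dst):
                return ("exempt", 0, None)
        for nat_id, acl, _ in self.nat:        # 2. policy NAT: keyed on source AND destination
            if nat_id != 0 and acl and self._match(acl, src, dst):
                return ("policy-nat", nat_id, self.globals.get(nat_id))
        for nat_id, acl, local in self.nat:    # 3. plain dynamic NAT: keyed on source only
            if nat_id != 0 and acl is None and src in local:
                return ("nat", nat_id, self.globals.get(nat_id))
        return ("no-rule", None, None)

    def translated_source(self, src_ip, dst_ip):
        """Representative post-NAT source: the host itself if exempt, the pool's
        first address for a pool, None for interface PAT (address unknown here)."""
        action, _, pool = self.decide(src_ip, dst_ip)
        if action == "exempt":
            return ipaddress.IPv4Address(src_ip)
        return pool.network_address if isinstance(pool, ipaddress.IPv4Network) else None

    def enters_tunnel(self, src_ip, dst_ip, crypto_acl):
        """NAT runs before encryption, so the crypto ACL is checked against the
        translated source, not the inside host."""
        xlated = self.translated_source(src_ip, dst_ip)
        return xlated is not None and self._match(crypto_acl, xlated, ipaddress.IPv4Address(dst_ip))

# Constructed from the question's config; the "partner" name object is replaced by
# the partner address given in the question (172.45.190.64 255.255.255.254).
ORIGINAL = """
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.31.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254
global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
"""

# Policy-NAT version: the partner line leaves the exemption ACL, a dedicated ACL
# (partner_nat is a hypothetical name) ties that destination to pool 15, and the
# crypto ACL now names the translated 10.185.209.0/24 as its source.
POLICY_NAT = """
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.31.0 255.255.255.0
access-list partner_nat permit ip 10.0.0.0 255.255.255.0 172.45.190.64 255.255.255.254
access-list outside_cryptomap_20 permit ip 10.185.209.0 255.255.255.0 172.45.190.64 255.255.255.254
global (outside) 15 10.185.209.0-10.185.209.254 netmask 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 15 access-list partner_nat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
"""
```

Try it with `PixNatModel(POLICY_NAT).decide("10.0.0.5", "172.45.190.64")`, which returns the policy-NAT action with pool 15, against `PixNatModel(ORIGINAL).decide(...)` for the same flow, which returns the exemption: the nonat entry is consulted first, so as long as it matches the partner destination the policy-NAT rule and its global pool are never reached. A flow to 198.51.100.10 (a constructed Internet address) falls through to nat 10 and interface PAT in both configs, and `enters_tunnel` reports it as cleartext because it matches no crypto ACL.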
