huwa

nat...static ???? PIX 501 515e

First off, sorry for so few points, but I am out of them and have to wait till next pay day.

OK, I have the following problem.

I have a PIX 501 at home which is connected to another PIX 515e over a tunnel with a preshared key. All works fine and I can connect to the inside LAN of the 515e, no problem.
inside 501 to inside 515 works :-)
But I would like to be able to do the following:
inside 501 to 515 bnit
When I try to connect to "bnit" from inside of the 501 it won't happen. I see on the syslogs that it tries to go out on the "outside" interface of the 501. I imagine it should be routing through the inside interface of the 501, so either a static is missing, or a nonat.

This is part of my 501 conf:
name 192.168.10.0 lan-munich
name 192.168.1.0 lan-hugh
name 10.50.51.0 bnit

access-list nonat permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0

which is NATting my LAN to the inside of the 515. I have tried the following, with no luck; it still tries to go over the outside interface of the 501. I didn't post all the conf here as I am not sure if you need it all. I am pretty sure it is a NAT problem, but I am no expert, so please tell me if I am wrong. I would imagine I will need a static when the NAT problem is solved? At the moment I have no statics in my conf.
access-list nonat permit ip lan-hugh 255.255.255.0 bnit 255.255.255.0

On the 515e there are 5 interfaces
intf1 "outside"  82.135.xxx.xxx
intf2 "inside"   192.168.10.0
intf3 "a-lan"    192.168.9.0
intf4 "b-lan"    192.168.9.0
intf5 "bnit"    10.10.51.0

On the 501 there are 2 interfaces
intf1 "outside"  217.8.xxx.xxx
intf2 "inside"   192.168.1.0

Any help would be greatly appreciated.
Hugh
Cyclops3590

Can you post all of the access-lists associated with your nonat and crypto match address for this tunnel?
It looks to me like you are not including all of the combinations.
On the 501:
inside lan  to inside 515
                 to a-lan
                 to b-lan
                 to bnit

and vice versa on the 515.
huwa (ASKER)

PIX 501

access-list nonat permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0
access-list munich_vpn permit ip lan-hugh 255.255.255.0 lan-munich 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map BavarianNordicVPN 26 ipsec-isakmp
crypto map BavarianNordicVPN 26 match address munich_vpn
crypto map BavarianNordicVPN 26 set peer 82.135.xx.xxx
crypto map BavarianNordicVPN 26 set transform-set myset
crypto map BavarianNordicVPN interface outside
isakmp enable outside
isakmp key ******** address 82.135.xx.xxx netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 14400

huwa (ASKER)

As I said, it's the 501 that's trying to go outbound when I try to connect to the "bnit" LAN.

515
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec transform-set verystrong esp-3des esp-sha-hmac
crypto ipsec transform-set sota esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 40 set transform-set strong
crypto map BavarianNordicVPN 20 ipsec-isakmp
crypto map BavarianNordicVPN 20 match address vpnberlin
crypto map BavarianNordicVPN 20 set peer 141.80.xxx.xxx
crypto map BavarianNordicVPN 20 set transform-set verystrong
crypto map BavarianNordicVPN 20 set security-association lifetime seconds 120 kilobytes 4608000
crypto map BavarianNordicVPN 25 ipsec-isakmp
crypto map BavarianNordicVPN 25 match address vpnkvistgaard
crypto map BavarianNordicVPN 25 set peer 129.142.xxx.xxx
crypto map BavarianNordicVPN 25 set transform-set sota
crypto map BavarianNordicVPN 25 set security-association lifetime seconds 120 kilobytes 4608000
crypto map BavarianNordicVPN 26 ipsec-isakmp
crypto map BavarianNordicVPN 26 match address vpnhugh
crypto map BavarianNordicVPN 26 set peer 217.91.xxx.xxx --------my tunnel
crypto map BavarianNordicVPN 26 set transform-set strong
crypto map BavarianNordicVPN interface outside
isakmp enable outside
isakmp key ******** address 129.142.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 129.142.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 141.80.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 217.91.xx.xx netmask 255.255.255.255  -------my tunnel
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 14400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 14400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 7200
telnet timeout 15
access-list vpnhugh permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
access-list nonat permit ip lan-munich 255.255.255.0 lan-hugh 255.255.255.0
nat (inside) 0 access-list nonat

Okay, when you specify the match address on the VPN on the 501, this is considered the "interesting" traffic. So just add the lan-hugh to bnit entry to that ACL as well as to the nonat.
Right now, when you try to go to bnit, the source/destination combination doesn't trigger the crypto map and thus is routed out the outside interface to the next hop unencrypted.

Do a capture on the outside interface; you should see packets with a source of your outside interface (I believe) and a destination of the bnit LAN.

Understand?
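To make the ordering in the reply above concrete (NAT is applied first, then the crypto map's match-address ACL is checked against the translated packet), here is a small Python model of the 501's outbound decision. This is an added example, not configuration from this thread or Cisco code. The ACL contents mirror the question's config; the outside address 203.0.113.10 and the hosts 192.168.1.20 and 10.50.51.5 are constructed placeholders (the real 217.8.x.x address is masked on the page); bnit is taken as 10.50.51.0/24 from the question's name command, although the interface list gives 10.10.51.0.

```python
"""Toy model of the outbound decision on the PIX 501 described above:
NAT runs first (a nonat hit keeps the real source, otherwise
`nat (inside) 1` + `global (outside) 1 interface` PATs the flow to the
outside address), and only then is the crypto map's match-address ACL
checked, against the translated packet.  Added example, not config from
the thread; the outside IP is a constructed placeholder for the masked
217.8.x.x address."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class AclEntry:
    """One `access-list NAME permit ip SRC MASK DST MASK` line."""
    src: IPv4Net
    dst: IPv4Net

    def matches(self, src_ip: IPv4Addr, dst_ip: IPv4Addr) -> bool:
        return src_ip in self.src and dst_ip in self.dst


def acl(*pairs: Tuple[str, str]) -> List[AclEntry]:
    """Build an ACL from (source prefix, destination prefix) strings."""
    return [AclEntry(ipaddress.ip_network(s), ipaddress.ip_network(d))
            for s, d in pairs]


@dataclass
class Pix501:
    nonat: List[AclEntry]         # nat (inside) 0 access-list nonat
    crypto_match: List[AclEntry]  # crypto map ... match address munich_vpn
    outside_ip: IPv4Addr          # global (outside) 1 interface

    def evaluate(self, src: str, dst: str) -> Dict[str, object]:
        """Return how one inside -> outside flow is treated."""
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        # Step 1: NAT.  Exempted flows keep their real source; everything
        # else is PATed to the outside interface address.
        exempt = any(e.matches(src_ip, dst_ip) for e in self.nonat)
        egress_src = src_ip if exempt else self.outside_ip
        # Step 2: crypto map, evaluated on the post-NAT packet.  A PATed
        # flow can never match an ACL written for the inside prefix, which
        # is why the nonat entry is needed in addition to the crypto ACL.
        encrypted = any(e.matches(egress_src, dst_ip) for e in self.crypto_match)
        return {"nat_exempt": exempt,
                "egress_src": str(egress_src),
                "encrypted": encrypted}


# Prefixes from the `name` commands in the question.  The question also
# lists the 515e's bnit interface as 10.10.51.0; the name value is used.
LAN_HUGH = "192.168.1.0/24"
LAN_MUNICH = "192.168.10.0/24"
BNIT = "10.50.51.0/24"
OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")  # constructed placeholder


def original_config() -> Pix501:
    """nonat and munich_vpn both cover only lan-hugh -> lan-munich."""
    return Pix501(acl((LAN_HUGH, LAN_MUNICH)),
                  acl((LAN_HUGH, LAN_MUNICH)), OUTSIDE_IP)


def nonat_only_fix() -> Pix501:
    """bnit added to nonat but not to munich_vpn: real source, still in clear."""
    return Pix501(acl((LAN_HUGH, LAN_MUNICH), (LAN_HUGH, BNIT)),
                  acl((LAN_HUGH, LAN_MUNICH)), OUTSIDE_IP)


def crypto_only_fix() -> Pix501:
    """bnit added to munich_vpn but not to nonat: PATed, so never matches."""
    return Pix501(acl((LAN_HUGH, LAN_MUNICH)),
                  acl((LAN_HUGH, LAN_MUNICH), (LAN_HUGH, BNIT)), OUTSIDE_IP)


def full_fix() -> Pix501:
    """Both ACLs carry the lan-hugh -> bnit entry, as the reply advises."""
    both = acl((LAN_HUGH, LAN_MUNICH), (LAN_HUGH, BNIT))
    return Pix501(both, list(both), OUTSIDE_IP)


if __name__ == "__main__":
    flow = ("192.168.1.20", "10.50.51.5")  # constructed inside host -> bnit host
    for label, pix in [("original", original_config()),
                       ("nonat only", nonat_only_fix()),
                       ("crypto only", crypto_only_fix()),
                       ("both", full_fix())]:
        print(f"{label:12s} {pix.evaluate(*flow)}")
```

Running it shows the two half-fixes failing for different reasons: with only the nonat entry the flow keeps its private source but matches no crypto ACL and leaves the outside interface in the clear (the syslog behaviour the asker reported); with only the crypto ACL entry the flow is PATed to the outside address first, so the ACL written for 192.168.1.0/24 never matches. Only the config with both entries is exempted and encrypted, which is what a capture on the outside interface would confirm.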
ASKER CERTIFIED SOLUTION
Les Moore
huwa (ASKER)

Thanks, will try this when I get home tonight. I was adding the ACL statement but not adding the nonat statement, as I thought nonat to lan_munich did this, but obviously this was just for lan_munich. Learning by doing can be frustrating; thank god for sites like this.

Thanks again
Hugh