Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 545
  • Last Modified:

PIX 506e Policy NAT - VPN - Routing Problem?

Need to know if the following is possible:

We have a PIX 506e and need a VPN Tunnel to a remote site that has a Checkpoint FW. We are accessing the remote site who inturn routes us through a tunnel to another site's custom software.

                                         
PIX 506e -->  | Checkpoint --> Some FW | --> Remote Software
                            Remote Site                  
10.5.1.x -->              10.x.x.x                          159...
   policy NAT                Peer
   -->192.168.250.x    159...  

We did a Policy NAT on our PIX from a 10.5.1.x to 192.168.250.x. This is not a problem as we have encountered other situations where we have had to do Policy NATs for other clients where the internal networks were on the same subnet. Here's the problem, the peer network is a 159.135.12.x and the PIX won't allow us to enter an external IP address as the peer network  or as part of the policy NAT. When we try to enter the IP it says the IP is incorrect.

Is there a work around to use the external address space as the peer network? Note the remote site uses custom software with a dedicated connection with the 159.135.12.x.
0
aptnetworks
Asked:
aptnetworks
2 Solutions
 
FrabbleCommented:
Is it complaining because the remote network is configured as 159.135.12.0/24 and you have a peer address of 159.135.12.X? This will make sense because the external peer address cannot overlap with an internal network.

So, does the Checkpoint firewall destination NAT incoming to the 159.135.12.X to an internal address on another range?
0
 
rsivanandanCommented:
Can you post the sanitized config and also capture the error it gives ?

Cheers,
Rajesh
0
 
aptnetworksAuthor Commented:
no name 159.140.x.x remote
access-list outside_cryptomap_60 permit ip 192.168.234.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound permit ip 10.5.1.0 255.255.255.0 remote 255.255.255.0
static (inside,outside) remote remote netmask 255.255.255.0 0 0
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 set peer 199.x.x.x
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs group2

crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp key xxxxxx address 199.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash SHA
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400

access-list access-listname permit ip 10.5.1.0 255.255.255.0 remote 255.255.224.0
static (inside,outside) 192.168.234.0 access-list access-listname 0 0

0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now