Solved

PIX 506e Policy NAT - VPN - Routing Problem?

Posted on 2006-07-06
Last Modified: 2013-11-16
Need to know if the following is possible:

We have a PIX 506e and need a VPN tunnel to a remote site that has a Checkpoint FW. We are accessing the remote site, which in turn routes us through a tunnel to another site's custom software.

PIX 506e -->  | Checkpoint --> Some FW | --> Remote Software
                            Remote Site
10.5.1.x -->              10.x.x.x                          159...
   policy NAT                Peer
   -->192.168.250.x    159...

We did a Policy NAT on our PIX from a 10.5.1.x to 192.168.250.x. This is not a problem, as we have encountered other situations where we have had to do Policy NATs for other clients where the internal networks were on the same subnet. Here's the problem: the peer network is a 159.135.12.x and the PIX won't allow us to enter an external IP address as the peer network or as part of the policy NAT. When we try to enter the IP it says the IP is incorrect.

Is there a work around to use the external address space as the peer network? Note the remote site uses custom software with a dedicated connection with the 159.135.12.x.
Question by: aptnetworks
4 Comments

Accepted Solution

by: Frabble (earned 250 total points)
ID: 17054896
Is it complaining because the remote network is configured as 159.135.12.0/24 and you have a peer address of 159.135.12.X? This will make sense because the external peer address cannot overlap with an internal network.

So, does the Checkpoint firewall destination NAT incoming to the 159.135.12.X to an internal address on another range?

Assisted Solution

by: rsivanandan (earned 250 total points)
ID: 17056277
Can you post the sanitized config and also capture the error it gives?

Cheers,
Rajesh

Author Comment

by: aptnetworks
ID: 17059968
no name 159.140.x.x remote
access-list outside_cryptomap_60 permit ip 192.168.234.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound permit ip 10.5.1.0 255.255.255.0 remote 255.255.255.0
static (inside,outside) remote remote netmask 255.255.255.0 0 0
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 set peer 199.x.x.x
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs group2

crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp key xxxxxx address 199.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash SHA
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400

access-list access-listname permit ip 10.5.1.0 255.255.255.0 remote 255.255.224.0
static (inside,outside) 192.168.234.0 access-list access-listname 0 0

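As an added illustration (not code from any poster in this thread), the Python below implements the overlap check Frabble describes, run over a constructed config in the shape of aptnetworks' posted one: it resolves PIX `name` aliases, parses the crypto-map and NAT access-lists, and reports any `set peer` address that falls inside one of those "interesting traffic" networks. The `159.135.12.5` peer and the `159.135.12.0` value behind the `remote` name are constructed placeholders for the thread's 159.135.12.x values.

```python
import ipaddress
import re

# Constructed sample in the shape of the author's posted config. The peer
# 159.135.12.5 and the address behind the 'remote' name are placeholders
# chosen so that the peer lands inside the crypto ACL's remote network.
SAMPLE_CONFIG = """\
name 159.135.12.0 remote
access-list outside_cryptomap_60 permit ip 192.168.234.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound permit ip 10.5.1.0 255.255.255.0 remote 255.255.255.0
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 set peer 159.135.12.5
crypto map outside_map 60 match address outside_cryptomap_60
"""

# PIX 6.x style lines: "access-list NAME permit ip SRC MASK DST MASK"
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)$")
PEER_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+set peer\s+(\S+)$")


def _net(addr, mask):
    # ipaddress accepts the dotted-netmask form the PIX uses (e.g. 10.5.1.0/255.255.255.0)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (names, acls, peers): name aliases, ACL -> list of networks, peer IPs."""
    names, acls, peers = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)            # 'remote' -> 159.135.12.0
        elif m := ACL_RE.match(line):
            acl, src, smask, dst, dmask = m.groups()
            src, dst = names.get(src, src), names.get(dst, dst)
            acls.setdefault(acl, []).extend([_net(src, smask), _net(dst, dmask)])
        elif m := PEER_RE.match(line):
            peers.append(ipaddress.ip_address(m.group(1)))
    return names, acls, peers


def find_peer_overlaps(text):
    """List (peer, acl_name, network) for every peer that sits inside a network
    an ACL protects; a non-empty list is the overlap Frabble suspects."""
    _, acls, peers = parse_config(text)
    hits = []
    for peer in peers:
        for acl, nets in acls.items():
            hits.extend((str(peer), acl, str(n)) for n in nets if peer in n)
    return hits
```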