Solved

PIX 506e Policy NAT - VPN - Routing Problem?

Posted on 2006-07-06
Last Modified: 2013-11-16
Need to know if the following is possible:

We have a PIX 506e and need a VPN tunnel to a remote site that has a Checkpoint FW. We are accessing the remote site, which in turn routes us through a tunnel to another site's custom software.

PIX 506e  -->  | Checkpoint  -->  Some FW |  -->  Remote Software
                        Remote Site
10.5.1.x  -->           10.x.x.x                   159...
  policy NAT            Peer
  --> 192.168.250.x     159...

We did a policy NAT on our PIX from 10.5.1.x to 192.168.250.x. This is not a problem, as we have encountered other situations where we have had to do policy NATs for other clients whose internal networks were on the same subnet. Here's the problem: the peer network is 159.135.12.x, and the PIX won't allow us to enter an external IP address as the peer network or as part of the policy NAT. When we try to enter the IP it says the IP is incorrect.

Is there a workaround to use the external address space as the peer network? Note the remote site uses custom software with a dedicated connection to the 159.135.12.x network.
Question by:aptnetworks
LVL 15

Accepted Solution

by:
Frabble earned 250 total points
ID: 17054896
Is it complaining because the remote network is configured as 159.135.12.0/24 and you have a peer address of 159.135.12.X? This will make sense because the external peer address cannot overlap with an internal network.

So, does the Checkpoint firewall destination NAT incoming to the 159.135.12.X to an internal address on another range?
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 250 total points
ID: 17056277
Can you post the sanitized config and also capture the error it gives ?

Cheers,
Rajesh
LVL 1

Author Comment

by:aptnetworks
ID: 17059968
no name 159.140.x.x remote
access-list outside_cryptomap_60 permit ip 192.168.234.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound permit ip 10.5.1.0 255.255.255.0 remote 255.255.255.0
static (inside,outside) remote remote netmask 255.255.255.0 0 0
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 set peer 199.x.x.x
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs group2

crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp key xxxxxx address 199.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash SHA
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400

access-list access-listname permit ip 10.5.1.0 255.255.255.0 remote 255.255.224.0
static (inside,outside) 192.168.234.0 access-list access-listname 0 0

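The following checker is an added example, not part of the thread or of any Cisco tooling. It parses PIX 6.x-style lines like the ones posted above with Python's ipaddress module and flags two things: the condition Frabble describes (an IKE peer address that sits inside a network the crypto map's ACL lists as the remote network), and a nat 0 exemption ACE that covers the same source and destination as the policy-NAT ACL, which matters because on PIX 6.x NAT exemption is evaluated before static policy NAT. The addresses in the constructed sample (159.140.0.0/24 standing in for the masked "remote" name, peer 159.140.0.10) and the nat (inside) 0 access-list line, which the posted snippet does not include, are assumptions for illustration.

```python
"""Checker for PIX 6.x-style VPN/NAT config lines (added example, not from the thread)."""
import ipaddress
import re

# Constructed input in the style of the posted config. The thread masks the real
# addresses (159.140.x.x, 199.x.x.x); the values here, and the nat 0 line that
# the posted snippet omits, are assumptions for illustration.
SAMPLE_CONFIG = """\
name 159.140.0.0 remote
access-list outside_cryptomap_60 permit ip 192.168.234.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound permit ip 10.5.1.0 255.255.255.0 remote 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) remote remote netmask 255.255.255.0 0 0
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 set peer 159.140.0.10
crypto map outside_map 60 match address outside_cryptomap_60
access-list policy_nat permit ip 10.5.1.0 255.255.255.0 remote 255.255.224.0
static (inside,outside) 192.168.234.0 access-list policy_nat 0 0
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
POLICY_STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) access-list (\S+)")


def parse(config):
    """Return (acls, nat0_acls, peers, matches, policy_statics) with 'name' aliases resolved."""
    names, acls, nat0_acls, peers, matches, policy_statics = {}, {}, [], {}, {}, []

    def resolve(token):
        return names.get(token, token)

    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)            # name <ip> <alias>
        elif m := ACE_RE.match(line):
            acl, src, smask, dst, dmask = m.groups()
            acls.setdefault(acl, []).append((
                ipaddress.ip_network(f"{resolve(src)}/{smask}", strict=False),
                ipaddress.ip_network(f"{resolve(dst)}/{dmask}", strict=False)))
        elif m := NAT0_RE.match(line):
            nat0_acls.append(m.group(1))              # NAT exemption ACL
        elif m := PEER_RE.match(line):
            peers[(m.group(1), int(m.group(2)))] = ipaddress.ip_address(resolve(m.group(3)))
        elif m := MATCH_RE.match(line):
            matches[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := POLICY_STATIC_RE.match(line):
            policy_statics.append(m.group(2))         # ACL driving a policy static
    return acls, nat0_acls, peers, matches, policy_statics


def check(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    acls, nat0_acls, peers, matches, policy_statics = parse(config)
    findings = []
    # 1. The IKE peer must not sit inside a network that the crypto ACL treats as
    #    the remote encryption domain; that overlap is the explanation offered in
    #    the accepted answer for the "IP is incorrect" error.
    for key, peer in peers.items():
        for _src, dst in acls.get(matches.get(key, ""), []):
            if peer in dst:
                findings.append(f"peer {peer} is inside remote network {dst} "
                                f"(crypto map {key[0]} {key[1]})")
    # 2. NAT exemption (nat 0 access-list) is evaluated before static policy NAT
    #    on PIX 6.x, so a nat 0 ACE covering the same source/destination shadows
    #    the policy NAT: the traffic leaves untranslated and never matches a
    #    crypto ACL written for the translated source.
    for acl0 in nat0_acls:
        for src0, dst0 in acls.get(acl0, []):
            for acl_p in policy_statics:
                for src_p, dst_p in acls.get(acl_p, []):
                    if src0.overlaps(src_p) and dst0.overlaps(dst_p):
                        findings.append(f"nat 0 ACL {acl0} ({src0} -> {dst0}) shadows "
                                        f"policy NAT ACL {acl_p} ({src_p} -> {dst_p})")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed sample it reports both conditions; moving the peer out of the 159.140.0.0/24 range (or, as the accepted answer asks, confirming that the Checkpoint side NATs 159.135.12.x to a different internal range) and dropping the overlapping nat 0 exemption clears them. The script only understands the `permit ip` ACE form and the policy-static syntax shown in the thread; other PIX commands are ignored.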