PIX 506e Policy NAT - VPN - Routing Problem?

Posted on 2006-07-06
Last Modified: 2013-11-16
Need to know if the following is possible:

We have a PIX 506e and need a VPN tunnel to a remote site that has a Checkpoint FW. We are accessing the remote site, who in turn routes us through a tunnel to another site's custom software.

                                         
PIX 506e -->  | Checkpoint --> Some FW | --> Remote Software
                            Remote Site                  
10.5.1.x -->              10.x.x.x                          159...
   policy NAT                Peer
   -->192.168.250.x    159...  

We did a Policy NAT on our PIX from a 10.5.1.x to 192.168.250.x. This is not a problem, as we have encountered other situations where we have had to do Policy NATs for other clients where the internal networks were on the same subnet. Here's the problem: the peer network is a 159.135.12.x, and the PIX won't allow us to enter an external IP address as the peer network or as part of the policy NAT. When we try to enter the IP, it says the IP is incorrect.

Is there a work around to use the external address space as the peer network? Note the remote site uses custom software with a dedicated connection with the 159.135.12.x.
Question by: aptnetworks
Accepted Solution by: Frabble
Is it complaining because the remote network is configured as 159.135.12.0/24 and you have a peer address of 159.135.12.X? This will make sense because the external peer address cannot overlap with an internal network.

So, does the Checkpoint firewall destination NAT incoming to the 159.135.12.X to an internal address on another range?
Assisted Solution by: rsivanandan
Can you post the sanitized config and also capture the error it gives?

Cheers,
Rajesh
Author Comment by: aptnetworks
no name 159.140.x.x remote
access-list outside_cryptomap_60 permit ip 192.168.234.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound permit ip 10.5.1.0 255.255.255.0 remote 255.255.255.0
static (inside,outside) remote remote netmask 255.255.255.0 0 0
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 set peer 199.x.x.x
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs group2

crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp key xxxxxx address 199.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash SHA
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400

access-list access-listname permit ip 10.5.1.0 255.255.255.0 remote 255.255.224.0
static (inside,outside) 192.168.234.0 access-list access-listname 0 0

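As an added example (not code from the original thread or from Cisco), here is a small Python checker that parses the kind of PIX 6.x fragment posted above and applies the test Frabble proposes in the accepted solution: whether the crypto map's peer address falls inside a network that the same entry's crypto ACL treats as the remote (protected) network. It also checks that each crypto ACL source is a global address that some static produces, which is what the policy static to 192.168.234.0 provides in the posted config. The config text in the block is constructed, modelled on the posted fragment but using RFC 5737 documentation addresses; the peer 203.0.113.7, the "remote" network 203.0.113.0/24 and the ACL name policy_nat are assumed values, not the poster's.

```python
"""Static checks over a PIX 6.x site-to-site VPN config fragment (added example)."""
import ipaddress

# Constructed sample modelled on the fragment in the question, using RFC 5737
# documentation addresses (assumed values).  The peer 203.0.113.7 sits inside
# the "remote" network 203.0.113.0/24 that the crypto ACL protects: the
# overlap the accepted answer suspects.
OVERLAPPING_CONFIG = """\
name 203.0.113.0 remote
access-list outside_cryptomap_60 permit ip 192.168.234.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound permit ip 10.5.1.0 255.255.255.0 remote 255.255.255.0
static (inside,outside) remote remote netmask 255.255.255.0 0 0
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 set peer 203.0.113.7
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map interface outside
access-list policy_nat permit ip 10.5.1.0 255.255.255.0 remote 255.255.255.0
static (inside,outside) 192.168.234.0 access-list policy_nat 0 0
"""

# Same fragment with the peer moved to an address outside the remote network.
CLEAN_CONFIG = OVERLAPPING_CONFIG.replace("set peer 203.0.113.7", "set peer 198.51.100.7")


def _net(addr, mask, names):
    """Resolve a `name` alias and build a network from a dotted netmask."""
    return ipaddress.IPv4Network(f"{names.get(addr, addr)}/{mask}", strict=False)


def _spec(tokens, i, names):
    """Parse one ACL address spec (any | host X | X MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return _net(tokens[i + 1], "255.255.255.255", names), i + 2
    return _net(tokens[i], tokens[i + 1], names), i + 2


def parse_config(text):
    """Collect names, permit-ip ACL entries, static global ranges and crypto map entries."""
    names, acls, statics, crypto, policy_statics = {}, {}, [], {}, []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2] == "permit" and t[3] == "ip":
            src, i = _spec(t, 4, names)
            dst, _ = _spec(t, i, names)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "static":
            if t[3] == "access-list":          # policy static: mask comes from the ACL source
                policy_statics.append((t[2], t[4]))
            else:                              # plain static: global local netmask MASK
                statics.append(_net(t[2], t[t.index("netmask") + 1], names))
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            entry = crypto.setdefault((t[2], int(t[3])), {})
            if t[4:6] == ["set", "peer"]:
                entry["peer"] = ipaddress.IPv4Address(t[6])
            elif t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
    for glob, acl in policy_statics:           # resolve after all ACLs are known
        for src, _ in acls.get(acl, []):
            statics.append(_net(glob, str(src.netmask), names))
    return {"acls": acls, "statics": statics, "crypto": crypto}


def peer_inside_remote_network(cfg):
    """The peer address must not fall inside a network the entry's crypto ACL protects."""
    findings = []
    for (name, seq), e in cfg["crypto"].items():
        if "peer" not in e or "acl" not in e:
            continue
        for _, dst in cfg["acls"].get(e["acl"], []):
            if e["peer"] in dst:
                findings.append(f"crypto map {name} {seq}: peer {e['peer']} is inside {dst} (ACL {e['acl']})")
    return findings


def crypto_sources_without_static(cfg):
    """In a policy-NAT-over-VPN setup the crypto ACL source should be the translated
    (global) range some static produces, not the raw inside range."""
    findings = []
    for (name, seq), e in cfg["crypto"].items():
        for src, _ in cfg["acls"].get(e.get("acl"), []):
            if not any(src.overlaps(g) for g in cfg["statics"]):
                findings.append(f"crypto map {name} {seq}: no static produces source {src}")
    return findings


def audit(text):
    """Run both checks and return the list of findings (empty when the fragment is consistent)."""
    cfg = parse_config(text)
    return peer_inside_remote_network(cfg) + crypto_sources_without_static(cfg)


if __name__ == "__main__":
    for label, text in (("overlapping", OVERLAPPING_CONFIG), ("clean", CLEAN_CONFIG)):
        print(label, audit(text) or ["no findings"])
```

The parser only understands the command forms that appear in the posted fragment (permit ip ACL lines, identity and policy statics, set peer and match address); anything else, including the isakmp and nat 0 lines, is ignored, so run it as a first screen before pasting the real config into the PIX, not as a substitute for the device's own error message.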