Solved

PIX 506e Policy NAT - VPN - Routing Problem?

Posted on 2006-07-06
532 Views
Last Modified: 2013-11-16
Need to know if the following is possible:

We have a PIX 506e and need a VPN Tunnel to a remote site that has a Checkpoint FW. We are accessing the remote site who in turn routes us through a tunnel to another site's custom software.

PIX 506e  -->  | Checkpoint  -->  Some FW |  -->  Remote Software
                       Remote Site
10.5.1.x  -->          10.x.x.x                    159...
  policy NAT             Peer
  --> 192.168.250.x      159...

We did a Policy NAT on our PIX from a 10.5.1.x to 192.168.250.x. This is not a problem as we have encountered other situations where we have had to do Policy NATs for other clients where the internal networks were on the same subnet. Here's the problem: the peer network is a 159.135.12.x and the PIX won't allow us to enter an external IP address as the peer network or as part of the policy NAT. When we try to enter the IP it says the IP is incorrect.

Is there a work around to use the external address space as the peer network? Note the remote site uses custom software with a dedicated connection with the 159.135.12.x.
Question by:aptnetworks
4 Comments
 
LVL 15

Accepted Solution

by:
Frabble earned 250 total points
ID: 17054896
Is it complaining because the remote network is configured as 159.135.12.0/24 and you have a peer address of 159.135.12.X? This will make sense because the external peer address cannot overlap with an internal network.

So, does the Checkpoint firewall destination NAT incoming to the 159.135.12.X to an internal address on another range?
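As an added illustration of the overlap Frabble suspects (this is not code from the thread or from Cisco): a small Python check that parses the `name`, `access-list`, and `crypto map` lines of a PIX-style config and flags any crypto map entry whose peer address falls inside a remote network of its own crypto ACL. The sample config is constructed with documentation addresses rather than the poster's sanitized values.

```python
"""Flag a PIX crypto map whose peer address sits inside a remote network
of the same entry's crypto ACL (the overlap a PIX rejects as invalid)."""
import ipaddress

# Constructed sample config (documentation ranges, not the original poster's).
SAMPLE_CONFIG = """\
name 192.0.2.0 remote
access-list outside_cryptomap_60 permit ip 10.5.1.0 255.255.255.0 remote 255.255.255.0
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 set peer 192.0.2.5
crypto map outside_map 60 match address outside_cryptomap_60
"""
# Same config with a peer that is outside the remote network.
CLEAN_CONFIG = SAMPLE_CONFIG.replace("192.0.2.5", "198.51.100.1")


def parse_config(text):
    """Return (names, acls, maps): name aliases, ACL dst networks, crypto map entries."""
    names, acls, maps = {}, {}, {}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name" and len(p) >= 3:           # name <ip> <alias>
            names[p[2]] = p[1]
        elif p[0] == "access-list" and len(p) >= 8 and p[2] == "permit":
            # access-list NAME permit PROTO SRC SMASK DST DMASK (PIX uses netmasks)
            acls.setdefault(p[1], []).append((p[6], p[7]))
        elif p[:2] == ["crypto", "map"] and len(p) >= 7:
            entry = maps.setdefault((p[2], p[3]), {})
            if p[4:6] == ["set", "peer"]:
                entry["peer"] = p[6]
            elif p[4:6] == ["match", "address"]:
                entry["acl"] = p[6]
    return names, acls, maps


def find_peer_overlaps(text):
    """List (map entry, peer, network) tuples where the peer lies in a remote net."""
    names, acls, maps = parse_config(text)
    conflicts = []
    for (map_name, seq), entry in maps.items():
        if "peer" not in entry or "acl" not in entry:
            continue
        peer = ipaddress.ip_address(names.get(entry["peer"], entry["peer"]))
        for dst, mask in acls.get(entry["acl"], []):
            net = ipaddress.ip_network(f"{names.get(dst, dst)}/{mask}", strict=False)
            if peer in net:
                conflicts.append((f"{map_name} {seq}", str(peer), str(net)))
    return conflicts
```

Running `find_peer_overlaps` on a sanitized config before loading it tells you whether the peer has been placed inside the network the tunnel is supposed to reach.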
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 250 total points
ID: 17056277
Can you post the sanitized config and also capture the error it gives?

Cheers,
Rajesh
 
LVL 1

Author Comment

by:aptnetworks
ID: 17059968
no name 159.140.x.x remote
access-list outside_cryptomap_60 permit ip 192.168.234.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound permit ip 10.5.1.0 255.255.255.0 remote 255.255.255.0
static (inside,outside) remote remote netmask 255.255.255.0 0 0
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 set peer 199.x.x.x
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs group2

crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp key xxxxxx address 199.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash SHA
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400

access-list access-listname permit ip 10.5.1.0 255.255.255.0 remote 255.255.224.0
static (inside,outside) 192.168.234.0 access-list access-listname 0 0

