Solved

pix vpn inbound traffic

Posted on 2006-11-26
Last Modified: 2013-11-16
hi all,

The VPN tunnel comes up and we can access our partner's LAN server behind the firewall, but when they try, only the VPN tunnel comes up and he cannot access our side's server. Do I need to allow him through an ACL or something? He is just doing telnet.

access-list PARTNER_VPN permit ip 1.1.1.0 255.255.255.0 172.0.0.0 255.252.0.0
access-list PARTNER_VPN permit ip 172.0.0.0 255.252.0.0 1.1.1.0 255.255.255.0
access-list PARTNER_VPN permit ip 172.16.0.0 255.252.0.0 1.1.1.0 255.255.255.0
access-list PARTNER_VPN permit ip 1.1.1.0 255.255.255.0 172.16.0.0 255.252.0.0
access-list PARTNER_NAT permit ip host 172.20.4.205 host 172.13.18.25
access-list PARTNER_NAT permit ip host 172.20.4.205 host 172.7.16.5
global (outside) 20 1.1.1.1
nat (inside) 20 access-list PARTNER_NAT 0 0
Question by:lomaree
LVL 79

Expert Comment

by:lrmoore
ID: 18014112
When you're doing conditional NAT like you are, you have no problem accessing the other side because the conditional NAT is applied to traffic going out of your PIX, not coming in. There is no static NAT xlate to port-forward telnet to your internal host. You would have to try something like this:
 static (inside,outside) tcp 1.1.1.1 telnet 172.20.4.205 telnet netmask 255.255.255.255

This should allow the other end to telnet to 1.1.1.1 which gets forwarded to 172.20.4.205
You could also allow it in an explicit inbound ACL (lock it down to specific source IPs/networks):
  access-list outside_access_in permit tcp any host 1.1.1.1 eq telnet

LVL 1

Author Comment

by:lomaree
ID: 18014144
If I do the static I get this error:

WARNING: static overlaps with global (outside) 20 1.1.1.1
LVL 1

Author Comment

by:lomaree
ID: 18014166
No, see, 1.1.1.1 is the NATted IP. The internal host has a different IP and they are accessed from their internal LAN, therefore my static should be like, e.g.:

static (inside,outside) 10.10.10.2 173.20.20.20 netmask 255.255.255.255

10.10.10.2 = NATted
173.20.20.20 = their LAN.
LVL 1

Author Comment

by:lomaree
ID: 18014314
Alright, this is how it looks:

1. We have a VPN tunnel up and running.
2. We can access them on specific ports behind their firewall; also, our internal LAN IP gets translated to a different IP address.
3. When they try to access our server behind our firewall they can't, but I see traffic in the tunnel.

Posted above is the access-list of our VPN tunnel. Please help me out here.
LVL 79

Expert Comment

by:lrmoore
ID: 18014493
Given what you've posted, you can still use a port xlate static. I've tried it and it works.
Don't forget the "tcp" and "telnet" keywords:

 global (outside) 20 1.1.1.1
 static (inside,outside) tcp 1.1.1.1 telnet 172.20.4.205 telnet netmask 255.255.255.255
                                ^^             ^^

You access their side through a NATted IP address: 1.1.1.1.
All they see from your side is 1.1.1.1.
They cannot directly access your private IP host 172.20.4.205 because there is no static NAT xlate.
What I've posted above will allow their LAN (173.20.20.0?) to access your server via the NATted 1.1.1.1.

LVL 1

Author Comment

by:lomaree
ID: 18014647
Thanks lrmoore,

I will try this first thing tomorrow. In between, let me further explain to you what is actually supposed to happen.

diagram:

20.20.20.1       20.20.20.100     20.20.20.200 (inside)                                    200.200.200.20               10.10.10.1                
Our Host---------Router--------------Cisco PIX--------------Internet-----------------Checkpoint FW---------------Host
1.1.1.1(natted)                                   '  100.100.100.20(outside)                              '
                                                        '--------------------VPN Tunnel- -------------------'
                                                                                                               

At first we faced a lot of problems with the PIX and Checkpoint in establishing the VPN tunnel, but eventually it was done. Now, as shown in the diagram, we were only supposed to connect to their internal host on a specific port, but later it was put forward that not only will we connect to them, but their internal host will also connect to our internal host.

But we had already configured the PIX to NAT our internal host IP to 1.1.1.1 (the configuration was posted in the first post) to access their server, which was successful. But now, since they also have to access our internal host, we have to define in the PIX configuration that host 10.10.10.1 will access destination 1.1.1.1 through our PIX and it will (I don't know, translate 1:1 or NATted inside) provide access to 20.20.20.1.

So I hope what you are explaining will work out. I will update. If there are any confusions please do ask; I would really appreciate your help.
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 18014681
It should be as simple as creating the static xlate. I will assume that you have "sysopt connection permit-ipsec" included in your configuration. This command negates any requirement to allow traffic defined in your IPSEC crypto maps to be controlled by access-lists applied to the outside interface. You have the option to use the sysopt command or to create an access-list.
static (inside,outside) tcp 1.1.1.1 telnet 20.20.20.1 telnet netmask 255.255.255.255
access-list outside_access_in permit tcp host 10.10.10.1 host 1.1.1.1 eq telnet
LVL 1

Author Comment

by:lomaree
ID: 18014787
Hi lrmoore,

I have "sysopt connection permit-ipsec" in my configuration. So I believe, as I have understood it, that I only need to do the static and it will solve my problem, right? Also, one more point I would like help with: if I want to add more hosts later from the other side to access our side, I would just need to create statics for them, right?

Thanks in advance
LVL 79

Expert Comment

by:lrmoore
ID: 18014942
Yes, as long as you have the sysopt entry, you should not need access-list entries in the ACL applied to the interface.

You only need a static for each host on your side. Since you are NATting to a single IP address, you can only do individual port forwarding in the statics. You cannot forward the same port to more than one inside host. For example:
 
These are all OK:
static (inside,outside) tcp 1.1.1.1 telnet 20.20.20.1 telnet netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 www 20.20.20.21 www netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 https 20.20.20.13 https netmask 255.255.255.255

What you cannot do:
static (inside,outside) tcp 1.1.1.1 telnet 20.20.20.1 telnet netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 telnet 20.20.20.23 telnet netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 telnet 20.20.20.44 telnet netmask 255.255.255.255
LVL 1

Author Comment

by:lomaree
ID: 18015043
Alright! Great, I got it. But if in future I plan on NATting to more IP addresses by defining it like below, then I can do what I "cannot do" at the moment:

access-list partner_host1 permit ip host 1.1.1.1 host 20.20.20.1
access-list partner_host2 permit ip host 1.1.1.2 host 20.20.20.23
global (outside) 20 1.1.1.1
global (outside) 30 1.1.1.2
nat (inside) 20 access-list partner_host1
nat (inside) 30 access-list partner_host2

static (inside,outside) tcp 1.1.1.1 telnet 20.20.20.1 telnet netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 ssh 20.20.20.23 ssh netmask 255.255.255.255

Hope I am on the right track.

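As an added example (not code from this thread, from Cisco, or from either poster), a small Python checker that applies lrmoore's rule above ("you cannot forward the same port to more than one inside host") and the static/global overlap warning from earlier in the thread to lomaree's two-pool plan: it parses `static` and `global (outside)` lines, flags any outside IP/port pair forwarded to several inside hosts, and lists static IPs that also sit in a global pool. The regular expressions and the port-keyword table are assumptions of this example, not the PIX parser.

```python
import re
from collections import defaultdict

# Port keywords the PIX accepts in place of numbers (subset, assumed for this example).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "http": 80, "https": 443}
STATIC_RE = re.compile(
    r"^static\s+\(\w+,\w+\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+netmask\s+\S+")
GLOBAL_RE = re.compile(r"^global\s+\(\w+\)\s+\d+\s+(\S+)")

def port_number(token):
    """Resolve a PIX port keyword or a numeric port to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def check_statics(config_text):
    """Return (conflicts, overlaps) for the port-forward statics in a PIX config.
    conflicts: {(global_ip, proto, port): [inside hosts]} when one outside IP/port
               is mapped to several inside hosts, which the PIX cannot do.
    overlaps:  global IPs that also sit in a 'global (outside)' pool; the PIX warns
               'static overlaps with global' but, per the thread, the xlate works.
    """
    pool_ips, static_ips = set(), set()
    forwards = defaultdict(set)
    for raw in config_text.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            pool_ips.add(m.group(1))
            continue
        m = STATIC_RE.match(line)
        if m:
            proto, gip, gport, lip, _ = m.groups()
            static_ips.add(gip)
            forwards[(gip, proto, port_number(gport))].add(lip)
    conflicts = {k: sorted(v) for k, v in forwards.items() if len(v) > 1}
    return conflicts, sorted(pool_ips & static_ips)

# Constructed sample: lrmoore's 'cannot do' list plus the pool from the question.
CANNOT_DO = """
global (outside) 20 1.1.1.1
static (inside,outside) tcp 1.1.1.1 telnet 20.20.20.1 telnet netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 telnet 20.20.20.23 telnet netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 telnet 20.20.20.44 telnet netmask 255.255.255.255
"""
# Constructed sample: lomaree's two-pool plan, plus telnet and ssh to one inside host.
TWO_POOLS = """
global (outside) 20 1.1.1.1
global (outside) 30 1.1.1.2
static (inside,outside) tcp 1.1.1.1 telnet 20.20.20.1 telnet netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 ssh 20.20.20.1 ssh netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 ssh 20.20.20.23 ssh netmask 255.255.255.255
"""
```

`check_statics(CANNOT_DO)` reports the telnet conflict on 1.1.1.1, while `check_statics(TWO_POOLS)` reports no conflict, only the overlap warnings the PIX prints for both pool addresses.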
LVL 79

Expert Comment

by:lrmoore
ID: 18015215
I think you're getting the hang of this!
Just be sure that the other end adds the new natted host IP to the VPN tunnel allow list.
LVL 1

Author Comment

by:lomaree
ID: 18018699
Hi lrmoore,

Thanks a lot for the great help, man. Tell me, can I do this?

static (inside,outside) tcp 1.1.1.1 telnet 20.20.20.1 telnet netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 ssh 20.20.20.1 ssh netmask 255.255.255.255
LVL 79

Expert Comment

by:lrmoore
ID: 18018721
Yes, no problem.