Site to Site VPN tunnel - NOT using private IPs in ACL & mapping internal subnet to Public IP

Posted on 2008-10-16 | 421 Views | Last Modified: 2010-05-18 | Solved
Hopefully the topic says most of it... I've done this a million times with site-to-site and ACL/nonat for subnet A to B, but never this way.

Basically the situation is this: I have a network behind a PIX 506 connecting to the VPN 3000 concentrator of large company A. They have a LOT of VPN endpoints and only want to map to a public IP address on my side. The application "we" need access to is given to us as a public IP on their side.

I.e.:
x.x.x.5 is the 3000's public IP and the "server" is x.x.x.12
My internal network is the private range 192.168.50.x and all my traffic has to appear to come from a public IP on my side (I'd like it to appear as coming from the outside interface of the PIX).

My understanding is that since we aren't doing "nonat", the PAT on the outside interface will serve as the "public IP" for the concentrator, with the nat (inside) 1 0 0. ACL 103 defines the traffic to encrypt. Yet it doesn't seem to work.

What am I missing?

Below is the config (modded to hide the innocent):
---------------------------------------------------------

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names


access-list 103 permit ip 192.168.50.0 255.255.255.0 host x.x.x.14

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.42 255.255.255.248
ip address inside 192.168.50.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.52.0 255.255.255.0 0 0
nat (inside) 1 192.168.53.0 255.255.255.0 0 0
nat (inside) 1 192.168.211.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.43 1024 192.168.50.19 1024 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.43 https 192.168.50.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.43 smtp 192.168.50.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.43 www 192.168.50.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.44 www 192.168.50.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.44 https 192.168.50.11 https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.44 smtp 192.168.50.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.44 domain 192.168.50.15 domain netmask 255.255.255.255 0 0
static (inside,outside) udp x.x.x.44 domain 192.168.50.15 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.44 3389 192.168.50.15 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.46 https 192.168.52.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.46 smtp 192.168.52.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.46 www 192.168.52.10 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.41 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

sysopt connection permit-ipsec

crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac

crypto map vpncm 3 ipsec-isakmp
crypto map vpncm 3 match address 103
crypto map vpncm 3 set peer x.x.x.5
crypto map vpncm 3 set transform-set AES-SHA
crypto map vpncm 10 ipsec-isakmp dynamic dynmap
crypto map vpncm interface outside
isakmp enable outside
isakmp key ******** address x.x.x.5 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 28800
isakmp policy 5 authentication rsa-sig
isakmp policy 5 encryption des
isakmp policy 5 hash sha
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: end
Question by: tw525
2 Comments

Accepted Solution
by: Alan Huseyin Kayahan (LVL 29, earned 300 total points)
ID: 22740258
Hello tw525,
Since you PATed the 50.0 network to your public IP, the interesting traffic for the VPN to kick in occurs between your public IP and x.x.x.14, not between 50.0 and x.x.x.14.

no access-list 103 permit ip 192.168.50.0 255.255.255.0 host x.x.x.14
access-list 103 permit ip interface outside host x.x.x.14

Regards

Expert Comment
by: lrmoore (LVL 79)
ID: 22740314
>access-list 103 permit ip 192.168.50.0 255.255.255.0 host x.x.x.14
This should be:

access-list 103 permit ip host x.x.x.42 host x.x.x.14


>"server" is x.x.x.12
Is it .12 or .14? Whatever it is, it should be in the ACL above.

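Added example (not code from the original post, and not Cisco's): a small Python model of the outbound packet path on the PIX that both answers rely on. The PIX applies NAT/PAT to a packet first and only then checks the crypto map's "match address" ACL, so ACL 103 has to describe the translated source. The model substitutes the RFC 5737 documentation range 203.0.113.0/24 for the hidden x.x.x addresses (an assumption), treats the unseen ACL 100 behind "nat (inside) 0" as empty, leaves out the port-specific statics, and uses x.x.x.14 as the server address as both answers do, since the question itself gives both .12 and .14. It also runs the "nonat" variant the poster is used to, to show why the posted ACL works there and not here.

```python
"""
Model of the PIX 6.3 outbound path for the config in the question:
NAT/PAT first, then 'crypto map vpncm 3 match address 103' against the
translated packet.  Added example; not from the original post or Cisco.

Assumption: 203.0.113.0/24 (RFC 5737 documentation space) stands in for
the x.x.x.0/24 public addresses the poster hid.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

OUTSIDE_IF = IPv4("203.0.113.42")  # stands in for x.x.x.42, the PIX outside interface
SERVER = IPv4("203.0.113.14")      # stands in for x.x.x.14, the application host


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list N permit ip <src> <dst>' line (IP only, no ports)."""
    src: Net
    dst: Net

    def matches(self, pkt: Packet) -> bool:
        return pkt.src in self.src and pkt.dst in self.dst


def translate(pkt: Packet, nat0_exempt: list[AclEntry]) -> Packet:
    """NAT as configured in the question, in the order the PIX evaluates it.

    1. nat (inside) 0 access-list ...  -> NAT exemption: source left untouched.
    2. nat (inside) 1 0.0.0.0 0.0.0.0 with global (outside) 1 interface
       -> every other inside source is PATed to the outside interface address.
    The port-specific statics in the posted config only affect flows sourced
    from exactly those ports and are deliberately left out of this model.
    """
    if any(e.matches(pkt) for e in nat0_exempt):
        return pkt
    return Packet(OUTSIDE_IF, pkt.dst)


def vpn_triggered(crypto_acl: list[AclEntry], pkt: Packet,
                  nat0_exempt: list[AclEntry]) -> bool:
    """The crypto map's match ACL is consulted after translation, not before."""
    out = translate(pkt, nat0_exempt)
    return any(e.matches(out) for e in crypto_acl)


# access-list 103 as posted: private source, public destination
ACL_103_AS_POSTED = [AclEntry(Net("192.168.50.0/24"), Net(f"{SERVER}/32"))]
# access-list 103 as lrmoore suggests: the post-PAT (public) source
ACL_103_FIXED = [AclEntry(Net(f"{OUTSIDE_IF}/32"), Net(f"{SERVER}/32"))]
# the familiar nonat design the poster mentions: exempt 50.0/24 -> server from NAT
NONAT_50_TO_SERVER = [AclEntry(Net("192.168.50.0/24"), Net(f"{SERVER}/32"))]


def scenarios(client: str = "192.168.50.19") -> dict[str, bool]:
    """Does a packet from an inside client to the server get picked up by the tunnel?"""
    pkt = Packet(IPv4(client), SERVER)
    return {
        "posted_acl_with_pat": vpn_triggered(ACL_103_AS_POSTED, pkt, []),
        "fixed_acl_with_pat": vpn_triggered(ACL_103_FIXED, pkt, []),
        "posted_acl_with_nonat": vpn_triggered(ACL_103_AS_POSTED, pkt, NONAT_50_TO_SERVER),
        "fixed_acl_with_nonat": vpn_triggered(ACL_103_FIXED, pkt, NONAT_50_TO_SERVER),
    }


def source_seen_by_peer(client: str, nat0_exempt: list[AclEntry]) -> str:
    """Source address the concentrator would see for this client's traffic."""
    return str(translate(Packet(IPv4(client), SERVER), nat0_exempt).src)


if __name__ == "__main__":
    for name, hit in scenarios().items():
        print(f"{name:24s} -> {'encrypted' if hit else 'not matched (routed in the clear)'}")
    print("peer sees with PAT:  ", source_seen_by_peer("192.168.50.19", []))
    print("peer sees with nonat:", source_seen_by_peer("192.168.50.19", NONAT_50_TO_SERVER))
```

Running it shows the two designs are mutually exclusive: with hide-PAT the posted ACL never matches because no packet leaving the outside interface still carries a 192.168.50.x source, while with a nat 0 exemption the posted ACL matches but the concentrator would then see private addresses, which company A has ruled out. Two caveats follow from the posted config once ACL 103 is changed to host x.x.x.42: every inside subnet (192.168.52.0, 53.0, 211.0 and the 0.0.0.0 catch-all) is PATed to the same interface address, so the crypto ACL no longer limits which inside hosts can reach x.x.x.14 through the tunnel (scenarios("192.168.52.10") is encrypted just the same), and because PAT hides everything behind x.x.x.42, the far side can only initiate connections to that one address. The peer's crypto ACL has to mirror the new one (host x.x.x.14 to host x.x.x.42) or phase 2 will fail on a proxy-identity mismatch. Unrelated to the NAT question but visible in the same config: isakmp policies 1 and 5 still offer DES with DH group 1 (policy 1 additionally MD5), and policy 1 is the highest priority on this box; with an AES-256/SHA transform set already defined, those policies are worth removing.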