khamees79

asked on

NAT settings for VPN on PIX 515E

Hello!
Hope I can explain this well.

*We got a PIX 515E; around 20 tunnels to remote offices are set already.
*Multiple internal networks (2 neighbour branches, remote-access VPN clients) of 192.168.(1,2,3).0
*A new booking system requires that we create a tunnel to another company.
They requested us to NAT all our networks so they are sent as a single IP address over the tunnel,
so they can set only this internal IP address to send requests to the booking server.

How can I accomplish this? I noticed NAT is a global setting, but only for this specific tunnel I need to NAT all my networks as one address, while keeping all the other tunnels as they are.

Thanks in advance
Les Moore

No problem, really.
Create the ipsec tunnel just like any other one. Except don't put the tunnel traffic into the nat_0 acl. Create a conditional-nat acl and apply it to one global ip, and use only that one global IP as the crypto match statement.

Given "their" network = 172.22.22.0/24 (for example purposes)
Given the single IP that they want you to use = 192.168.199.2 (could be almost anything)

access-list conditional_nat permit ip 192.168.0.0 255.255.0.0 172.22.22.0 255.255.255.0
global (outside) 2 192.168.199.2
nat (inside) 2 access-list conditional_nat
access-list Crypto_match_Nat permit ip host 192.168.199.2 172.22.22.0 255.255.255.0
crypto map <yourmap> 100 match address Crypto_match_Nat
crypto map <yourmap> 100 set peer <their public ip>
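The reason the crypto match statement names only the single global IP is the PIX order of operations: a packet leaving the inside interface is first run through the nat 0 (exempt) ACL, then through policy NAT, and only the translated packet is compared against the crypto-map ACLs. The following Python model is an added example, not code from this thread or from Cisco; it reuses the example addresses above (192.168.0.0/16, 172.22.22.0/24, 192.168.199.2) and adds a constructed 10.50.0.0/16 network standing in for one of the existing office tunnels. The ACL semantics are simplified (source/destination network pairs only, no ports) and the other nat/global pairs a real PIX would evaluate are omitted.

```python
"""Toy model of PIX 'policy NAT before crypto match' (added example, not from the thread).

On a PIX, a packet leaving the inside interface is processed in this order:
  1. nat 0 (exempt) ACL: if it matches, the packet keeps its real source.
  2. policy NAT: nat (inside) N access-list X -> global (outside) N <ip>.
  3. the crypto map 'match address' ACLs are evaluated on the TRANSLATED packet.
Step 3 is why the crypto ACL for the new tunnel must name the single global IP.
"""
from ipaddress import ip_address, ip_network

# Addresses from Les Moore's example (example values, not real networks).
OUR_LANS = ip_network("192.168.0.0/16")        # all internal 192.168.x.0 networks
THEIR_LAN = ip_network("172.22.22.0/24")       # the other company's LAN
SINGLE_IP = ip_address("192.168.199.2")        # the one IP they want to see
# Constructed: a pre-existing remote office tunnel that must stay untouched.
OTHER_TUNNEL_LAN = ip_network("10.50.0.0/16")

# ACLs are lists of (source network, destination network) permit entries.
NAT0_ACL = [(OUR_LANS, OTHER_TUNNEL_LAN)]          # exempt existing tunnel traffic
CONDITIONAL_NAT_ACL = [(OUR_LANS, THEIR_LAN)]      # access-list conditional_nat
GLOBAL_2 = SINGLE_IP                               # global (outside) 2 192.168.199.2
CRYPTO_MATCH_NAT = [(ip_network(f"{SINGLE_IP}/32"), THEIR_LAN)]  # crypto map ... 100
CRYPTO_MATCH_OTHER = [(OUR_LANS, OTHER_TUNNEL_LAN)]               # an existing entry


def acl_permits(acl, src, dst):
    """True if any ACL entry permits src -> dst."""
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def translate(src, dst, nat0_acl=NAT0_ACL):
    """Source address after NAT, honouring PIX order: nat 0 wins over policy NAT."""
    if acl_permits(nat0_acl, src, dst):
        return src                  # exempt: real address is kept
    if acl_permits(CONDITIONAL_NAT_ACL, src, dst):
        return GLOBAL_2             # all internal hosts appear as the single IP
    return src                      # (other nat/global pairs omitted in this model)


def tunnel_for(src_str, dst_str, nat0_acl=NAT0_ACL):
    """Which crypto-map entry catches the packet, and with what source address."""
    src, dst = ip_address(src_str), ip_address(dst_str)
    nat_src = translate(src, dst, nat0_acl)
    if acl_permits(CRYPTO_MATCH_NAT, nat_src, dst):
        return ("their-tunnel", str(nat_src))
    if acl_permits(CRYPTO_MATCH_OTHER, nat_src, dst):
        return ("existing-tunnel", str(nat_src))
    return ("cleartext", str(nat_src))


if __name__ == "__main__":
    # Host on a branch LAN reaches the booking company as the single IP.
    print(tunnel_for("192.168.1.10", "172.22.22.5"))
    # Same host to an existing office tunnel: untouched, still its own address.
    print(tunnel_for("192.168.1.10", "10.50.3.7"))
    # Mistake the answer warns about: their traffic added to nat 0 is never
    # translated, so the crypto ACL for the single IP no longer matches.
    print(tunnel_for("192.168.1.10", "172.22.22.5",
                     nat0_acl=NAT0_ACL + [(OUR_LANS, THEIR_LAN)]))
```

The third call shows the failure mode of putting the new tunnel's traffic into the nat 0 ACL: the packet keeps its real source, the crypto ACL written for the single IP does not match, and in this model the packet would leave in cleartext (on a real PIX it would simply not be encrypted by that map entry). It also illustrates why a NAT ACL that lists only one internal subnet, rather than all of them, leaves the other subnets untranslated and therefore outside the tunnel.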


khamees79

ASKER

Hello Irmoore:

Looks very solid, but too advanced for me :(
Hope you can simplify it a little bit, or if you can base your answer on ASDM.
Thanks

Les Moore

It is not straightforward at all using ASDM.
First, create the access-list, global, and nat. Really the simplest is to just use the command line tool, multiline option and type the three lines in there.

access-list conditional_nat permit ip 192.168.0.0 255.255.0.0 <their LAN> 255.255.255.0
global (outside) 2 192.168.199.2  <== the IP they want you to use
nat (inside) 2 access-list conditional_nat

Use the VPN Wizard to create a Lan2Lan tunnel.
Select the appropriate encryption/hash. 3des/sha should be default
Do not check Exempt PIX side host from nat
Local Network = the host IP that you used as a global outside that they want you to present yourself to them as
Remote network = their lan 172.22.22.0/24 in my example.

khamees79

ASKER

Thanks, just waiting for the other end to be UP, lazy French on the other side :)
Will let you know soon

Still cannot get it to run. They sent me their ACL and asked me to mirror it only; this is what they sent me:
ip access-list extended IPSEC-City
        permit ip host 194.15.170.*** host 192.168.55.26
        permit ip host 194.15.170.*** host 192.168.55.26
        permit ip host 194.176.166.*** host 192.168.55.26
        permit ip host 194.176.166.*** host 192.168.55.26
================================================
The IP I must use to NAT my traffic to them is 192.168.55.26
===================================================
My Current Config

crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 213.*0.***.11
crypto map outside_map 2 set transform-set ESP-3DES-SHA


tunnel-group 213.*0.1***.11 type ipsec-l2l
tunnel-group 213.*0.***.11 ipsec-attributes
 pre-shared-key *


nat (inside) 2 access-list Amadeus_NAT
global (outside) 2 192.168.55.26

object-group network Amadeus_S2S_IP
 description IP addresses of Amadeus.
 network-object host 194.15.170.***
 network-object host 194.15.170.***
 network-object host 194.176.166.***
 network-object host 194.176.166.***



access-list outside_2_cryptomap extended permit ip host 192.168.55.26 object-group Amadeus_S2S_IP
access-list Amadeus_NAT extended permit ip 192.168.155.0 255.255.255.0 host 194.15.170.***
access-list Amadeus_NAT extended permit ip 192.168.155.0 255.255.255.0 host 194.15.170.***
access-list Amadeus_NAT extended permit ip 192.168.155.0 255.255.255.0 host 194.176.166.***
access-list Amadeus_NAT extended permit ip 192.168.155.0 255.255.255.0 host 194.176.166.***

==============================================================================

Hope you can give me any clue.

ASKER CERTIFIED SOLUTION
Les Moore