Solved

Site to Site vpn tunnel trouble

Posted on 2009-05-20
1,121 Views
Last Modified: 2013-11-16
I need to give a customer access to a few of our clustered servers that are on my internal network.  We already have a VPN tunnel set up with them; however, they are already using the additional subnets we need them to have access to, so we need to NAT them to external IP addresses.  The servers we need them to have access to are 2 nodes in a Microsoft Windows cluster.  So I need to give them access to:
node 1: 192.168.40.21
node 2: 192.168.40.22
Cluster/sql ip: 192.168.40.24

In short, I would like to give them access to those 3 IP addresses but NAT those IP addresses to an external IP address statically.

192.168.40.21=66.x.x.1
192.168.40.22=66.x.x.2
192.168.40.24=66.x.x.3


Below are some lines of config taken from my PIX.  I am trying to get the 40.24 up first and then add the rest later.  The customer says the IKE is up but the IPsec session won't establish.  Help!
global (outside) 2 66.a.b.1-66.a.b.4 netmask 255.255.255.0 
nat (inside) 2 access-list conditional_nat
 
access-list conditional_nat extended permit ip 192.168.40.0 255.255.255.0 host 198.x.x.1
access-list conditional_hostA permit ip host 192.168.40.24 198.178.131.1 255.255.255.255
 
 
static (inside,outside) 66.a.b.1 access-list conditional_hostA
 
 
 
crypto ipsec transform-set des esp-des esp-sha-hmac 
crypto map tippmanngroup 1 match address 103
crypto map tippmanngroup 1 set pfs 
crypto map tippmanngroup 1 set peer 199.d.e.f
crypto map tippmanngroup 1 set transform-set des
 
 
access-list 103 extended permit ip 192.168.40.0 255.255.255.0 host 198.x.x.1

Question by:joebass47
19 Comments
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 1500 total points
ID: 24509687
Hello joebass47,
    It doesn't have to be a public IP like 66.a.b.1 necessarily. Here is my recommendation:
no global (outside) 2 66.a.b.1-66.a.b.4 netmask 255.255.255.0
no nat (inside) 2 access-list conditional_nat

no access-list conditional_nat extended permit ip 192.168.40.0 255.255.255.0 host 198.x.x.1
no access-list conditional_hostA permit ip host 192.168.40.24 198.178.131.1 255.255.255.255
no static (inside,outside) 66.a.b.1 access-list conditional_hostA

access-list CNat1 permit ip host 192.168.40.21 customernetwork customernetmask
access-list CNat2 permit ip host 192.168.40.22 customernetwork customernetmask
access-list CNat3 permit ip host 192.168.40.24 customernetwork customernetmask

static (inside,outside) 172.28.110.21 access-list CNat1
static (inside,outside) 172.28.110.22 access-list CNat2
static (inside,outside) 172.28.110.24 access-list CNat3

access-list Cstmr_Intr_Traf permit ip 172.28.110.21 customernetwork customernetmask
access-list Cstmr_Intr_Traf permit ip 172.28.110.22 customernetwork customernetmask
access-list Cstmr_Intr_Traf permit ip 172.28.110.24 customernetwork customernetmask

no crypto map tippmanngroup 1 match address 103
crypto map tippmanngroup 1 match address Cstmr_Intr_Traf

Make sure of 2 things:
    1) You do not have nat 0 (Exempt NAT) statements that can cover the sources and destinations specified in the conditional NAT, such as
     access-list inside_nat0_outbound permit ip 192.168.40.0 255.255.255.0 any
   2) The remote site has the exact mirror of your interesting-traffic ACL, like the following

access-list Crporate_Intr_Traf permit ip customernetwork customernetmask host 172.28.110.21
access-list Crporate_Intr_Traf permit ip customernetwork customernetmask host 172.28.110.22
access-list Crporate_Intr_Traf permit ip customernetwork customernetmask host 172.28.110.24

   And make sure they modify their exempt nat statement accordingly

Regards

Author Comment

by:joebass47
ID: 24517613
Thanks for the response!

We already have some subnets set up using ACL 103, so if we remove that, those won't work.  Is there any way to look at both ACL 103 and cstmr_intr_traf?

Author Comment

by:joebass47
ID: 24517684
Sorry, let me be more clear on my last comment.  We already have two existing subnets set up in the VPN tunnel that both use ACL 103.
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24517751
If those two existing statements do not cover my above mirror ACL entries and do not make them useless, then you can use that ACL. But remember, ACL 103 must be exactly mirrored at the remote site. If it doesn't work, post ACL 103.

Author Comment

by:joebass47
ID: 24523628
Ok, I will put this in tomorrow.  One question before I do.  What if I want to use public IPs?  Could I use the same config and just change the private IPs you gave me to my public ones?

Thanks,
Joey
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24524014
"Could I use the same config just change the private IPs you gave me to my public?"
    Yes, you can. Change the private IPs to public IPs in the interesting-traffic ACL and statics.

Author Comment

by:joebass47
ID: 24528527
access-list CNat1 permit ip host 192.168.40.21 198.x.x.x 255.255.255.255
access-list CNat2 permit ip host 192.168.40.22 198.x.x.x 255.255.255.255
access-list CNat3 permit ip host 192.168.40.24 198.x.x.x 255.255.255.255

static (inside,outside) 66.x.x.1 access-list CNat1
static (inside,outside) 66.x.x.2 access-list CNat2
static (inside,outside) 66.x.x.3 access-list CNat3

access-list 103 extended permit ip host 66.x.x.1 host 198.x.x.x
access-list 103 extended permit ip host 66.x.x.2 host 198.x.x.x
access-list 103 extended permit ip host 66.x.x.3 host 198.x.x.x


Above is what I have added.  I also took out what you had suggested...
no global (outside) 2 66.a.b.1-66.a.b.4 netmask 255.255.255.0
no nat (inside) 2 access-list conditional_nat

no access-list conditional_nat extended permit ip 192.168.40.0 255.255.255.0 host 198.x.x.1
no access-list conditional_hostA permit ip host 192.168.40.24 198.178.131.1 255.255.255.255
no static (inside,outside) 66.a.b.1 access-list conditional_hostA

_________________________________
Here is what is in access list 103:
access-list 103 extended permit ip 192.168.7.0 255.255.255.0 host 198.x.x.1
access-list 103 extended permit ip 192.168.100.0 255.255.255.0 host 198.x.x.1
access-list 103 extended permit ip host 66.x.x.1 host 198.x.x.x
access-list 103 extended permit ip host 66.x.x.2 host 198.x.x.x
access-list 103 extended permit ip host 66.x.x.3 host 198.x.x.x

____________________________________
I also have the following nat statements:
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
____________________________________
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 172.16.60.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.5.125.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.5.251.0 255.255.255.0
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.50.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 host 198.178.131.1

Author Comment

by:joebass47
ID: 24574446
I guess I didn't put in my above comment that it didn't work.
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24579508
Can you post the current config?

Author Comment

by:joebass47
ID: 24580075
PIX Version 7.2(4)
!
hostname indigitalfire
domain-name tippmanngroup.com
enable password <removed>
passwd <removed>
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 66.170.x.x 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
boot system flash:/image.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name tippmanngroup.com
access-list CNat1 extended permit ip host 192.168.40.21 host 198.178.131.1
access-list CNat2 extended permit ip host 192.168.40.22 host 198.178.131.1
access-list 103 extended permit ip 192.168.7.0 255.255.255.0 host 198.178.131.1
access-list 103 extended permit ip 192.168.100.0 255.255.255.0 host 198.178.131.1
access-list 103 extended permit ip host 66.249.242.1 host 198.178.131.1
access-list 103 extended permit ip host 66.249.242.2 host 198.178.131.1
access-list 103 extended permit ip host 66.249.242.3 host 198.178.131.1
access-list 103 extended permit ip 192.168.40.0 255.255.255.0 host 198.178.131.1
access-list 104 extended permit ip 192.168.8.0 255.255.255.0 172.16.60.0 255.255.255.0
access-list 104 extended permit ip 192.168.8.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list 104 extended permit ip 192.168.8.0 255.255.255.0 10.5.125.0 255.255.255.0
access-list 104 extended permit ip 192.168.8.0 255.255.255.0 10.5.251.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 172.16.60.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.5.125.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.5.251.0 255.255.255.0
access-list nonat extended permit ip 192.168.40.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.50.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip 192.168.7.0 255.255.255.0 host 198.178.131.1
access-list nonat extended permit ip host 66.249.242.1 host 198.178.131.1
access-list nonat extended permit ip host 66.249.242.2 host 198.178.131.1
access-list nonat extended permit ip host 66.249.242.3 host 198.178.131.1
access-list nonat extended permit ip host 192.168.40.21 host 198.178.131.1
access-list nonat extended permit ip host 192.168.40.22 host 198.178.131.1
access-list nonat extended permit ip host 192.168.40.24 host 198.178.131.1
access-list CNat3 extended permit ip host 192.168.40.24 host 198.178.131.1
access-list Cstmr_Intr_Traf extended permit ip host 66.249.242.1 host 198.178.131.1
access-list Cstmr_Intr_Traf extended permit ip host 66.249.242.2 host 198.178.131.1
access-list Cstmr_Intr_Traf extended permit ip host 66.249.242.3 host 198.178.131.1
pager lines 24
logging enable
logging asdm informational
logging from-address pix@tippmanngroup.com
logging recipient-address jborgnini@tippmanngroup.com level warnings
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 66.170.x.x
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 66.170.35.204 192.168.4.11 netmask 255.255.255.255
static (inside,outside) 66.170.35.206 192.168.3.4 netmask 255.255.255.255
static (inside,outside) 66.170.35.202 192.168.100.97 netmask 255.255.255.255
static (inside,outside) 66.170.35.198 192.168.100.15 netmask 255.255.255.255
static (inside,outside) 66.170.35.196 192.168.100.18 netmask 255.255.255.255
static (inside,outside) 66.170.35.199 192.168.100.56 netmask 255.255.255.255
static (inside,outside) 66.170.35.222 192.168.100.19 netmask 255.255.255.255
static (inside,outside) 66.170.35.221 192.168.7.29 netmask 255.255.255.255
static (inside,outside) 66.170.35.217 192.168.100.96 netmask 255.255.255.255
static (inside,outside) 66.170.35.209 192.168.100.249 netmask 255.255.255.255
static (inside,outside) 66.170.35.205 192.168.6.38 netmask 255.255.255.255
static (inside,outside) 66.170.35.203 192.168.10.29 netmask 255.255.255.255
static (inside,outside) 66.170.35.208 192.168.50.29 netmask 255.255.255.255
static (inside,outside) 66.170.35.211 192.168.100.14 netmask 255.255.255.255
static (inside,outside) 66.170.35.212 192.168.100.70 netmask 255.255.255.255
static (inside,outside) 66.170.35.215 192.168.9.21 netmask 255.255.255.255
static (inside,outside) 66.170.35.219 192.168.100.33 netmask 255.255.255.255
static (inside,outside) 66.170.35.200 192.168.6.29 netmask 255.255.255.255
static (inside,outside) 66.249.242.1  access-list CNat1
static (inside,outside) 66.249.242.2  access-list CNat2
static (inside,outside) 66.249.242.3  access-list CNat3
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.170.35.194 1
route inside 192.168.0.0 255.255.0.0 192.168.100.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.100.186 255.255.255.255 inside
http 192.168.100.240 255.255.255.255 inside
http 192.168.3.221 255.255.255.255 inside
http 192.168.4.40 255.255.255.255 inside
http 192.168.100.222 255.255.255.255 inside
http 192.168.100.15 255.255.255.255 inside
http 192.168.6.93 255.255.255.255 inside
http 192.168.3.104 255.255.255.255 inside
http 192.168.3.105 255.255.255.255 inside
http 192.168.100.241 255.255.255.255 inside
http 192.168.7.187 255.255.255.255 inside
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set des esp-des esp-sha-hmac
crypto map tippmanngroup 1 match address 103
crypto map tippmanngroup 1 set pfs
crypto map tippmanngroup 1 set peer 199.88.143.5
crypto map tippmanngroup 1 set transform-set des
crypto map tippmanngroup 2 match address 104
crypto map tippmanngroup 2 set pfs
crypto map tippmanngroup 2 set peer 75.137.63.10
crypto map tippmanngroup 2 set transform-set des
crypto map tippmanngroup interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 8
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.100.15 255.255.255.255 inside
telnet 192.168.100.176 255.255.255.255 inside
telnet 192.168.100.177 255.255.255.255 inside
telnet 192.168.5.150 255.255.255.255 inside
telnet 192.168.4.40 255.255.255.255 inside
telnet 192.168.100.187 255.255.255.255 inside
telnet 192.168.100.174 255.255.255.255 inside
telnet 192.168.3.107 255.255.255.255 inside
telnet 192.168.7.0 255.255.255.0 inside
telnet 192.168.7.187 255.255.255.255 inside
telnet 192.168.3.221 255.255.255.255 inside
telnet 192.168.100.240 255.255.255.255 inside
telnet timeout 5
ssh 192.168.4.151 255.255.255.255 inside
ssh 192.168.100.222 255.255.255.255 inside
ssh 192.168.4.40 255.255.255.255 inside
ssh 192.168.4.41 255.255.255.255 inside
ssh 192.168.100.15 255.255.255.255 inside
ssh 192.168.7.180 255.255.255.255 inside
ssh 192.168.100.239 255.255.255.255 inside
ssh 192.168.100.177 255.255.255.255 inside
ssh 192.168.5.150 255.255.255.255 inside
ssh 192.168.3.105 255.255.255.255 inside
ssh 192.168.4.181 255.255.255.255 inside
ssh 192.168.3.107 255.255.255.255 inside
ssh 192.168.7.187 255.255.255.255 inside
ssh timeout 5
ssh version 1
console timeout 0
username guido password <removed> privilege 15
username jborgnini password <removed> privilege 15
tunnel-group 199.88.143.5 type ipsec-l2l
tunnel-group 199.88.143.5 ipsec-attributes
 pre-shared-key *
tunnel-group 75.137.63.10 type ipsec-l2l
tunnel-group 75.137.63.10 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:94544b06ff843955b0f7ee70da17cfad
: end

Author Comment

by:joebass47
ID: 24606103
Do you see anything that could be causing the problem?
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24814799
Joe, does tunnel ever come up? What is the most recent error now?

Author Comment

by:joebass47
ID: 24815726
The tunnel never came up.  I still can't ping the customer.  I don't think the conditional NAT is working properly.

Author Comment

by:joebass47
ID: 24816034
I also opened a question here since I wasn't getting much response in this thread.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24553922.html
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24817744
I sometimes forget the questions I participate in; I just saw the email. But if you have followed the suggestions correctly, the solution was in my first suggestion.
"Make sure of 2 things
    1) You do not have nat 0 (Exempt NAT) statements that can cover source and destinations specified in conditional nat such as
     access-list inside_nat0_outbound permit ip 192.168.40.0 255.255.255.0 any"

 The suggestion made in the link you specified doesn't make sense; VPN Client and NAT are not safety criteria to choose from.

The problem is that your exempt NAT ACL contains the statement we entered for conditional NAT. So the traffic is already exempted without reaching our CNAT static. Simply removing the following line should solve the issue:

no access-list nonat extended permit ip 192.168.40.0 255.255.255.0 host 198.178.131.1

Run a clear xlate after.
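As an added worked model (the editor's example, not code from this thread, from Cisco, or from the PIX itself), the following Python script reproduces the two checks the accepted answer asks for and the diagnosis in the comment just above: it applies the PIX 7.x outbound NAT precedence the answer describes (a matching exempt `nat 0 access-list` entry is evaluated before the policy statics, so it shadows them), then tests which source address reaches the crypto map against ACL 103 and against a peer-side mirror ACL. The ACL lines are constructed from the configuration posted above; the peer ACL `Crporate_Intr_Traf` and its single entry are assumptions, since the customer's side is never shown in the thread.

```python
"""Model of PIX 7.x outbound NAT order and crypto-ACL matching for the flow
discussed in this thread (192.168.40.24 -> 198.178.131.1).
Editor's example, not from the thread or from Cisco; ACL lines below are
constructed from the posted configuration."""
import ipaddress


def _endpoint(tok, i):
    """Parse one ACE endpoint: 'host A', 'any', or 'A MASK'."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_ace(line):
    """'access-list NAME [extended] permit ip SRC DST' -> (action, src_net, dst_net)."""
    tok = line.split()
    p = tok.index("ip")                 # protocol keyword; src and dst follow it
    src, i = _endpoint(tok, p + 1)
    dst, _ = _endpoint(tok, i)
    return tok[p - 1], src, dst


def acl_permits(acl, src_ip, dst_ip):
    """First-match semantics with the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, src, dst = parse_ace(line)
        if s in src and d in dst:
            return action == "permit"
    return False


def translate_source(src_ip, dst_ip, nonat, statics, policy_acls):
    """Outbound NAT precedence: exempt NAT (nat 0 access-list) is checked before
    any static, so an exempt ACE covering the flow shadows a policy static."""
    if acl_permits(nonat, src_ip, dst_ip):
        return src_ip, "nat 0 exempt: no translation"
    for mapped, acl_name in statics:
        if acl_permits(policy_acls[acl_name], src_ip, dst_ip):
            return mapped, f"static policy NAT via {acl_name}"
    return src_ip, "no static matched (dynamic nat/global would apply)"


def missing_mirrors(local_acl, remote_acl):
    """Local crypto ACEs with no exact mirror (src and dst swapped) on the peer."""
    remote = {(s, d) for _, s, d in map(parse_ace, remote_acl)}
    missing = []
    for line in local_acl:
        _, s, d = parse_ace(line)
        if (d, s) not in remote:
            missing.append(line)
    return missing


def diagnose(src_ip, dst_ip, nonat, statics, policy_acls, local_crypto, remote_crypto):
    """Which source reaches the crypto map, and do both crypto ACLs agree on it?"""
    mapped, rule = translate_source(src_ip, dst_ip, nonat, statics, policy_acls)
    return {
        "mapped_source": mapped,
        "nat_rule": rule,
        "local_crypto_match": acl_permits(local_crypto, mapped, dst_ip),
        "remote_mirror_match": acl_permits(remote_crypto, dst_ip, mapped),
    }


# Constructed from the configuration posted in the thread.
CUSTOMER = "198.178.131.1"
POLICY_ACLS = {
    "CNat1": ["access-list CNat1 extended permit ip host 192.168.40.21 host 198.178.131.1"],
    "CNat2": ["access-list CNat2 extended permit ip host 192.168.40.22 host 198.178.131.1"],
    "CNat3": ["access-list CNat3 extended permit ip host 192.168.40.24 host 198.178.131.1"],
}
STATICS = [("66.249.242.1", "CNat1"), ("66.249.242.2", "CNat2"), ("66.249.242.3", "CNat3")]
LOCAL_CRYPTO = [
    "access-list 103 extended permit ip host 66.249.242.3 host 198.178.131.1",
    "access-list 103 extended permit ip 192.168.40.0 255.255.255.0 host 198.178.131.1",
]
# Assumed peer-side mirror (ACL name taken from the accepted answer; content is a guess).
REMOTE_CRYPTO = ["access-list Crporate_Intr_Traf extended permit ip host 198.178.131.1 host 66.249.242.3"]
NONAT_BEFORE = [
    "access-list nonat extended permit ip 192.168.100.0 255.255.255.0 host 198.178.131.1",
    "access-list nonat extended permit ip 192.168.40.0 255.255.255.0 host 198.178.131.1",
]
NONAT_AFTER = NONAT_BEFORE[:1]   # the exempt line the answer says to remove is gone


def compare():
    """Run the node-3 flow with and without the shadowing exempt entry."""
    args = (CUSTOMER, STATICS, POLICY_ACLS, LOCAL_CRYPTO, REMOTE_CRYPTO)
    before = diagnose("192.168.40.24", args[0], NONAT_BEFORE, *args[1:])
    after = diagnose("192.168.40.24", args[0], NONAT_AFTER, *args[1:])
    return before, after


if __name__ == "__main__":
    for label, result in zip(("with exempt line", "exempt line removed"), compare()):
        print(label, result)
    print("unmirrored local ACEs:", missing_mirrors(LOCAL_CRYPTO, REMOTE_CRYPTO))
```

With the `192.168.40.0/24 -> 198.178.131.1` entry still in `nonat`, the model shows the flow leaving untranslated: only the stale `192.168.40.0/24` line of ACL 103 matches it, and the peer has no mirror for that, which is the proxy-ID mismatch the thread describes as IKE up but no IPsec SA. With the entry removed, the CNat3 static maps the node to 66.249.242.3 and both crypto ACLs agree. `missing_mirrors` also flags that leftover `192.168.40.0/24` line in ACL 103, which the posted config still carries alongside the new host entries.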
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 24817967
Nice to hear that your issue is resolved, and sad to see grade B for a good answer to a long-to-read and time-consuming question which experts usually refrain from participating in. Please open up a ticket to close the other question you opened with a full refund, since it is resolved.
Regards