[cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX 6.3

Michael G. Jung mikej at confluenttech.com
Mon Dec 11 18:09:24 EST 2006


Thanks for your response.
 
I may be wrong, but I have always understood NAT to occur BEFORE IPsec.
 
Thus, if you want an inside host on one end to talk with an inside host
on the remote end of a tunnel, you place your interesting traffic rules
in whatever access-list applies to your appropriate NAT-0 rule so that
the PIX knows not to process your traffic through the NAT engine before
the tunnel (IPsec or otherwise).
 
It's my opinion in my case that the PIX is not finding interesting
traffic bound for 172.30.21.216 from 216.26.153.12, and this is why I am
seeing no debugging information.
 
I don't understand why this is occurring with how I'm attempting to
configure this scenario.
 
--mikej

	-----Original Message-----
	From: Mounir Mohamed [mailto:mounir.mohamed at gmail.com]
	Sent: Monday, December 11, 2006 5:58 PM
	To: Michael G. Jung
	Cc: cisco-bba at puck.nether.net
	Subject: Re: [cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX 6.3
	
	
	Dear Michael,
	 
	I think your debug output gets nothing because the NAT happens
	after the IPsec tunnel initiation failed; mainly, routing happens first,
	then NAT. If the outgoing interface is the outside one, NAT takes action,
	so when your private subnet is trying to initiate traffic toward the remote VPN,
	the traffic arrives on the PIX interface as a private address, then tries
	to initiate the IPsec tunnel, and it fails because the source address
	is not found in the interesting traffic ACL (global-vpn).
	 
	If I am wrong, anybody can correct me :)
	 
	Best Regards,
	Mounir Mohamed
	
	 
	On 12/11/06, Michael G. Jung <mikej at confluenttech.com> wrote: 

		 
		I have several tunnels up and operational on an old
		PIX-520 running 6.3(4)120.
		 
		I want to establish a new tunnel, but I want to static
		xlate my inside address to a real-world address, and have the
		destination host see my traffic as sourced from the NAT'd address.
		 
		So I've built an access-list for interesting traffic for
		the tunnel, built the static, and have not specified the interesting
		traffic in my NAT-0 access-list that I use for other tunnels. I've
		turned up debug crypto isakmp on the PIX but I don't see any
		initiation.
		 
		My inside host on interface DMZ is 172.0.255.15, which is
		NAT'd to 216.26.153.12.
		 
		So I want 172.0.255.15 to connect to the remote host
		172.30.21.216, presenting itself as sourced from the NAT'd address
		216.26.153.12.
		 
		Here is what I think is relevant.
		 
		ip address outside 216.26.153.4 255.255.255.128
		ip address dmz 172.0.255.1 255.255.255.0
		 
		access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215
		 
		static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0
		 
		sysopt connection permit-ipsec
		 
		crypto ipsec transform-set global-vpn esp-3des esp-md5-hmac
		 
		crypto map outside 212 ipsec-isakmp
		crypto map outside 212 match address global-vpn
		crypto map outside 212 set peer not.my.real.ip
		crypto map outside 212 set transform-set global-vpn
		 
		crypto map outside interface outside
		 
		isakmp enable outside
		isakmp key ******** address not.my.real.ip netmask 255.255.255.255
		isakmp identity address
		
		isakmp policy 100 authentication pre-share
		isakmp policy 100 encryption 3des
		isakmp policy 100 hash md5
		isakmp policy 100 group 2
		isakmp policy 100 lifetime 86400
		 
		 
		Any ideas? Am I approaching this correctly with the
		static and not using nat0 for 216.26.153.12 <-> 172.30.21.215?
		 
		Thanks for any suggestions.
		 
		--mikej
		Michael Jung
		 
		 

		_______________________________________________
		cisco-bba mailing list
		cisco-bba at puck.nether.net
		https://puck.nether.net/mailman/listinfo/cisco-bba
		
		
		




	-- 
	Best Regards,
	Mounir Mohamed
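The order of operations the two messages disagree about, modelled as an added Python example. This is not Cisco code and is not from the thread; it encodes the PIX 6.x ordering Michael describes (translation happens before the crypto map's match-address ACL is checked), so a host covered by a static must appear in the crypto ACL by its global address, and only a nat 0 exemption lets the ACL see the private address. The static, the global-vpn ACL and crypto map entry 212 are the ones posted above (the peer name is the placeholder used there); the nat 0 variant, its ACL name, sequence number and /24 destination are constructed for contrast, as is the 172.0.255.99 source with no translation.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Simplified model of the PIX 6.x outbound path relevant to the thread:
#   nat 0 exemption -> static xlate -> crypto map "match address" ACL.
# Assumption encoded here: the crypto ACL sees the TRANSLATED source.


def net(s: str) -> ipaddress.IPv4Network:
    """'host a.b.c.d' entries are written as a.b.c.d/32."""
    return ipaddress.ip_network(s, strict=False)


@dataclass
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


@dataclass
class CryptoMapEntry:
    seq: int
    acl: str    # name of the "match address" ACL
    peer: str


@dataclass
class PixModel:
    nat0_acl: List[AclEntry] = field(default_factory=list)
    statics: Dict[str, str] = field(default_factory=dict)   # local -> global
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)
    crypto_map: List[CryptoMapEntry] = field(default_factory=list)

    def xlate(self, src: str, dst: str) -> Optional[str]:
        # nat 0 (identity) is consulted before the static; a host that
        # matches neither has no translation group and is dropped.
        if any(e.matches(src, dst) for e in self.nat0_acl):
            return src
        return self.statics.get(src)

    def outbound(self, src: str, dst: str) -> dict:
        xsrc = self.xlate(src, dst)
        if xsrc is None:
            return {"xlated_src": None, "crypto_seq": None, "action": "drop: no xlate"}
        # crypto map entries are tried in sequence order, against the
        # translated source address
        for entry in sorted(self.crypto_map, key=lambda e: e.seq):
            if any(a.matches(xsrc, dst) for a in self.acls.get(entry.acl, [])):
                return {"xlated_src": xsrc, "crypto_seq": entry.seq, "action": "encrypt"}
        return {"xlated_src": xsrc, "crypto_seq": None, "action": "clear"}


def thread_config() -> PixModel:
    """The static, ACL and crypto map entry posted in the thread."""
    pix = PixModel()
    pix.statics["172.0.255.15"] = "216.26.153.12"
    pix.acls["global-vpn"] = [AclEntry(net("216.26.153.12/32"), net("172.30.21.215/32"))]
    pix.crypto_map.append(CryptoMapEntry(212, "global-vpn", "not.my.real.ip"))
    return pix


def nat0_variant() -> PixModel:
    """Constructed alternative (not from the thread): exempt the host from NAT
    and match its private address in the crypto ACL."""
    pix = PixModel()
    pix.statics["172.0.255.15"] = "216.26.153.12"
    pix.nat0_acl.append(AclEntry(net("172.0.255.15/32"), net("172.30.21.0/24")))
    pix.acls["private-vpn"] = [AclEntry(net("172.0.255.15/32"), net("172.30.21.0/24"))]
    pix.crypto_map.append(CryptoMapEntry(213, "private-vpn", "not.my.real.ip"))
    return pix


if __name__ == "__main__":
    pix = thread_config()
    for dst in ("172.30.21.215", "172.30.21.216"):
        print("posted config ->", dst, pix.outbound("172.0.255.15", dst))
    print("nat 0 variant ->", nat0_variant().outbound("172.0.255.15", "172.30.21.216"))
    print("no xlate ->", pix.outbound("172.0.255.99", "172.30.21.215"))
```

Run against the posted config, the model translates 172.0.255.15 to 216.26.153.12 and matches crypto map entry 212 for a destination of 172.30.21.215, the address the ACL names; for 172.30.21.216 it translates but matches no crypto entry and leaves the flow unencrypted. In the nat 0 variant the source is left as 172.0.255.15 and a crypto ACL written with the private address matches, which is the arrangement Michael describes using for his other tunnels.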
