[cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX 6.3

Mounir Mohamed mounir.mohamed at gmail.com
Mon Dec 11 18:20:48 EST 2006


Dear Michael,

No, dear, IPSEC happens before NAT, so the ACL is matching on something wrong; the
URL below shows the NAT order of operations.

Did you try to change the ACL by replacing the real IP address with your
private one? I believe this will give you debug output.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Best Regards,
Mounir Mohamed


On 12/12/06, Michael G. Jung <mikej at confluenttech.com> wrote:
>
> Thanks for your response.
>
> I may be wrong but I have always understood NAT to occur BEFORE ipsec.
>
> Thus, if you want an inside host on one end to talk with an inside host on
> the remote end of a tunnel, you place your interesting traffic rules in
> whatever access-list applies to your appropriate NAT-0 rule so that the PIX
> knows to not process your traffic through the NAT engine before the tunnel
> (IPSEC or otherwise).
>
> It's my opinion in my case that the PIX is not finding interesting traffic
> bound for 172.30.21.216 from 216.26.153.12 and this is why I am seeing no
> debugging information.
>
> I don't understand why this is occurring with how I'm attempting to
> configure this scenario.
>
> --mikej
>
>  -----Original Message-----
> *From:* Mounir Mohamed [mailto:mounir.mohamed at gmail.com]
> *Sent:* Monday, December 11, 2006 5:58 PM
> *To:* Michael G. Jung
> *Cc:* cisco-bba at puck.nether.net
> *Subject:* Re: [cisco-bba] FW: Static NAT translation over IPSEC tunnel -
> PIX 6.3
>
> Dear Michael,
>
> I think your debug output gets nothing because the NAT happens after the
> IPSEC tunnel initiation failed; mainly, routing happens first, then NAT. If the
> outgoing interface is the outside one, NAT takes action, so when your private
> subnet tries to initiate traffic toward the remote VPN, the traffic arrives on
> the PIX interface as a private address, then tries to initiate the IPSEC
> tunnel, and it fails because the source address isn't found in the
> interesting traffic ACL (global-vpn).
>
> If I am wrong, anybody can correct me :)
>
> Best Regards,
> Mounir Mohamed
>
>
> On 12/11/06, Michael G. Jung <mikej at confluenttech.com> wrote:
> >
> >
> > I have several tunnels up and operational on an old PIX-520 running
> > 6.3(4)120.
> >
> > I want to establish a new tunnel, but I want to static xlate my inside
> > address to a real world address, and  have the destination host see my
> > traffic as sourced from the NAT'd address.
> >
> > So I've built an access-list for interesting traffic for the tunnel,
> > built by static, and have not specified the interesting traffic in my NAT-0
> > access-list that I use for other tunnels. I've turned up debug crypto
> > isakmp on the PIX but I don't see any initiation.
> >
> > My inside host on interface DMZ is 172.0.255.15, which is NAT'd to
> > 216.26.153.12.
> >
> > So I want 172.0.255.15 to connect to the remote host 172.30.21.216,
> > presenting itself as sourced from the NAT'd address 216.26.153.12.
> >
> > Here is what I think is relevant.
> >
> > ip address outside 216.26.153.4 255.255.255.128
> > ip address dmz 172.0.255.1 255.255.255.0
> >
> > access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215
> >
> >
> > static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0
> >
> > sysopt connection permit-ipsec
> >
> >
> > crypto ipsec transform-set global-vpn esp-3des esp-md5-hmac
> >
> > crypto map outside 212 ipsec-isakmp
> > crypto map outside 212 match address global-vpn
> > crypto map outside 212 set peer not.my.real.ip
> > crypto map outside 212 set transform-set global-vpn
> >
> > crypto map outside interface outside
> >
> > isakmp enable outside
> > isakmp key ******** address not.my.real.ip netmask 255.255.255.255
> > isakmp identity address
> >
> > isakmp policy 100 authentication pre-share
> > isakmp policy 100 encryption 3des
> > isakmp policy 100 hash md5
> > isakmp policy 100 group 2
> > isakmp policy 100 lifetime 86400
> >
> >
> > Any ideas, am I approaching this correctly with the static and not
> > using nat0 for 216.26.153.12 <-> 172.30.21.215?
> >
> > Thanks for any suggestions.
> >
> > --mikej
> > Michael Jung
> >
> >
> >
> > _______________________________________________
> > cisco-bba mailing list
> > cisco-bba at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-bba
> >
> >
> >
>
>
> --
> Best Regards,
> Mounir Mohamed
>
>


-- 
Best Regards,
Mounir Mohamed
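As an added illustration (not code from either poster), the script below walks an outbound dmz packet through the posted static xlate and then the global-vpn crypto ACL, under both orderings argued in the thread (NAT before the crypto-map check, or the crypto-map check on the untranslated source). The config lines are reproduced from the original post; the static's trailing `0 0` is read as the max-connections and embryonic-connection limits, and the 172.30.21.216 destination that appears in the prose is checked alongside the .215 that appears in the ACL.

```python
import ipaddress
import re

# Constructed from the PIX 6.3 lines quoted in the thread.
PIX_CONFIG = """
access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215
static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0
"""


def parse_ace(rest):
    """'host A host B', 'A MASK B MASK' or 'any' -> (src_net, dst_net)."""
    toks, nets = rest.split(), []
    while toks:
        if toks[0] == "host":
            nets.append(ipaddress.ip_network(toks[1] + "/32"))
            toks = toks[2:]
        elif toks[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            toks = toks[1:]
        else:  # PIX ACLs use subnet masks, not wildcard masks
            nets.append(ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False))
            toks = toks[2:]
    return tuple(nets)


def parse_config(text):
    """Collect static xlates (real -> mapped) and crypto-ACL entries."""
    statics, acls = {}, {}
    for line in text.strip().splitlines():
        m = re.match(r"static \(\S+,\S+\) (\S+) (\S+) netmask (\S+)", line)
        if m:  # static (real_ifc,mapped_ifc) MAPPED REAL netmask MASK
            statics[ipaddress.ip_address(m.group(2))] = ipaddress.ip_address(m.group(1))
            continue
        m = re.match(r"access-list (\S+) permit ip (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(parse_ace(m.group(2)))
    return statics, acls


def outbound_check(src, dst, acl_name, config=PIX_CONFIG, nat_before_crypto=True):
    """Return (source as seen by the crypto map, whether the ACL matched)."""
    statics, acls = parse_config(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    seen_src = statics.get(src, src) if nat_before_crypto else src
    matched = any(seen_src in s and dst in d for s, d in acls.get(acl_name, []))
    return str(seen_src), matched
```

With NAT first, the static makes the source match and only the destination decides the outcome; with the crypto check on the private source, nothing in global-vpn can ever match, which is the symptom each poster explains differently.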