[cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX 6.3

Michael G. Jung mikej at confluenttech.com
Mon Dec 11 19:13:21 EST 2006


Mounir Mohamed:

Thanks!

For the list and those still learning like me, changing

access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215

to

access-list global-vpn permit ip host 172.0.255.15 host 172.30.21.215

makes the IPSEC engine see interesting traffic and I get initiation.
Solution not complete but I understand more.

Any idea on the PIX side how I can confirm through debug that the
destination packet to 172.30.21.215 is going through the NAT engine, so
I feel confident that the remote side should see traffic sourced from
216.26.153.12 via my static xlate?

Kind regards,

--mikej

	-----Original Message-----
	From: Mounir Mohamed [mailto:mounir.mohamed at gmail.com]
	Sent: Monday, December 11, 2006 6:21 PM
	To: Michael G. Jung
	Cc: cisco-bba at puck.nether.net
	Subject: Re: [cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX 6.3

	Dear Michael,

	No, dear, IPSEC happens before NAT, so the ACL is matching on
	something wrong; the URL below shows the NAT order of operations.

	Did you try to change the ACL by replacing the real IP address
	with your private one? I believe this will give you debug output.

	http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

	Best Regards,
	Mounir Mohamed
	 
	On 12/12/06, Michael G. Jung <mikej at confluenttech.com> wrote:

		Thanks for your response.

		I may be wrong, but I have always understood NAT to occur
		BEFORE IPSEC.

		Thus, if you want an inside host on one end to talk with
		an inside host on the remote end of a tunnel, you place your
		interesting traffic rules in whatever access-list applies to
		your appropriate NAT-0 rule, so that the PIX knows not to
		process your traffic through the NAT engine before the tunnel
		(IPSEC or otherwise).

		It's my opinion that in my case the PIX is not finding
		interesting traffic bound for 172.30.21.216 from 216.26.153.12,
		and this is why I am seeing no debugging information.

		I don't understand why this is occurring with how I'm
		attempting to configure this scenario.

		--mikej

			-----Original Message-----
			From: Mounir Mohamed [mailto:mounir.mohamed at gmail.com]
			Sent: Monday, December 11, 2006 5:58 PM
			To: Michael G. Jung
			Cc: cisco-bba at puck.nether.net
			Subject: Re: [cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX 6.3

			Dear Michael,

			I think your debug output gets nothing because the NAT
			happens after the IPSEC tunnel initiation failed. Mainly,
			routing happens first, then NAT; if the outgoing interface is
			the outside one, NAT takes action. So when your private subnet
			tries to initiate traffic toward the remote VPN, the traffic
			arrives on the PIX interface as a private address, then tries
			to initiate the IPSEC tunnel, and it fails because the source
			address isn't found in the interesting traffic ACL
			(global-vpn).

			If I am wrong anybody can correct me :)

			Best Regards,
			Mounir Mohamed
			 
			On 12/11/06, Michael G. Jung <mikej at confluenttech.com> wrote:

				I have several tunnels up and operational on an old
				PIX-520 running 6.3(4)120.

				I want to establish a new tunnel, but I want to static
				xlate my inside address to a real-world address, and have
				the destination host see my traffic as sourced from the
				NAT'd address.

				So I've built an access-list for interesting traffic for
				the tunnel, built by static, and have not specified the
				interesting traffic in my NAT-0 access-list that I use for
				other tunnels. I've turned up debug crypto isakmp on the
				PIX but I don't see any initiation.

				My inside host on interface DMZ is 172.0.255.15, which is
				NAT'd to 216.26.153.12.

				So I want 172.0.255.15 to connect to the remote host
				172.30.21.216, presenting itself as sourced from the NAT'd
				address 216.26.153.12.

				Here is what I think is relevant.

				ip address outside 216.26.153.4 255.255.255.128
				ip address dmz 172.0.255.1 255.255.255.0

				access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215

				static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0

				sysopt connection permit-ipsec

				crypto ipsec transform-set global-vpn esp-3des esp-md5-hmac

				crypto map outside 212 ipsec-isakmp
				crypto map outside 212 match address global-vpn
				crypto map outside 212 set peer not.my.real.ip
				crypto map outside 212 set transform-set global-vpn

				crypto map outside interface outside

				isakmp enable outside
				isakmp key ******** address not.my.real.ip netmask 255.255.255.255
				isakmp identity address

				isakmp policy 100 authentication pre-share
				isakmp policy 100 encryption 3des
				isakmp policy 100 hash md5
				isakmp policy 100 group 2
				isakmp policy 100 lifetime 86400

				Any ideas, am I approaching this correctly with the static
				and not using nat0 for 216.26.153.12 <-> 172.30.21.215?

				Thanks for any suggestions.

				--mikej
				Michael Jung

				_______________________________________________
				cisco-bba mailing list
				cisco-bba at puck.nether.net
				https://puck.nether.net/mailman/listinfo/cisco-bba




			--
			Best Regards,
			Mounir Mohamed

	--
	Best Regards,
	Mounir Mohamed
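As an added example (not code from the thread, from Cisco, or from either poster), the short Python lint below parses the `static`, `access-list ... permit ... host ... host ...` and `crypto map ... match address` lines of a PIX 6.x fragment and reports, for every entry of an ACL that is bound to a crypto map, whether its source host is the real (pre-translation) or the global (translated) address of a static xlate. It only makes the NAT/crypto-ACL relationship visible so each entry can be checked against the order-of-operations note Mounir linked; it does not decide which form is right for a given platform. The sample config is constructed from the lines posted in the thread, with both forms of the ACL entry that mikej tried (the `nonat` line is constructed and is ignored because it is neither host-to-host nor bound to a crypto map).

```python
# Added example: lint a PIX 6.x config fragment and classify the source
# address of each crypto-map ACL entry relative to the configured statics.
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# static (real_if,mapped_if) <global> <local> [netmask ...] [max_conns emb_limit]
STATIC_RE = re.compile(rf"^static \((\w+),(\w+)\) (?P<global>{IP}) (?P<local>{IP})")
# Only host-to-host permit entries are classified here.
ACL_HOST_RE = re.compile(
    rf"^access-list (?P<name>\S+) permit (?P<proto>\S+) host (?P<src>{IP}) host (?P<dst>{IP})"
)
CRYPTO_ACL_RE = re.compile(r"^crypto map \S+ \d+ match address (?P<acl>\S+)")


@dataclass
class Finding:
    acl: str
    src: str
    dst: str
    role: str   # "global", "real" or "none"
    note: str


def lint_crypto_acls(config: str) -> List[Finding]:
    """Return one Finding per host-to-host entry of every ACL bound to a crypto map."""
    global_to_local: Dict[str, str] = {}
    local_to_global: Dict[str, str] = {}
    acl_entries: List[Tuple[str, str, str]] = []
    crypto_acls: Set[str] = set()

    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            global_to_local[m["global"]] = m["local"]
            local_to_global[m["local"]] = m["global"]
            continue
        m = ACL_HOST_RE.match(line)
        if m:
            acl_entries.append((m["name"], m["src"], m["dst"]))
            continue
        m = CRYPTO_ACL_RE.match(line)
        if m:
            crypto_acls.add(m["acl"])

    findings: List[Finding] = []
    for name, src, dst in acl_entries:
        if name not in crypto_acls:
            continue  # not a crypto ACL (e.g. a nat 0 ACL), nothing to report
        if src in global_to_local:
            role = "global"
            note = f"translated address; a static maps it from real host {global_to_local[src]}"
        elif src in local_to_global:
            role = "real"
            note = f"pre-translation address; a static translates it to {local_to_global[src]}"
        else:
            role = "none"
            note = "no static covers this source address"
        findings.append(Finding(name, src, dst, role, note))
    return findings


# Constructed sample built from the thread's config lines: the static, the
# crypto map binding, and both ACL forms that were tried. The nonat line is
# constructed filler that the lint deliberately ignores.
SAMPLE_CONFIG = """
access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215
access-list global-vpn permit ip host 172.0.255.15 host 172.30.21.215
access-list nonat permit ip 172.0.255.0 255.255.255.0 10.0.0.0 255.0.0.0
static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0
crypto map outside 212 ipsec-isakmp
crypto map outside 212 match address global-vpn
"""

if __name__ == "__main__":
    for f in lint_crypto_acls(SAMPLE_CONFIG):
        print(f"{f.acl}: {f.src} -> {f.dst}: source is {f.role} ({f.note})")
```

Run against a real configuration, the report shows at a glance which crypto ACL entries are written in terms of inside addresses and which in terms of the statics' global addresses, which is the first thing to settle before reaching for `debug crypto isakmp`.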
