[cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX 6.3
Michael G. Jung
mikej at confluenttech.com
Mon Dec 11 19:13:21 EST 2006
Mounir Mohamed:
Thanks!
For the list and those still learning like me changing
access-list global-vpn permit ip host 216.26.153.12
<http://216.26.153.12/> host 172.30.21.215 <http://172.30.21.215/>
to
access-list global-vpn permit ip host 172.0.255.15
<http://216.26.153.12/> host 172.30.21.215 <http://172.30.21.215/>
makes the IPSEC engine see interesting traffic and I get initiation.
Solution not complete but I understand more.
Any Idea on the PIX side how I can confirm through debug that the
destination packet to 172.30.21.215 is
going through the NAT engine so I feel confident that the remote side
should see traffic sourced from
216.26.153.12 via my static xlate?
Kind regards,
--mikej
-----Original Message-----
From: Mounir Mohamed [mailto:mounir.mohamed at gmail.com]
Sent: Monday, December 11, 2006 6:21 PM
To: Michael G. Jung
Cc: cisco-bba at puck.nether.net
Subject: Re: [cisco-bba] FW: Static NAT translation over IPSEC
tunnel - PIX 6.3
Dear Michael,
NO dear IPSEC happen before NAT, so the ACL matching on
something wrong, the below URL shown the NAT oder operations
Did you try to change the ACL by replace the real ip address
with your private one, i belive this will give you debug output.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a
0080133ddd.shtml
Best Regards,
Mounir Mohamed
On 12/12/06, Michael G. Jung <mikej at confluenttech.com> wrote:
Thanks for you response.
I may be wrong but I have always understood NAT to occur
BEFORE ipsec.
Thus, if you want an inside host on one end to talk with
an inside host on the remote end of a tunnel, you place your interesting
traffic rules in whatever access-list applies to your appropriate NAT-0
rule so that the PIX knows to not process your traffic through the NAT
engine before the tunnel (IPSEC or otherwise).
It's my opinion in my case that the PIX is not finding
interesting traffic bound for 172.30.21.216 <http://172.30.21.216/>
from 216.26.153.12 <http://216.26.153.12/> and this is why I am seeing
no debugging information.
I don't understand why this is occurring with how I'm
attempting to configure this scenario.
--mikej
-----Original Message-----
From: Mounir Mohamed [mailto:
mounir.mohamed at gmail.com <mailto:mounir.mohamed at gmail.com> ]
Sent: Monday, December 11, 2006 5:58 PM
To: Michael G. Jung
Cc: cisco-bba at puck.nether.net
Subject: Re: [cisco-bba] FW: Static NAT
translation over IPSEC tunnel - PIX 6.3
Dear Michael,
I think your debug output get nothing because
the NAT happen after the IPSEC tunnel intiation failed, mainly routing
happen first then NAT, if the outgoing interface is the outside one NAT
take action, so when ur private subnet trying to intiate traffic toward
remote vpn the traffic arrived on the PIX interface as private address,
then trying to intiate the IPSEC tunnle then it's failed because the
source address doesn't found on the interisting traffic ACL
(global-vpn).
If am wrong anybody can correct me :)
Best Regards,
Mounir Mohamed
On 12/11/06, Michael G. Jung
<mikej at confluenttech.com > wrote:
I have several tunnels up and
operational on a old PIX-520 running 6.3(4)120
I want to establish a new tunnel, but I
want to static xlate my inside address to a real world address, and
have the destination host see my traffic as sourced from the NAT'd
address.
So I've build a access-list for
interesting traffic for the tunnel, built by static and have not
specified the interesting traffic in my NAT-0 access-list that I use for
other tunnels. I've turned up debug crypto isakmp on the pix but I
don't see any initiation.
My inside host on interface DMZ is
172.0.255.15 <http://172.0.255.15/> which is NAT'd to 216.26.153.12
<http://216.26.153.12/> .
So I want 172.0.255.15
<http://172.0.255.15/> to connect to the remote host 172.30.21.216
<http://172.30.21.216/> presenting itself as sourced from the nat'd
address 216.26.153.12 <http://216.26.153.12/> .
Here is what I think is relevent.
ip address outside 216.26.153.4
<http://216.26.153.4/> 255.255.255.128 <http://255.255.255.128/>
ip address dmz 172.0.255.1
<http://172.0.255.1/> 255.255.255.0 <http://255.255.255.0/>
access-list global-vpn permit ip host
216.26.153.12 <http://216.26.153.12/> host 172.30.21.215
<http://172.30.21.215/>
static (dmz,outside) 216.26.153.12
<http://216.26.153.12/> 172.0.255.15 <http://172.0.255.15/> netmask
255.255.255.255 <http://255.255.255.255/> 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set global-vpn
esp-3des esp-md5-hmac
crypto map outside 212 ipsec-isakmp
crypto map outside 212 match address
global-vpn
crypto map outside 212 set peer
not.my.real.ip
crypto map outside 212 set transform-set
global-vpn
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address
not.my.real.ip netmask 255.255.255.255 <http://255.255.255.255/>
isakmp identity address
isakmp policy 100 authentication
pre-share
isakmp policy 100 encryption 3des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 86400
Any ideas, am I approaching this
correctly with the static and not using nat0 for 216.26.153.12
<http://216.26.153.12/> <->172.30.21.215 <http://172.30.21.215/> ?
Thanks for any suggestions.
--mikej
Michael Jung
_______________________________________________
cisco-bba mailing list
cisco-bba at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-bba
--
Best Reagrds,
Mounir Mohamed
--
Best Reagrds,
Mounir Mohamed
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://puck.nether.net/pipermail/cisco-bba/attachments/20061211/1e3eee34/attachment-0001.html
More information about the cisco-bba
mailing list