[cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX 6.3

Mounir Mohamed mounir.mohamed at gmail.com
Mon Dec 11 19:18:33 EST 2006


Dear Michael,

Just keep your current ACL as it is, and change the interesting traffic
on the remote VPN site to be like this:

access-list vpn1 permit ip host 172.30.21.215 host 216.26.153.12

Please let me know if it works.

Best Regards,
Mounir Mohamed

On 12/12/06, Michael G. Jung <mikej at confluenttech.com> wrote:
>
>  Mounir Mohamed:
>
> Thanks!
>
> For the list, and those still learning like me: changing
>
> access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215
>
> to
>
> access-list global-vpn permit ip host 172.0.255.15 host 172.30.21.215
>
> makes the IPSEC engine see interesting traffic and I get initiation.
> Solution not complete but I understand more.
>
> Any idea, on the PIX side, how I can confirm through debug that the
> packet destined to 172.30.21.215 is going through the NAT engine, so I
> feel confident that the remote side should see traffic sourced from
> 216.26.153.12 via my static xlate?
>
> Kind regards,
>
> --mikej
>
>  -----Original Message-----
> *From:* Mounir Mohamed [mailto:mounir.mohamed at gmail.com]
> *Sent:* Monday, December 11, 2006 6:21 PM
> *To:* Michael G. Jung
> *Cc:* cisco-bba at puck.nether.net
> *Subject:* Re: [cisco-bba] FW: Static NAT translation over IPSEC tunnel -
> PIX 6.3
>
> Dear Michael,
>
> No, IPsec happens before NAT, so the ACL is matching on the wrong thing;
> the URL below shows the NAT order of operations.
>
> Did you try to change the ACL by replacing the real IP address with your
> private one? I believe this will give you debug output.
>
>
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
>
> Best Regards,
> Mounir Mohamed
>
>
> On 12/12/06, Michael G. Jung <mikej at confluenttech.com> wrote:
> >
> > Thanks for your response.
> >
> > I may be wrong, but I have always understood NAT to occur BEFORE IPsec.
> >
> > Thus, if you want an inside host on one end to talk with an inside host
> > on the remote end of a tunnel, you place your interesting traffic rules in
> > whatever access-list applies to your appropriate NAT-0 rule so that the PIX
> > knows to not process your traffic through the NAT engine before the tunnel
> > (IPSEC or otherwise).
> >
> > It's my opinion in my case that the PIX is not finding interesting
> > traffic bound for 172.30.21.216 from 216.26.153.12 and this is why I am
> > seeing no debugging information.
> >
> > I don't understand why this is occurring with how I'm attempting to
> > configure this scenario.
> >
> > --mikej
> >
> >  -----Original Message-----
> > *From:* Mounir Mohamed [mailto: mounir.mohamed at gmail.com]
> > *Sent:* Monday, December 11, 2006 5:58 PM
> > *To:* Michael G. Jung
> > *Cc:* cisco-bba at puck.nether.net
> > *Subject:* Re: [cisco-bba] FW: Static NAT translation over IPSEC tunnel
> > - PIX 6.3
> >
> > Dear Michael,
> >
> > I think your debug output gets nothing because the NAT happens after the
> > IPsec tunnel initiation failed. Mainly, routing happens first, then NAT; if the
> > outgoing interface is the outside one, NAT takes action. So when your private
> > subnet tries to initiate traffic toward the remote VPN, the traffic arrives on
> > the PIX interface with a private address, then tries to initiate the IPsec
> > tunnel, and that fails because the source address is not found in the
> > interesting traffic ACL (global-vpn).
> >
> > If I am wrong, anybody can correct me :)
> >
> > Best Regards,
> > Mounir Mohamed
> >
> >
> > On 12/11/06, Michael G. Jung <mikej at confluenttech.com > wrote:
> > >
> > >
> > > I have several tunnels up and operational on an old PIX-520 running 6.3(4)120
> > >
> > > I want to establish a new tunnel, but I want to static xlate my inside
> > > address to a real-world address, and have the destination host see my
> > > traffic as sourced from the NAT'd address.
> > >
> > > So I've built an access-list for interesting traffic for the tunnel,
> > > built on the static, and have not specified the interesting traffic in my NAT-0
> > > access-list that I use for other tunnels. I've turned up debug
> > > crypto isakmp on the PIX but I don't see any initiation.
> > >
> > > My inside host on interface DMZ is 172.0.255.15, which is NAT'd to
> > > 216.26.153.12.
> > >
> > > So I want 172.0.255.15 to connect to the remote host 172.30.21.216,
> > > presenting itself as sourced from the NAT'd address 216.26.153.12.
> > >
> > > Here is what I think is relevant.
> > >
> > > ip address outside 216.26.153.4 255.255.255.128
> > > ip address dmz 172.0.255.1 255.255.255.0
> > >
> > > access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215
> > >
> > >
> > > static (dmz,outside) 216.26.153.12 172.0.255.15 netmask
> > > 255.255.255.255 0 0
> > >
> > > sysopt connection permit-ipsec
> > >
> > >
> > > crypto ipsec transform-set global-vpn esp-3des esp-md5-hmac
> > >
> > > crypto map outside 212 ipsec-isakmp
> > > crypto map outside 212 match address global-vpn
> > > crypto map outside 212 set peer not.my.real.ip
> > > crypto map outside 212 set transform-set global-vpn
> > >
> > > crypto map outside interface outside
> > >
> > > isakmp enable outside
> > > isakmp key ******** address not.my.real.ip netmask 255.255.255.255
> > > isakmp identity address
> > >
> > > isakmp policy 100 authentication pre-share
> > > isakmp policy 100 encryption 3des
> > > isakmp policy 100 hash md5
> > > isakmp policy 100 group 2
> > > isakmp policy 100 lifetime 86400
> > >
> > >
> > > Any ideas? Am I approaching this correctly with the static and not
> > > using nat 0 for 216.26.153.12 <-> 172.30.21.215?
> > >
> > > Thanks for any suggestions.
> > >
> > > --mikej
> > > Michael Jung
> > >
> > >
> > >
> > > _______________________________________________
> > > cisco-bba mailing list
> > > cisco-bba at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-bba
> > >
> > >
> > >
> >
> >
> > --
> > Best Regards,
> > Mounir Mohamed
> >
> >
>
>
> --
> Best Regards,
> Mounir Mohamed
>
>


-- 
Best Regards,
Mounir Mohamed
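The thread turns on which source address the crypto ACL has to name for a
host that is covered by a static xlate: the real (pre-NAT) one or the
translated (post-NAT) one. The script below is an added example, not code from
the thread or from any of its participants. It parses the PIX 6.3 lines quoted
above (static, access-list, crypto map match address) and, for the flow
172.0.255.15 -> 172.30.21.215, reports what the static would translate the
source to and whether a given crypto ACL matches the flow on the real address,
on the translated address, or neither. It deliberately does not decide which
order the PIX applies NAT and the crypto check in; it only makes visible which
of the two an ACL was written for. The ACL name global-vpn-real is a
hypothetical name for the pre-NAT variant Michael described, and the sample
config is constructed from the lines posted in the thread.

```python
import ipaddress
import re

# Constructed sample: the PIX 6.3 lines quoted in the thread, plus a second
# ACL "global-vpn-real" (hypothetical name, an assumption) written on the
# real, pre-NAT address as Michael reported trying.
SAMPLE_CONFIG = """\
ip address outside 216.26.153.4 255.255.255.128
ip address dmz 172.0.255.1 255.255.255.0
static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0
access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215
access-list global-vpn-real permit ip host 172.0.255.15 host 172.30.21.215
crypto map outside 212 ipsec-isakmp
crypto map outside 212 match address global-vpn
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
CRYPTO_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")

# Port operators that may follow an address in a tcp/udp ACE; skipped here
# because the crypto check only cares about the address pair.
_PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}


def _parse_addr(tokens):
    """Consume one PIX 6.3 address spec: 'any', 'host A', or 'A NETMASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _skip_port(tokens):
    """Skip an optional port operator (eq 80, range 1 1024) after an address."""
    if tokens and tokens[0] in _PORT_OPS:
        return tokens[_PORT_OPS[tokens[0]]:]
    return tokens


def parse_config(text):
    """Pick the static xlates, access-lists and crypto-map ACL bindings out of
    a PIX 6.3 running-config; every other line is ignored."""
    statics, acls, crypto = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            inside_if, outside_if, glob, real, mask = m.groups()
            mask = mask or "255.255.255.255"
            statics.append({
                "inside_if": inside_if, "outside_if": outside_if,
                "global": ipaddress.ip_network(f"{glob}/{mask}", strict=False),
                "real": ipaddress.ip_network(f"{real}/{mask}", strict=False),
            })
            continue
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            src, rest = _parse_addr(rest.split())
            dst, _ = _parse_addr(_skip_port(rest))
            acls.setdefault(name, []).append((action, proto, src, dst))
            continue
        m = CRYPTO_MATCH_RE.match(line)
        if m:
            crypto[(m.group(1), int(m.group(2)))] = m.group(3)
    return statics, acls, crypto


def translate_source(src_ip, statics):
    """Apply the first static whose real range covers src_ip, keeping the host
    offset for network statics. Returns (translated_ip, static) or (src_ip, None)."""
    src = ipaddress.ip_address(src_ip)
    for st in statics:
        if src in st["real"]:
            offset = int(src) - int(st["real"].network_address)
            return st["global"].network_address + offset, st
    return src, None


def acl_permits(acl, src_ip, dst_ip):
    """First-match evaluation of an ACL for an address pair; implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


def crypto_acl_check(config_text, src_ip, dst_ip, crypto_acl_name):
    """Report whether crypto_acl_name selects the flow on its real (pre-NAT)
    source, on its translated (post-NAT) source, and whether the ACL is
    actually bound to a crypto map entry at all."""
    statics, acls, crypto = parse_config(config_text)
    acl = acls.get(crypto_acl_name, [])
    xlated, st = translate_source(src_ip, statics)
    return {
        "real_src": src_ip,
        "translated_src": str(xlated),
        "static_applied": st is not None,
        "matches_pre_nat": acl_permits(acl, src_ip, dst_ip),
        "matches_post_nat": acl_permits(acl, str(xlated), dst_ip),
        "bound_to_crypto_map": crypto_acl_name in crypto.values(),
    }


if __name__ == "__main__":
    for name in ("global-vpn", "global-vpn-real"):
        print(name, crypto_acl_check(SAMPLE_CONFIG, "172.0.255.15", "172.30.21.215", name))
```

Run it against a saved `show run` instead of SAMPLE_CONFIG to see, for each
flow you expect to be encrypted, which of the two addresses each crypto ACL was
written for; an ACL that matches on neither, or that is not bound to any crypto
map entry, explains a silent `debug crypto isakmp` faster than staring at the
tunnel config does.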