<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2995" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=638320500-12122006>Mounir
Mohamed:</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=638320500-12122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=638320500-12122006>Thanks!</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=638320500-12122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=638320500-12122006>For
the list, and those still learning like me: changing</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=638320500-12122006></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff><SPAN class=638320500-12122006><FONT
color=#000000>access-list global-vpn permit ip host 216.26.153.12 host
172.30.21.215</FONT></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=638320500-12122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=638320500-12122006>to
</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=638320500-12122006></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff><SPAN class=638320500-12122006><FONT
color=#000000>access-list global-vpn permit ip host 172.0.255.15 host
172.30.21.215</FONT></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=638320500-12122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=638320500-12122006>makes
the IPSEC engine see interesting traffic and I get initiation. The solution is
not complete, but I understand more.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=638320500-12122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=638320500-12122006>Any
idea, on the PIX side, how I can confirm through debug that the packet destined
for 172.30.21.215 is going through the NAT engine, so I can feel confident that
the remote side should see traffic sourced from 216.26.153.12 via my static
xlate?</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=638320500-12122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=638320500-12122006>Kind
regards,</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=638320500-12122006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=638320500-12122006>--mikej</SPAN></FONT></DIV>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Mounir Mohamed
[mailto:mounir.mohamed@gmail.com] <BR><B>Sent:</B> Monday, December 11, 2006
6:21 PM<BR><B>To:</B> Michael G. Jung<BR><B>Cc:</B>
cisco-bba@puck.nether.net<BR><B>Subject:</B> Re: [cisco-bba] FW: Static NAT
translation over IPSEC tunnel - PIX 6.3<BR><BR></FONT></DIV>
<DIV>Dear Michael,</DIV>
<DIV> </DIV>
<DIV>No, dear, IPSEC happens before NAT, so the ACL is matching on something
wrong; the URL below shows the NAT order of operations.</DIV>
<DIV> </DIV>
<DIV>Did you try to change the ACL by replacing the real IP address with your
private one? I believe this will give you debug output.</DIV>
<DIV> </DIV>
<DIV><A
href="http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml">http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml</A></DIV>
<DIV> </DIV>
<DIV>Best Regards,</DIV>
<DIV>Mounir Mohamed<BR><BR> </DIV>
<DIV><SPAN class=gmail_quote>On 12/12/06, <B class=gmail_sendername>Michael G.
Jung</B> &lt;<A
href="mailto:mikej@confluenttech.com">mikej@confluenttech.com</A>&gt;
wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2>Thanks for your
response.</FONT></SPAN></DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2>I may be wrong
but I have always understood NAT to occur BEFORE ipsec.
</FONT></SPAN></DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2>Thus, if you want an inside
host on one end to talk with an inside host on the remote end of a tunnel,
you place your interesting traffic rules in whatever access-list applies to
your appropriate NAT-0 rule so that the PIX knows to not process your
traffic through the NAT engine before the tunnel (IPSEC or otherwise).
</FONT></SPAN></DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2>It's my opinion in my case
that the PIX is not finding interesting traffic bound for 172.30.21.216 from
216.26.153.12 and this is why I am seeing no debugging
information.</FONT></SPAN></DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2>I don't understand why this
is occurring with how I'm attempting to configure this
scenario.</FONT></SPAN></DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2>--mikej</FONT></SPAN></DIV>
<DIV><SPAN class=e id=q_10f73c6ed30519d4_1>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV lang=en-us dir=ltr align=left><FONT face=Tahoma size=2>-----Original
Message-----<BR><B>From:</B> Mounir Mohamed [mailto:<A
href="mailto:mounir.mohamed@gmail.com">mounir.mohamed@gmail.com</A>]
<BR><B>Sent:</B> Monday, December 11, 2006
5:58 PM<BR><B>To:</B> Michael G. Jung<BR><B>Cc:</B> <A
href="mailto:cisco-bba@puck.nether.net">cisco-bba@puck.nether.net</A><BR><B>Subject:</B> Re:
[cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX
6.3<BR><BR></FONT></DIV>
<DIV>Dear Michael,</DIV>
<DIV> </DIV>
<DIV>I think your debug output gets nothing because the NAT happens after
the IPSEC tunnel initiation failed; mainly, routing happens first, then NAT.
If the outgoing interface is the outside one, NAT takes action, so when your
private subnet tries to initiate traffic toward the remote VPN, the traffic
arrives on the PIX interface as a private address, then tries to initiate
the IPSEC tunnel, and then it fails because the source address isn't found
in the interesting traffic ACL (global-vpn). </DIV>
<DIV> </DIV>
<DIV>If I am wrong, anybody can correct me :)</DIV>
<DIV> </DIV>
<DIV>Best Regards,</DIV>
<DIV>Mounir Mohamed<BR><BR> </DIV>
<DIV><SPAN class=gmail_quote>On 12/11/06, <B
class=gmail_sendername>Michael G. Jung</B> &lt;<A
href="mailto:mikej@confluenttech.com">mikej@confluenttech.com</A>&gt; wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV><FONT face=Tahoma size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#000000 size=2>I have several tunnels up and
operational on an old PIX-520 running 6.3(4)120</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial><FONT size=2>I want to establish a new
tunnel, but I want to static xlate my inside address to a real-world
address, and <SPAN><FONT color=#0000ff> have the destination
host see my traffic as sourced from the NAT'd address.
</FONT></SPAN></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT
size=2><SPAN></SPAN></FONT></FONT> </DIV>
<DIV><FONT face=Arial size=2>So I've built an access-list for interesting
traffic for the tunnel, built by static, and have not specified the
interesting traffic in my NAT-0 access-list that I use for other
tunnels. I've turned up debug crypto isakmp on the PIX, but I don't see any
initiation.</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>My inside host on interface DMZ is 172.0.255.15,
which is NAT'd to 216.26.153.12.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>So I want 172.0.255.15 to connect to
the remote host 172.30.21.216 presenting
itself as sourced from the NAT'd address 216.26.153.12.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here is what I think is
relevant.</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>ip address outside 216.26.153.4 255.255.255.128<BR>ip
address dmz 172.0.255.1 255.255.255.0</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215<BR> </DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV>static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0
0<BR> </DIV>
<DIV>sysopt connection permit-ipsec<BR> </DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV>crypto ipsec transform-set global-vpn esp-3des
esp-md5-hmac<BR> </DIV>
<DIV>crypto map outside 212 ipsec-isakmp<BR>crypto map outside 212 match
address global-vpn<BR>crypto map outside 212 set peer not.my.real.ip
</DIV>
<DIV>crypto map outside 212 set transform-set global-vpn<BR> </DIV>
<DIV>crypto map outside interface outside</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>isakmp enable outside<BR>isakmp key ********
address not.my.real.ip netmask 255.255.255.255<BR>isakmp identity address </DIV>
<DIV><BR>isakmp policy 100 authentication pre-share<BR>isakmp
policy 100 encryption 3des <BR>isakmp policy 100 hash md5<BR>isakmp
policy 100 group 2<BR>isakmp policy 100 lifetime 86400<BR> </DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN> </SPAN>Any ideas? Am I approaching this correctly with
the static and not using nat0 for 216.26.153.12 &lt;-&gt; 172.30.21.215?</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>Thanks for any suggestions.</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>--mikej</DIV>
<DIV>Michael Jung</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff
size=2></FONT> </DIV></DIV><BR>_______________________________________________<BR>cisco-bba
mailing list<BR><A
href="mailto:cisco-bba@puck.nether.net">cisco-bba@puck.nether.net</A><BR><A
href="https://puck.nether.net/mailman/listinfo/cisco-bba">https://puck.nether.net/mailman/listinfo/cisco-bba</A><BR><BR><BR></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR>Best Regards,<BR>Mounir Mohamed
</BLOCKQUOTE></SPAN></DIV></DIV></BLOCKQUOTE></DIV><BR><BR clear=all><BR>--
<BR>Best Regards,<BR>Mounir Mohamed </BLOCKQUOTE></BODY></HTML>