<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2995" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=699060123-11122006><FONT face=Arial color=#0000ff size=2>Thanks
for you response.</FONT></SPAN></DIV>
<DIV><SPAN class=699060123-11122006><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=699060123-11122006><FONT face=Arial color=#0000ff
size=2>I may be wrong but I have always understood NAT to occur BEFORE
ipsec. </FONT></SPAN></DIV>
<DIV><SPAN class=699060123-11122006><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=699060123-11122006><FONT face=Arial color=#0000ff size=2>Thus,
if you want an inside host on one end to talk with an inside host on the remote
end of a tunnel, you place your interesting traffic rules in whatever
access-list applies to your appropriate NAT-0 rule so that the PIX knows to not
process your traffic through the NAT engine before the tunnel (IPSEC or
otherwise).</FONT></SPAN></DIV>
<DIV><SPAN class=699060123-11122006><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=699060123-11122006><FONT face=Arial color=#0000ff size=2>It's
my opinion in my case that the PIX is not finding interesting traffic bound for
<A onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.30.21.216/" target=_blank>172.30.21.216</A> from <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.26.153.12/" target=_blank>216.26.153.12</A> and this is
why I am seeing no debugging information.</FONT></SPAN></DIV>
<DIV><SPAN class=699060123-11122006><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=699060123-11122006><FONT face=Arial color=#0000ff size=2>I
don't understand why this is occurring with how I'm attempting to configure this
scenario.</FONT></SPAN></DIV>
<DIV><SPAN class=699060123-11122006><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=699060123-11122006><FONT face=Arial color=#0000ff
size=2>--mikej</FONT></SPAN></DIV>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Mounir Mohamed
[mailto:mounir.mohamed@gmail.com] <BR><B>Sent:</B> Monday, December 11, 2006
5:58 PM<BR><B>To:</B> Michael G. Jung<BR><B>Cc:</B>
cisco-bba@puck.nether.net<BR><B>Subject:</B> Re: [cisco-bba] FW: Static NAT
translation over IPSEC tunnel - PIX 6.3<BR><BR></FONT></DIV>
<DIV>Dear Michael,</DIV>
<DIV> </DIV>
<DIV>I think your debug output get nothing because the NAT happen after the
IPSEC tunnel intiation failed, mainly routing happen first then NAT, if the
outgoing interface is the outside one NAT take action, so when ur private
subnet trying to intiate traffic toward remote vpn the traffic arrived on the
PIX interface as private address, then trying to intiate the IPSEC tunnle then
it's failed because the source address doesn't found on the interisting
traffic ACL (global-vpn). </DIV>
<DIV> </DIV>
<DIV>If am wrong anybody can correct me :)</DIV>
<DIV> </DIV>
<DIV>Best Regards,</DIV>
<DIV>Mounir Mohamed<BR><BR> </DIV>
<DIV><SPAN class=gmail_quote>On 12/11/06, <B class=gmail_sendername>Michael G.
Jung</B> <<A
href="mailto:mikej@confluenttech.com">mikej@confluenttech.com</A>>
wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV><FONT face=Tahoma size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#000000 size=2>I have several tunnels up and
operational on a old PIX-520 running 6.3(4)120</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial><FONT size=2>I want to establish a new tunnel,
but I want to static xlate my inside address to a real world address,
and <SPAN><FONT color=#0000ff> have the destination host see my
traffic as sourced from the NAT'd address.
</FONT></SPAN></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN></SPAN></FONT></FONT> </DIV>
<DIV><FONT face=Arial size=2>So I've build a access-list for interesting
traffic for the tunnel, built by static and have not specified the
interesting traffic in my NAT-0 access-list that I use for other
tunnels. <SPAN> <FONT color=#0000ff> I've turned up
</FONT></SPAN>debug crypto isakmp <SPAN><FONT color=#0000ff> on
the pix but </FONT></SPAN>I don't see any initiation.</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>My inside host on interface DMZ is <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.0.255.15/" target=_blank>172.0.255.15</A> which
is NAT'd to <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.26.153.12/" target=_blank>216.26.153.12</A>.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>So I want <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.0.255.15/" target=_blank>172.0.255.15</A> to connect to the
remote host <A onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.30.21.216/" target=_blank>172.30.21.216</A> presenting
itself as sourced from the nat'd address <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.26.153.12/" target=_blank>216.26.153.12</A>.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here is what I think is relevent.</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>ip address outside <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.26.153.4/" target=_blank>216.26.153.4</A> <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://255.255.255.128/" target=_blank>255.255.255.128</A><BR>ip
address dmz <A onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.0.255.1/" target=_blank>172.0.255.1</A> <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://255.255.255.0/" target=_blank>255.255.255.0</A><SPAN><FONT
face=Arial color=#0000ff size=2> </FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>access-list global-vpn permit ip host <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.26.153.12/" target=_blank>216.26.153.12</A> host <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.30.21.215/" target=_blank>172.30.21.215</A><BR> </DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV>static (dmz,outside) <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.26.153.12/" target=_blank>216.26.153.12</A> <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.0.255.15/" target=_blank>172.0.255.15</A> netmask <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://255.255.255.255/" target=_blank>255.255.255.255</A> 0
0<BR> </DIV>
<DIV>sysopt connection permit-ipsec<BR> </DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV>crypto ipsec transform-set global-vpn esp-3des
esp-md5-hmac<BR> </DIV>
<DIV>crypto map outside 212 ipsec-isakmp<BR>crypto map outside 212 match
address global-vpn<BR>crypto map outside 212 set peer not.my.real.ip </DIV>
<DIV>crypto map outside 212 set transform-set global-vpn<BR> </DIV>
<DIV>crypto map outside interface outside</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>isakmp enable outside<BR>isakmp key ********
address not.my.real.ip netmask <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://255.255.255.255/" target=_blank>255.255.255.255</A><BR>isakmp
identity address </DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT><FONT face=Arial
color=#0000ff size=2></FONT><FONT face=Arial color=#0000ff
size=2></FONT><BR>isakmp policy 100 authentication pre-share<BR>isakmp
policy 100 encryption 3des <BR>isakmp policy 100 hash md5<BR>isakmp policy
100 group 2<BR>isakmp policy 100 lifetime 86400<BR> </DIV>
<DIV><SPAN><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN> </SPAN>Any ideas, am I approaching this correctly with the
static and not using nat0 for <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.26.153.12/" target=_blank>216.26.153.12</A> <-><A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.30.21.215/" target=_blank>172.30.21.215</A>?</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>Thanks for any suggestions.</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>--mikej</DIV>
<DIV>Michael Jung</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff
size=2></FONT> </DIV></DIV><BR>_______________________________________________<BR>cisco-bba
mailing list<BR><A onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:cisco-bba@puck.nether.net">cisco-bba@puck.nether.net</A><BR><A
onclick="return top.js.OpenExtLink(window,event,this)"
href="https://puck.nether.net/mailman/listinfo/cisco-bba"
target=_blank>https://puck.nether.net/mailman/listinfo/cisco-bba</A><BR><BR><BR></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR>Best Reagrds,<BR>Mounir Mohamed </BLOCKQUOTE></BODY></HTML>