Dear Michael,<br><br>Just keep your current ACL as it is and just change the interesting traffic from the remote VPN sites to be like this:<br><br><span class="q"><div><font color="#0000ff"><span><font color="#000000">access-list vpn1 permit ip host 172.30.21.215 host 216.26.153.12</font></span></font></div></span><br>Please let me know if it's working.
<br><br>Best Regards,<br>Mounir Mohamed<br><br><div><span class="gmail_quote">On 12/12/06, <b class="gmail_sendername">Michael G. Jung</b> <<a href="mailto:mikej@confluenttech.com">mikej@confluenttech.com</a>> wrote:
</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div><font color="#0000ff" face="Arial" size="2"><span>Mounir
Mohamed:</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span></span></font> </div>
<div><font color="#0000ff" face="Arial" size="2"><span>Thanks!</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span></span></font> </div>
<div><font color="#0000ff" face="Arial" size="2"><span>For the list, and for those still learning like me, changing</span></font></div><span class="q">
<div><font color="#0000ff" face="Arial" size="2"><span></span></font> </div>
<div><font color="#0000ff"><span><font color="#000000">access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215</font></span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span></span></font> </div></span>
<div><font color="#0000ff" face="Arial" size="2"><span>to
</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span></span></font> </div>
<div><font color="#0000ff"><span><font color="#000000">access-list global-vpn permit ip host 172.0.255.15 host 172.30.21.215</font></span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span></span></font> </div>
<div><font color="#0000ff" face="Arial" size="2"><span>makes the IPSEC engine see interesting traffic and I get initiation. Solution not complete, but I understand more.</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span></span></font> </div>
<div><font color="#0000ff" face="Arial" size="2"><span>Any idea on the PIX side how I can confirm through debug that the destination packet to <a href="http://172.30.21.215" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.30.21.215</a> is going through the NAT engine, so I feel confident that the remote side should see traffic sourced from <a href="http://216.26.153.12" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.26.153.12</a> via my static xlate?</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span></span></font> </div>
<div><font color="#0000ff" face="Arial" size="2"><span>Kind
regards,</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span></span></font> </div>
<div><font color="#0000ff" face="Arial" size="2"><span>--mikej</span></font></div>
<blockquote style="margin-right: 0px;">
<div></div>
<div dir="ltr" align="left" lang="en-us"><font face="Tahoma" size="2"><span class="q">-----Original Message-----<br><b>From:</b> Mounir Mohamed
[mailto:<a href="mailto:mounir.mohamed@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">mounir.mohamed@gmail.com</a>] <br></span></font><div><span class="e" id="q_10f74018b7e14ba5_4"><font face="Tahoma" size="2">
<b>Sent:</b> Monday, December 11, 2006
6:21 PM<br><b>To:</b> Michael G. Jung<br><b>Cc:</b>
<a href="mailto:cisco-bba@puck.nether.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">cisco-bba@puck.nether.net</a><br><b>Subject:</b> Re: [cisco-bba] FW: Static NAT
translation over IPSEC tunnel - PIX 6.3<br><br></font></span></div></div><div><span class="e" id="q_10f74018b7e14ba5_6">
<div>Dear Michael,</div>
<div> </div>
<div>No dear, IPSEC happens before NAT, so the ACL is matching on something wrong; the URL below shows the NAT order of operations.</div>
<div> </div>
<div>Did you try to change the ACL by replacing the real IP address with your private one? I believe this will give you debug output.</div>
<div> </div>
<div><a href="http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml</a></div>
<div> </div>
<div>Best Regards,</div>
<div>Mounir Mohamed<br><br> </div>
<div><span class="gmail_quote">On 12/12/06, <b class="gmail_sendername">Michael G.
Jung</b> <<a href="mailto:mikej@confluenttech.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">mikej@confluenttech.com</a>>
wrote:</span>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left: 1ex;">
<div>
<div><span><font color="#0000ff" face="Arial" size="2">Thanks for your response.</font></span></div>
<div><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div><span><font color="#0000ff" face="Arial" size="2">I may be wrong
but I have always understood NAT to occur BEFORE ipsec.
</font></span></div>
<div><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div><span><font color="#0000ff" face="Arial" size="2">Thus, if you want an inside
host on one end to talk with an inside host on the remote end of a tunnel,
you place your interesting traffic rules in whatever access-list applies to
your appropriate NAT-0 rule so that the PIX knows to not process your
traffic through the NAT engine before the tunnel (IPSEC or otherwise).
</font></span></div>
<div><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div><span><font color="#0000ff" face="Arial" size="2">It's my opinion in my case
that the PIX is not finding interesting traffic bound for <a href="http://172.30.21.216/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.30.21.216</a> from <a href="http://216.26.153.12/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
216.26.153.12</a> and this
is why I am seeing no debugging information.</font></span></div>
<div><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div><span><font color="#0000ff" face="Arial" size="2">I don't understand why this
is occurring with how I'm attempting to configure this
scenario.</font></span></div>
<div><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div><span><font color="#0000ff" face="Arial" size="2">--mikej</font></span></div>
<div><span>
<blockquote style="margin-right: 0px;">
<div></div>
<div dir="ltr" align="left" lang="en-us"><font face="Tahoma" size="2">-----Original
Message-----<br><b>From:</b> Mounir Mohamed [mailto:<a href="mailto:mounir.mohamed@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
mounir.mohamed@gmail.com</a>] <br><b>Sent:</b> Monday, December 11, 2006
5:58 PM<br><b>To:</b> Michael G. Jung<br><b>Cc:</b> <a href="mailto:cisco-bba@puck.nether.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">cisco-bba@puck.nether.net</a><br><b>Subject:</b>
Re:
[cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX
6.3<br><br></font></div>
<div>Dear Michael,</div>
<div> </div>
<div>I think your debug output gets nothing because the NAT happens after the IPSEC tunnel initiation failed. Mainly, routing happens first, then NAT; if the outgoing interface is the outside one, NAT takes action. So when your private subnet is trying to initiate traffic toward the remote VPN, the traffic arrives on the PIX interface with a private address, then tries to initiate the IPSEC tunnel, and then it fails because the source address isn't found in the interesting traffic ACL (global-vpn). </div>
<div> </div>
<div>If I am wrong, anybody can correct me :)</div>
<div> </div>
<div>Best Regards,</div>
<div>Mounir Mohamed<br><br> </div>
<div><span class="gmail_quote">On 12/11/06, <b class="gmail_sendername">Michael G. Jung</b> <<a href="mailto:mikej@confluenttech.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">mikej@confluenttech.com
</a>> wrote:</span>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left: 1ex;">
<div>
<div><font face="Tahoma" size="2"></font> </div>
<div><font color="#000000" face="Arial" size="2">I have several tunnels up and operational on an old PIX-520 running 6.3(4)120</font></div>
<div> </div>
<div><font face="Arial"><font size="2">I want to establish a new tunnel, but I want to static xlate my inside address to a real-world address, and have the destination host see my traffic as sourced from the NAT'd address.</font></font></div>
<div><font face="Arial"><font size="2"><span></span></font></font> </div>
<div><font face="Arial" size="2">So I've built an access-list for interesting traffic for the tunnel, built by static, and have not specified the interesting traffic in my NAT-0 access-list that I use for other tunnels. I've turned up debug crypto isakmp on the PIX but I don't see any initiation.</font></div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div><font face="Arial" size="2">My inside host on interface DMZ is <a href="http://172.0.255.15/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.0.255.15</a> which
is NAT'd to <a href="http://216.26.153.12/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.26.153.12</a>.</font></div>
<div><font face="Arial" size="2"></font> </div>
<div><font face="Arial" size="2">So I want <a href="http://172.0.255.15/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.0.255.15</a> to connect to
the remote host <a href="http://172.30.21.216/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.30.21.216</a> presenting
itself as sourced from the nat'd address <a href="http://216.26.153.12/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.26.153.12</a>.</font></div>
<div><font face="Arial" size="2"></font> </div>
<div><font face="Arial" size="2">Here is what I think is relevant.</font></div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div>ip address outside 216.26.153.4 255.255.255.128<br>ip address dmz 172.0.255.1 255.255.255.0</div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div>access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215<br> </div>
<div><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div>static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0<br> </div>
<div>sysopt connection permit-ipsec<br> </div>
<div><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div>crypto ipsec transform-set global-vpn esp-3des esp-md5-hmac<br> </div>
<div>crypto map outside 212 ipsec-isakmp<br>crypto map outside 212 match address global-vpn<br>crypto map outside 212 set peer not.my.real.ip</div>
<div>crypto map outside 212 set transform-set global-vpn<br> </div>
<div>crypto map outside interface outside</div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div>isakmp enable outside<br>isakmp key ******** address not.my.real.ip netmask 255.255.255.255<br>isakmp identity address</div>
<div>isakmp policy 100 authentication pre-share<br>isakmp policy 100 encryption 3des<br>isakmp policy 100 hash md5<br>isakmp policy 100 group 2<br>isakmp policy 100 lifetime 86400<br> </div>
<div><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div>Any ideas, am I approaching this correctly with the static and not using nat0 for 216.26.153.12 &lt;-&gt; 172.30.21.215?</div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div>Thanks for any suggestions.</div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div>--mikej</div>
<div>Michael Jung</div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div></div><br>_______________________________________________<br>cisco-bba mailing list<br><a href="mailto:cisco-bba@puck.nether.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">cisco-bba@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-bba" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">https://puck.nether.net/mailman/listinfo/cisco-bba</a><br><br><br></blockquote></div><br><br clear="all"><br>-- <br>Best Regards,<br>Mounir Mohamed
</blockquote></span></div></div></blockquote></div><br><br clear="all"><br>--
<br>Best Regards,<br>Mounir Mohamed </span></div></blockquote></div>
</blockquote></div><br><br clear="all"><br>-- <br>Best Regards,<br>Mounir Mohamed
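<div>The point the two of them go back and forth on is whether the PIX compares the crypto-map ACL against the real (pre-NAT) or the translated address. The script below is an added example, not code from the thread or from Cisco: it parses only the PIX 6.3 line types involved (access-list, static, nat 0, crypto map match address), takes the NAT/IPsec order as a parameter, and reports for each interesting-traffic ACE which source address it would have to name under that assumption. The sample config is constructed from the addresses in Mike's post plus a made-up 10.x nat 0-exempt tunnel; parse_pix, audit, PixConfig and Finding are the example's own names, and the matcher uses exact host/subnet equality rather than prefix containment.</div>

```python
"""Audit a PIX 6.3-style interesting-traffic ACL against static NAT and nat 0.
Added example, not code from the thread: the thread disagrees on whether the
crypto-map ACL is evaluated before or after NAT, so the order is a parameter.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: Mike's addresses from the thread plus a made-up 10.x
# nat 0-exempt tunnel of the kind he says he uses for his other tunnels.
SAMPLE_CONFIG = """
access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215
access-list other-vpn permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0
crypto map outside 10 match address other-vpn
crypto map outside 212 ipsec-isakmp
crypto map outside 212 match address global-vpn
"""

Ace = namedtuple("Ace", "acl src dst")
Static = namedtuple("Static", "real_if mapped_if mapped real")
# expected_src: the address the ACE would have to name in order to match.
Finding = namedtuple("Finding", "acl src dst real mapped exempt expected_src matches")

@dataclass
class PixConfig:
    aces: list = field(default_factory=list)
    statics: list = field(default_factory=list)
    nat0_acls: dict = field(default_factory=dict)    # interface -> ACL name
    crypto_acls: dict = field(default_factory=dict)  # (map, seq) -> ACL name

def _addr(tok, i):
    """Consume one ACL address spec at tok[i]: 'host X' | 'any' | 'net mask'."""
    if tok[i] == "host":
        return tok[i + 1], i + 2
    if tok[i] == "any":
        return "any", i + 1
    return tok[i] + "/" + tok[i + 1], i + 2

def parse_pix(text):
    """Parse only the line types the audit needs; every other line is ignored."""
    cfg = PixConfig()
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:1] == ["access-list"] and len(tok) > 5 and tok[2] == "permit":
            src, i = _addr(tok, 4)  # tok[3] is the protocol keyword
            dst, _ = _addr(tok, i)
            cfg.aces.append(Ace(tok[1], src, dst))
        elif tok[:1] == ["static"]:
            real_if, mapped_if = re.match(r"\((\w+),(\w+)\)", tok[1]).groups()
            cfg.statics.append(Static(real_if, mapped_if, tok[2], tok[3]))
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            cfg.nat0_acls[tok[1].strip("()")] = tok[4]
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            cfg.crypto_acls[(tok[2], tok[3])] = tok[6]
    return cfg

def _lookup_static(cfg, addr):
    """(real, mapped) if a static names addr on either side, else (addr, None)."""
    for s in cfg.statics:
        if addr in (s.real, s.mapped):
            return s.real, s.mapped
    return addr, None

def _nat0_exempt(cfg, real, dst):
    """True if some nat 0 ACL has an ACE exactly covering real -> dst."""
    names = set(cfg.nat0_acls.values())
    return any(a.acl in names and a.src == real and a.dst == dst for a in cfg.aces)

def audit(cfg, nat_before_ipsec=True):
    """For each crypto-map ACE, work out which source address the PIX would be
    comparing against under the given ordering, and whether the ACE names it."""
    findings = []
    for acl in cfg.crypto_acls.values():
        for ace in (a for a in cfg.aces if a.acl == acl):
            real, mapped = _lookup_static(cfg, ace.src)
            exempt = _nat0_exempt(cfg, real, ace.dst)
            # The real address is what the ACL sees if the flow is nat 0-exempt,
            # has no static, or is checked before NAT; otherwise the mapped one.
            if exempt or mapped is None or not nat_before_ipsec:
                expected = real
            else:
                expected = mapped
            findings.append(Finding(acl, ace.src, ace.dst, real, mapped,
                                    exempt, expected, ace.src == expected))
    return findings

if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_CONFIG)
    for order in (True, False):
        print(f"--- crypto ACL evaluated {'after' if order else 'before'} NAT ---")
        for f in audit(cfg, nat_before_ipsec=order):
            print(f"{'OK  ' if f.matches else 'MISS'} {f.acl}: {f.src} -> {f.dst};"
                  f" ACE would need src {f.expected_src} (nat 0 exempt: {f.exempt})")
```

<div>Run against the sample, the global-vpn ACE as Mike first wrote it (host 216.26.153.12) is reported as matching only when the ACL is evaluated after NAT, and the rewritten form with 172.0.255.15 only when it is evaluated before NAT, which is the ordering his "I get initiation" observation is consistent with. The nat 0-exempt tunnel matches under either ordering because exemption leaves the real address in place, which is why the NAT-0 access-list approach he uses for his other tunnels never raised the question.</div>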