<div>Dear Michael,</div>
<div> </div>
<div>No, dear, IPSEC happens before NAT, so the ACL is matching on something wrong; the URL below shows the NAT order of operations.</div>
<div> </div>
<div>Did you try changing the ACL by replacing the real IP address with your private one? I believe this will give you debug output.</div>
<div> </div>
<div><a href="http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml">http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml</a></div>
<div> </div>
<div>Best Regards,</div>
<div>Mounir Mohamed<br><br> </div>
<div><span class="gmail_quote">On 12/12/06, <b class="gmail_sendername">Michael G. Jung</b> <<a href="mailto:mikej@confluenttech.com">mikej@confluenttech.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>
<div><span><font face="Arial" color="#0000ff" size="2">Thanks for your response.</font></span></div>
<div><span><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div><span><font face="Arial" color="#0000ff" size="2">I may be wrong but I have always understood NAT to occur BEFORE ipsec. </font></span></div>
<div><span><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div><span><font face="Arial" color="#0000ff" size="2">Thus, if you want an inside host on one end to talk with an inside host on the remote end of a tunnel, you place your interesting traffic rules in whatever access-list applies to your appropriate NAT-0 rule so that the PIX knows to not process your traffic through the NAT engine before the tunnel (IPSEC or otherwise).
</font></span></div>
<div><span><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div><span><font face="Arial" color="#0000ff" size="2">It's my opinion in my case that the PIX is not finding interesting traffic bound for 172.30.21.216 from 216.26.153.12 and this is why I am seeing no debugging information.</font></span></div>
<div><span><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div><span><font face="Arial" color="#0000ff" size="2">I don't understand why this is occurring with how I'm attempting to configure this scenario.</font></span></div>
<div><span><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div><span><font face="Arial" color="#0000ff" size="2">--mikej</font></span></div>
<div><span class="e" id="q_10f73c6ed30519d4_1">
<blockquote style="MARGIN-RIGHT: 0px">
<div></div>
<div lang="en-us" dir="ltr" align="left"><font face="Tahoma" size="2">-----Original Message-----<br><b>From:</b> Mounir Mohamed [mailto:<a href="mailto:mounir.mohamed@gmail.com">mounir.mohamed@gmail.com</a>] <br><b>Sent:</b> Monday, December 11, 2006 5:58 PM<br><b>To:</b> Michael G. Jung<br><b>Cc:</b> <a href="mailto:cisco-bba@puck.nether.net">cisco-bba@puck.nether.net</a><br><b>Subject:</b> Re: [cisco-bba] FW: Static NAT translation over IPSEC tunnel - PIX 6.3<br><br></font></div>
<div>Dear Michael,</div>
<div> </div>
<div>I think your debug output gets nothing because the NAT happens after the IPSEC tunnel initiation failed. Mainly, routing happens first, then NAT: if the outgoing interface is the outside one, NAT takes action. So when your private subnet tries to initiate traffic toward the remote VPN, the traffic arrives on the PIX interface as a private address, then tries to initiate the IPSEC tunnel, and it fails because the source address is not found in the interesting traffic ACL (global-vpn).
</div>
<div> </div>
<div>If I am wrong, anybody can correct me :)</div>
<div> </div>
<div>Best Regards,</div>
<div>Mounir Mohamed<br><br> </div>
<div><span class="gmail_quote">On 12/11/06, <b class="gmail_sendername">Michael G. Jung</b> <<a href="mailto:mikej@confluenttech.com">mikej@confluenttech.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>
<div><font face="Tahoma" size="2"></font> </div>
<div><font face="Arial" color="#000000" size="2">I have several tunnels up and operational on an old PIX-520 running 6.3(4)120</font></div>
<div> </div>
<div><font face="Arial"><font size="2">I want to establish a new tunnel, but I want to static xlate my inside address to a real world address, and <span><font color="#0000ff"> have the destination host see my traffic as sourced from the NAT'd address.
</font></span></font></font></div>
<div><font face="Arial"><font size="2"><span></span></font></font> </div>
<div><font face="Arial" size="2">So I've built an access-list for interesting traffic for the tunnel, built by static, and have not specified the interesting traffic in my NAT-0 access-list that I use for other tunnels. I've turned up debug crypto isakmp on the PIX but I don't see any initiation.</font></div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div>
<div><font face="Arial" size="2">My inside host on interface DMZ is 172.0.255.15 which is NAT'd to 216.26.153.12.</font></div>
<div><font face="Arial" size="2"></font> </div>
<div><font face="Arial" size="2">So I want 172.0.255.15 to connect to the remote host 172.30.21.216 presenting itself as sourced from the NAT'd address 216.26.153.12.</font></div>
<div><font face="Arial" size="2"></font> </div>
<div><font face="Arial" size="2">Here is what I think is relevant.</font></div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div>
<div>ip address outside 216.26.153.4 255.255.255.128<br>ip address dmz 172.0.255.1 255.255.255.0</div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div>
<div>access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215<br> </div>
<div><span><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div>static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0<br> </div>
<div>sysopt connection permit-ipsec<br> </div>
<div><span><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div>crypto ipsec transform-set global-vpn esp-3des esp-md5-hmac<br> </div>
<div>crypto map outside 212 ipsec-isakmp<br>crypto map outside 212 match address global-vpn<br>crypto map outside 212 set peer not.my.real.ip </div>
<div>crypto map outside 212 set transform-set global-vpn<br> </div>
<div>crypto map outside interface outside</div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div>
<div>isakmp enable outside<br>isakmp key ******** address not.my.real.ip netmask 255.255.255.255<br>isakmp identity address</div>
<div><br>isakmp policy 100 authentication pre-share<br>isakmp policy 100 encryption 3des<br>isakmp policy 100 hash md5<br>isakmp policy 100 group 2<br>isakmp policy 100 lifetime 86400<br> </div>
<div><span><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div>Any ideas, am I approaching this correctly with the static and not using nat0 for 216.26.153.12 &lt;-&gt; 172.30.21.215?</div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div>
<div>Thanks for any suggestions.</div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div>
<div>--mikej</div>
<div>Michael Jung</div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div></div><br>_______________________________________________<br>cisco-bba mailing list<br><a href="mailto:cisco-bba@puck.nether.net">cisco-bba@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-bba">https://puck.nether.net/mailman/listinfo/cisco-bba</a><br>
<br><br></blockquote></div><br><br clear="all"><br>-- <br>Best Regards,<br>Mounir Mohamed </blockquote></span></div></div></blockquote></div><br><br clear="all"><br>-- <br>Best Regards,<br>Mounir Mohamed
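<div>An added example, not code from the thread or from Cisco: a small Python model of the outbound path the replies argue about, assuming that NAT (a nat 0 exemption or a static) is applied before the crypto map on outside is checked, as the NAT order-of-operations note linked above describes. It walks the flows named in the thread against the posted static and crypto ACL; the private-vpn and nat0 ACLs are constructed stand-ins for the alternatives discussed in the replies, and both remote addresses (.215 and .216) are used exactly as they appear in the thread.</div>

```python
# Constructed model (not Cisco code) of the PIX outbound path: NAT first, then the crypto map check on the translated packet.
import ipaddress
import re

ACL_RE = re.compile(r"access-list (\S+) permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")

def _net(spec):
    """'host A' -> A/32, 'A MASK' -> A/MASK (PIX ACLs take real netmasks)."""
    kind, *rest = spec.split()
    if kind == "host":
        return ipaddress.ip_network(rest[0] + "/32")
    return ipaddress.ip_network(f"{kind}/{rest[0]}", strict=False)

def parse_config(text):
    """Return ({acl_name: [(src_net, dst_net)]}, {local_ip: global_ip})."""
    acls, statics = {}, {}
    for line in (ln.strip() for ln in text.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((_net(m[2]), _net(m[3])))
        elif m := STATIC_RE.match(line):
            statics[ipaddress.ip_address(m[4])] = ipaddress.ip_address(m[3])
    return acls, statics

def _matches(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)

def outbound(cfg, src, dst, nat0_acl=None, crypto_acl="global-vpn"):
    """Walk one inside->outside flow; returns (post-NAT source, disposition)."""
    acls, statics = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1: NAT. A nat 0 match keeps the private source, a static rewrites it,
    # and with nat-control (the 6.3 default) a flow with no xlate is dropped.
    if nat0_acl and _matches(acls.get(nat0_acl, []), src, dst):
        post = src
    elif src in statics:
        post = statics[src]
    else:
        return str(src), "dropped: no translation group found"
    # Step 2: the crypto map on outside is evaluated against the translated packet.
    if _matches(acls.get(crypto_acl, []), post, dst):
        return str(post), "ipsec: matches crypto ACL, ISAKMP initiated"
    return str(post), "clear: no crypto match, sent unencrypted"

# The posted static and crypto ACL, plus two constructed ACLs for the alternatives
# discussed in the thread (crypto ACL on the private address; a nat 0 exemption).
POSTED = """access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215
static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0
access-list private-vpn permit ip host 172.0.255.15 host 172.30.21.215
access-list nat0 permit ip host 172.0.255.15 host 172.30.21.215"""
```

Run `outbound(parse_config(POSTED), "172.0.255.15", "172.30.21.215")` and the .216 variant to see which flow the posted crypto ACL selects after translation, and pass `nat0_acl="nat0", crypto_acl="private-vpn"` to see the nat 0 path where the private source survives to the crypto check.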