[c-nsp] PIX: Source [NP]AT traffic from the other side of a tunnel. Possible?

Matt Stockdale mstockda at logicworks.net
Wed May 31 11:10:46 EDT 2006


Sure -

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list fromClient permit ip host 172.20.x.1 10.4.71.0 255.255.255.0
access-list fromClient permit ip host 172.20.x.2 10.4.71.0 255.255.255.0
.
.
.
access-list fromClient permit ip host 172.20.x.100 10.4.71.0 255.255.255.0

access-list toClient permit ip 10.4.71.0 255.255.255.0 host 172.20.x.1
access-list toClient permit ip 10.4.71.0 255.255.255.0 host 172.20.x.2
.
.
.
access-list toClient permit ip 10.4.71.0 255.255.255.0 host 172.20.x.100
ip address outside 206.x.y.x 255.255.255.224
ip address inside 10.4.71.252 255.255.255.0
global (inside) 1 interface
nat (outside) 1 access-list fromClient outside 0 0
route outside 0.0.0.0 0.0.0.0 206.x.y.1 1
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toCustomer 20 ipsec-isakmp
crypto map toCustomer 20 match address toClient
crypto map toCustomer 20 set peer 65.x.y.z
crypto map toCustomer 20 set transform-set strong
crypto map toCustomer interface outside
isakmp enable outside
isakmp key ******** address 65.x.y.z netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400

Thanks,
  Matt


On Wed, 2006-05-31 at 09:59 -0400, David West wrote:
> What you're attempting should work. Is there an ACL somewhere that's
> dropping the traffic? Could you post a more complete (sanitized)
> config? 
> 
> On 5/30/06, Matt Stockdale <mstockda at logicworks.net> wrote:
>         Whoops - I forgot to specify, PIX A is running 6.3(3), in which I
>         believe that the nat (outside) ... outside feature is enabled.
>         
>         On Tue, 2006-05-30 at 15:14 -0400, Matt Stockdale wrote:
>         > Folks -
>         >
>         >   With the following setup
>         >
>         > 10.4.71.0/24------(inside)PIX A(outside)---------Internet----------(outside)PIX B(inside)--172.20.0.0/26
>         >
>         >   Is it possible to source NAT/PAT traffic from 172.20.0.0/16 to
>         > 10.4.71.0/24, such that it appears to be coming either from the inside
>         > interface of PIX A itself, or an internal global NAT IP for this purpose?
>         >
>         >   My attempts so far have resulted in
>         >
>         >   %PIX-3-305005: No translation group found for icmp src outside:172.20.66.126 dst inside:10.4.71.254 (type 8, code 0)
>         >
>         > I've set up the "outside" nat config thusly
>         >
>         > nat (outside) 1 access-list fromClient outside 
>         >
>         > where acl fromClient is multiple entries like
>         >
>         >   access-list fromClient permit ip host 172.20.66.116 10.4.71.0 255.255.255.0
>         >
>         > for each host allowed over the tunnel.
>         >
>         > sh xlate detail looks "good".. (10.4.71.252 is PIX A, configured via global (inside) 1 interface)
>         >
>         > # sh xlate detail
>         > 1 in use, 3 most used
>         > Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
>         >        o - outside, r - portmap, s - static
>         > ICMP PAT from outside: 172.20.66.126/512 to inside(fromClient):10.4.71.252/1 flags ro
>         >
>         > I'm running a tcpdump on the target host, and it's not receiving any packets.
>         >
>         > Thoughts?
>         >
>         >
>         > Thanks in advance
>         >
>         > Matt
>         >
>         >
>         >
>         >
>         > _______________________________________________
>         > cisco-nsp mailing list  cisco-nsp at puck.nether.net
>         > https://puck.nether.net/mailman/listinfo/cisco-nsp
>         > archive at http://puck.nether.net/pipermail/cisco-nsp/
>         >
> 
> 
> 
> -- 
> Progress isn't made by early risers. It's made by lazy men trying to
> find easier ways to do something.
>   - Robert Heinlein
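The symptom Matt quotes is a %PIX-3-305005 "No translation group found" message, and the nat (outside) rule in his config is driven by a per-host access-list, so a source behind PIX B that is missing from fromClient will never get an outside-to-inside xlate. The script below is an added diagnostic example, not part of this thread or of any Cisco tool: it parses 305005 syslog lines and reports which logged source/destination pairs are not covered by the NAT access-list. The log lines and the access-list entries in it are constructed for the example (the second ACE uses a hypothetical 172.20.67.0/24 subnet), and the function names are my own.

```python
import ipaddress
import re

# Constructed sample syslog lines in the %PIX-3-305005 format quoted in the thread.
SAMPLE_LOGS = [
    "%PIX-3-305005: No translation group found for icmp src outside:172.20.66.126 "
    "dst inside:10.4.71.254 (type 8, code 0)",
    "%PIX-3-305005: No translation group found for tcp src outside:172.20.66.116/3456 "
    "dst inside:10.4.71.10/22",
    "%PIX-6-302013: Built outbound TCP connection 12 for outside:10.4.71.10/22 (unrelated line)",
]

# Constructed NAT access-list modelled on the thread's fromClient entries;
# the /24 subnet entry is hypothetical and only shows that masks are handled.
NAT_ACL = [
    "access-list fromClient permit ip host 172.20.66.116 10.4.71.0 255.255.255.0",
    "access-list fromClient permit ip 172.20.67.0 255.255.255.0 10.4.71.0 255.255.255.0",
]

# 305005 carries protocol, ingress/egress interface and the addresses (port is optional).
LOG_RE = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

# PIX 6.x ACE: address tokens are "host A.B.C.D", "any" or "network mask" (real mask, not wildcard).
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) permit (?P<proto>\S+) "
    r"(?P<src>host \S+|any|\S+ \S+) (?P<dst>host \S+|any|\S+ \S+)"
)


def parse_addr(token):
    """Convert a PIX ACL address token into an ipaddress network object."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    network, mask = token.split()
    return ipaddress.ip_network(f"{network}/{mask}", strict=False)


def parse_acl(lines):
    """Return (name, proto, src_net, dst_net) tuples for every permit ACE."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m:
            aces.append((m["name"], m["proto"], parse_addr(m["src"]), parse_addr(m["dst"])))
    return aces


def parse_305005(lines):
    """Extract the fields of every %PIX-3-305005 line; other message IDs are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events.append({k: m[k] for k in ("proto", "src_if", "src", "dst_if", "dst")})
    return events


def acl_matches(aces, src, dst, name):
    """True if some ACE of the named list covers the src/dst pair (ip-level match only)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(n == name and src_ip in s and dst_ip in d for n, _, s, d in aces)


def unmatched_sources(log_lines, acl_lines, acl_name="fromClient"):
    """Return the 305005 events whose src/dst pair no ACE of the NAT access-list covers."""
    aces = parse_acl(acl_lines)
    return [e for e in parse_305005(log_lines)
            if not acl_matches(aces, e["src"], e["dst"], acl_name)]


if __name__ == "__main__":
    for event in unmatched_sources(SAMPLE_LOGS, NAT_ACL):
        print(f"{event['proto']} {event['src']} -> {event['dst']}: "
              f"not covered by access-list fromClient, so no nat (outside) xlate can be built")
```

On the constructed input the .116 event is covered and only 172.20.66.126 is reported; the log in the thread likewise shows 172.20.66.126 against a quoted ACE for 172.20.66.116, and whether that is sanitization or a real gap is exactly what a check like this settles. The script compares addresses only; a 305005 that survives this check points at the translation side (global/nat pairing, or the xlate being built on an interface the return traffic never reaches) rather than at the access-list.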
