[c-nsp] PIX: Source [NP]AT traffic from the other side of a tunnel. Possible?

David West david.h.west at gmail.com
Wed May 31 19:24:57 EDT 2006


Hmm, I've never tried the nat (outside) .... outside. This should work
though:

nat (outside) 1 access-list fromClient 0 0

Also, does your IPSec tunnel pass traffic without NAT? Do you have a "sysopt
connect permit-ipsec" in your config?

I have a similar config running at several customer sites and I didn't use
the "outside" option in the nat setup.

It might be useful to grab a packet capture at the PIX using the "capture"
command. Sometimes I run a capture on both interfaces to see what's actually
getting transmitted off those interfaces.

-DW

On 5/31/06, Matt Stockdale <mstockda at logicworks.net> wrote:
>
> Sure -
>
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> access-list fromClient permit ip host 172.20.x.1 10.4.71.0 255.255.255.0
> access-list fromClient permit ip host 172.20.x.2 10.4.71.0 255.255.255.0
> .
> .
> .
> access-list fromClient permit ip host 172.20.x.100 10.4.71.0 255.255.255.0
>
> access-list toClient permit ip 10.4.71.0 255.255.255.0 host 172.20.x.1
> access-list toClient permit ip 10.4.71.0 255.255.255.0 host 172.20.x.2
> .
> .
> .
> access-list toClient permit ip 10.4.71.0 255.255.255.0 host 172.20.x.100
> ip address outside 206.x.y.x 255.255.255.224
> ip address inside 10.4.71.252 255.255.255.0
> global (inside) 1 interface
> nat (outside) 1 access-list fromClient outside 0 0
> route outside 0.0.0.0 0.0.0.0 206.x.y.1 1
> crypto ipsec transform-set strong esp-3des esp-sha-hmac
> crypto map toCustomer 20 ipsec-isakmp
> crypto map toCustomer 20 match address toClient
> crypto map toCustomer 20 set peer 65.x.y.z
> crypto map toCustomer 20 set transform-set strong
> crypto map toCustomer interface outside
> isakmp enable outside
> isakmp key ******** address 65.x.y.z netmask 255.255.255.255
> isakmp policy 9 authentication pre-share
> isakmp policy 9 encryption 3des
> isakmp policy 9 hash sha
> isakmp policy 9 group 1
> isakmp policy 9 lifetime 86400
>
> Thanks,
>   Matt
>
>
> On Wed, 2006-05-31 at 09:59 -0400, David West wrote:
> > What you're attempting should work. Is there an ACL somewhere that's
> > dropping the traffic? Could you post a more complete (sanitized)
> > config?
> >
> > On 5/30/06, Matt Stockdale <mstockda at logicworks.net> wrote:
> >         Whoops - I forgot to specify, PIX A is running 6.3(3), in which I
> >         believe that the nat (outside) ... outside feature is enabled.
> >
> >         On Tue, 2006-05-30 at 15:14 -0400, Matt Stockdale wrote:
> >         > Folks -
> >         >
> >         >   With the following setup
> >         >
> >         > 10.4.71.0/24------(inside)PIX A(outside)---------Internet----------(outside)PIX B(inside)--172.20.0.0/26
> >         >
> >         >   Is it possible to source NAT/PAT traffic from 172.20.0.0/16 to
> >         > 10.4.71.0/24, such that it appears to be coming either from the inside
> >         > interface of PIX A itself, or an internal global NAT IP for this purpose?
> >         >
> >         >   My attempts so far have resulted in
> >         >
> >         >   %PIX-3-305005: No translation group found for icmp src outside:172.20.66.126 dst inside:10.4.71.254 (type 8, code 0)
> >         >
> >         > I've set up the "outside" nat config thusly
> >         >
> >         > nat (outside) 1 access-list fromClient outside
> >         >
> >         > where acl fromClient is multiple entries like
> >         >
> >         >   access-list fromClient permit ip host 172.20.66.116 10.4.71.0 255.255.255.0
> >         >
> >         > for each host allowed over the tunnel.
> >         >
> >         > sh xlate detail looks "good".. (10.4.71.252 is PIX A, configured via global (inside) 1 interface)
> >         >
> >         > # sh xlate detail
> >         > 1 in use, 3 most used
> >         > Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
> >         >        o - outside, r - portmap, s - static
> >         > ICMP PAT from outside: 172.20.66.126/512 to inside(fromClient):10.4.71.252/1 flags ro
> >         >
> >         > I'm running a tcpdump on the target host, and it's not receiving any packets.
> >         >
> >         > Thoughts?
> >         >
> >         >
> >         > Thanks in advance
> >         >
> >         > Matt
> >         >
> >         >
> >         >
> >         >
> >         > _______________________________________________
> >         > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >         > https://puck.nether.net/mailman/listinfo/cisco-nsp
> >         > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >         >
> >
> >
> >
> > --
> > Progress isn't made by early risers. It's made by lazy men trying to
>

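A small consistency checker for the kind of outside-NAT-over-IPsec setup discussed above. This is an added example written for this archive page, not code from either poster or from Cisco; it parses a sanitized config in the same PIX 6.x syntax Matt posted and checks the three things a troubleshooter would look at before running "capture": that every fromClient NAT entry has a mirror-image toClient crypto entry, that the flow named in the %PIX-3-305005 message actually falls inside the ACL bound by "nat (outside) 1 access-list ...", and whether "sysopt connection permit-ipsec" is present. The 172.20.66.x and 10.4.71.x values are taken from the thread; the second fromClient host and the missing toClient mirror are constructed to show the check firing.

```python
"""Config/syslog consistency check for PIX 6.x outside NAT over an IPsec tunnel.

Added example, not from the thread. Sample config and syslog line below are
constructed from the sanitized snippets in the post.
"""
import ipaddress
import re

# Constructed sample: second fromClient host deliberately has no toClient mirror.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list fromClient permit ip host 172.20.66.116 10.4.71.0 255.255.255.0
access-list fromClient permit ip host 172.20.66.126 10.4.71.0 255.255.255.0
access-list toClient permit ip 10.4.71.0 255.255.255.0 host 172.20.66.116
global (inside) 1 interface
nat (outside) 1 access-list fromClient outside 0 0
crypto map toCustomer 20 match address toClient
"""

# Constructed from the %PIX-3-305005 line quoted in the thread.
SAMPLE_SYSLOG = ("%PIX-3-305005: No translation group found for icmp src "
                 "outside:172.20.66.126 dst inside:10.4.71.254 (type 8, code 0)")

ACL_RE = re.compile(
    r"^access-list (\S+) permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)")
SYSLOG_RE = re.compile(r"src (\w+):([\d.]+) dst (\w+):([\d.]+)")


def _to_network(spec):
    """'host A.B.C.D' or 'A.B.C.D M.M.M.M' -> ipaddress network object."""
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect extended ACL entries, policy-NAT bindings and sysopt lines."""
    acls, nat, sysopt = {}, {}, set()
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, dst = m.groups()
            acls.setdefault(name, []).append((_to_network(src), _to_network(dst)))
            continue
        m = NAT_RE.match(line)
        if m:
            nat[m.group(1)] = {"id": int(m.group(2)), "acl": m.group(3)}
            continue
        if line.startswith("sysopt "):
            sysopt.add(line)
    return {"acls": acls, "nat": nat, "sysopt": sysopt}


def missing_crypto_mirrors(cfg, nat_acl="fromClient", crypto_acl="toClient"):
    """NAT ACL entries (src, dst) with no (dst, src) mirror in the crypto ACL.

    Return traffic is untranslated and then matched against the crypto ACL,
    so an unmirrored entry means replies never get encrypted back down the tunnel.
    """
    mirrors = {(d, s) for s, d in cfg["acls"].get(crypto_acl, [])}
    return [(s, d) for s, d in cfg["acls"].get(nat_acl, []) if (s, d) not in mirrors]


def flow_matches_nat(cfg, syslog_line):
    """True if the src/dst in a 305005 message is covered by the outside NAT ACL."""
    m = SYSLOG_RE.search(syslog_line)
    if not m:
        raise ValueError("not a flow message")
    src_if, src, _dst_if, dst = m.groups()
    nat = cfg["nat"].get(src_if)
    if nat is None:
        return False  # no policy NAT bound to the ingress interface at all
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src_ip in s and dst_ip in d for s, d in cfg["acls"].get(nat["acl"], []))


def has_permit_ipsec(cfg):
    """Without this sysopt, decrypted traffic must also pass the interface ACL."""
    return "sysopt connection permit-ipsec" in cfg["sysopt"]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("flow covered by NAT ACL:", flow_matches_nat(cfg, SAMPLE_SYSLOG))
    print("NAT entries without crypto mirror:", missing_crypto_mirrors(cfg))
    print("sysopt connection permit-ipsec:", has_permit_ipsec(cfg))
```

On the sample above the flow from the syslog is covered by fromClient, one NAT entry (172.20.66.126) has no toClient mirror, and the sysopt line is absent; either of the last two is worth fixing before taking packet captures on both interfaces.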
