[c-nsp] question about natting ipsec traffic on pix 506E

Peter Rathlev peter at rathlev.dk
Thu Dec 1 03:29:12 EST 2011


On Wed, 2011-11-30 at 20:01 -0500, dalton wrote:
> access-list client1 permit ip host 209.1.1.157 host 200.1.1.2  
> access-list client1 permit ip host 209.1.1.158 host 200.1.1.2  
> access-list EXCLUDE-NAT permit ip host 209.1.1.157 host 200.1.1.2
> access-list EXCLUDE-NAT permit ip host 209.1.1.158 host 200.1.1.2
> 
> nat (inside) 0 access-list EXCLUDE-NAT

Here you're saying that traffic coming in on the "inside" interface with
a source address of 209.1.1.{157,158} destined to 200.1.1.2 should not
be translated.

Those source addresses are globally routable addresses. Are you sure you
would expect to see those coming in on the inside interface? If so, the
next "static" statements don't make sense to me:

> static (inside,outside) 209.1.1.157 10.0.0.129 dns netmask 255.255.255.255 0 0
> static (inside,outside) 209.1.1.158 10.0.0.130 dns netmask 255.255.255.255 0 0

These statics translate traffic coming in on the "inside" interface with
source addresses 10.0.0.{129,130} to 209.1.1.{157,158}. And vice versa.
This configuration isn't impossible, but it's not highly intuitive
either.

> crypto map statmap 120 ipsec-isakmp
> crypto map statmap 120 match address client1
> crypto map statmap 120 set peer 200.1.1.1
> crypto map statmap 120 set pfs group2
> crypto map statmap 120 set transform-set strong
>    
> I want to nat the 10.0.0.129 and 130 traffic to 209.1.1.157/158 before
> it goes through the tunnel.
> 
> In the acl for interesting traffic do I want the real (private ips -
> 10.0.0.129) here? or the natted ips (209.1.1.157)?

Assuming the crypto map is applied to the "outside" interface, you would
use the translated IP addresses (209.1.1.{157,158}). The crypto stuff
happens after the NAT stuff (both static and global).

> Also, for my nat 0 list, do I want the natted ip in there? or the
> real ips.

Why do you need the NAT-0 at all?

If you can accept that the hosts 10.0.0.{129,130} always have the
209.1.1.{157,158} addresses when trying to reach things on your outside
(Internet?) you just delete the policy-NAT related lines.

Or do these globally routable addresses belong to the other end of the
tunnel, so you need to only ever use them for traffic traversing the
tunnel?

By the way: Are these addresses the real ones? Or examples? If the
latter, you should generally try to use 192.0.2.0/24 (there are a few
others too) for examples. Otherwise the holders of 209.1.0.0/16 or
200.1.0.0/22 might find it strange to see their addresses used here. :-)

-- 
Peter
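The configuration the reply arrives at, written out as an added example (it is not part of the original post or of Peter's reply): the two statics and the crypto map from the post are kept, the policy-NAT (nat 0 / EXCLUDE-NAT) lines are dropped, and the crypto ACL names the translated addresses, because on a PIX the static translation is applied before the crypto map on "outside" is consulted. Following the reply's own advice, the globally routable addresses are replaced with RFC 5737 documentation space: 192.0.2.157/158 stand in for the translated addresses, 203.0.113.1 for the peer and 203.0.113.2 for the remote host. The transform-set definition, the `crypto map ... interface outside` binding and the isakmp lines are assumptions needed to make the fragment complete; the post shows none of them, and the pre-shared key is a placeholder.

```cisco
! Added example, not from the original post or reply. Inside hosts
! 10.0.0.129/130 are presented to the outside as 192.0.2.157/158
! (one-to-one statics); the IPsec peer 203.0.113.1 protects 203.0.113.2.

! 1. Static NAT: 10.0.0.x is always seen as 192.0.2.x on "outside".
static (inside,outside) 192.0.2.157 10.0.0.129 dns netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.158 10.0.0.130 dns netmask 255.255.255.255 0 0

! 2. Crypto ACL: NAT runs before the crypto map on "outside" is consulted,
!    so interesting traffic is matched on the TRANSLATED source addresses.
access-list client1 permit ip host 192.0.2.157 host 203.0.113.2
access-list client1 permit ip host 192.0.2.158 host 203.0.113.2

! 3. Transform set referenced by the crypto map (assumed; the post only
!    names it "strong").
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac

! 4. Crypto map as posted, bound to the outside interface (the reply
!    assumes this binding; the post does not show it).
crypto map statmap 120 ipsec-isakmp
crypto map statmap 120 match address client1
crypto map statmap 120 set peer 203.0.113.1
crypto map statmap 120 set pfs group2
crypto map statmap 120 set transform-set strong
crypto map statmap interface outside

! 5. ISAKMP phase 1 (assumed values; <pre-shared-key> is a placeholder).
isakmp enable outside
isakmp key <pre-shared-key> address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! No "nat (inside) 0 access-list EXCLUDE-NAT" and no EXCLUDE-NAT ACL:
! they would exempt packets arriving on "inside" with 192.0.2.157/158
! as source, and no such packets ever arrive there.
```

To check the result once the tunnel is up: `show xlate` should list the two static translations, and `show crypto ipsec sa` should show the local identity of each SA as the translated host (192.0.2.157/255.255.255.255 in this example). If the SA never comes up and the packet counters on the crypto ACL stay at zero, the ACL was most likely written with the real 10.0.0.x addresses, which the crypto map never sees.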
