PIX VPN and NAT pb with Cisco 3000 concentrator

filip
      11-19-2003
Hi,

Here is the problem:

inside server (192.168.30.2) -> pix inside -> pix outside (public IP)
    <-------------> cisco 3000 concentrator (public IP) -> remote host (192.168.50.2)

The VPN is established between the PIX outside interface and the VPN concentrator;
this part is OK.

Now my inside server should connect to the remote host. But the remote host
only accepts connections from one IP address: 192.168.40.2.
I have to NAT my inside server address (192.168.30.2) to 192.168.40.2 in the
tunnel.

Here are the commands I've entered:

access-list 101 permit ip 192.168.30.2 255.255.255.255 192.168.50.2 255.255.255.255
static (inside,outside) 192.168.30.2 192.168.40.2 netmask 255.255.255.255 0 0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
crypto map vpn 10 set peer IPPublicVPNConcentrator
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside
isakmp enable outside
isakmp key xxxxxxx address IPPublicVPNConcentrator netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 48000


But in the logs, I see that the NAT translation doesn't work:
the inside server is still trying to connect with its own IP address
(192.168.30.2) and not with the NATed address (192.168.40.2).
LOGS:
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= PixOutside, remote= IPPubVPNConcentrator,
local_proxy= 192.168.30.2/255.255.255.255/0/0 (type=4),
remote_proxy= 192.168.50.2/255.255.255.255/0/0 (type=1)

The local proxy should be 192.168.40.2.


Where is the problem with this NAT?

Thanks


Gav Reid
      11-19-2003

"filip" <(E-Mail Removed)> wrote in message
news:bpfcao$smv$(E-Mail Removed)...

I believe NAT is completed before the ACL is checked (it can be corrected here):

> access-list 101 permit ip 192.168.30.2 255.255.255.255 192.168.50.2 255.255.255.255

access-list 101 permit ip 192.168.40.2 255.255.255.255 192.168.50.2 255.255.255.255


Depending on your other NAT settings, the following will work:

> static (inside,outside) 192.168.30.2 192.168.40.2 netmask 255.255.255.255 0 0


This states that users on the outside interface of the PIX connect to
192.168.30.2, and the PIX then redirects this to 192.168.40.2 on the internal
interface.

nat (inside) 1 192.168.30.2 255.255.255.255 0 0
global (outside) 1 192.168.40.2
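The order of operations the reply above relies on (translate first, then match the crypto ACL against the translated packet) is easy to fix on one side and forget on the other, so here is an added example, not code from either poster, that models it in Python. It reproduces the log from the first post (local_proxy = 192.168.30.2, because the original static has its GLOBAL and LOCAL arguments reversed and never fires for traffic from 192.168.30.2) and then runs three variants: the nat/global fix with the old ACL, the nat/global fix with the corrected ACL, and the same result from a static with its arguments in the right order. Assumptions: the rest of the poster's NAT configuration is not shown, so an address that matches no rule is modelled as passing unchanged, which is what the log shows for 192.168.30.2; all class and function names are ours, not PIX commands.

```python
# Added example (not from the thread): a small model of the PIX outbound
# order of operations the reply describes. A packet from an inside host is
# translated (static, then nat+global) FIRST, and only the translated packet
# is compared against the crypto map's access-list, so the crypto ACL must
# name the post-NAT address.
# Assumption: the poster's other NAT rules are not shown, so an address that
# matches no rule here passes through unchanged (the log shows that for
# 192.168.30.2). Class and function names are ours.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    """static (inside,outside) GLOBAL LOCAL netmask 255.255.255.255"""
    global_ip: str   # address seen on the outside interface
    local_ip: str    # real address on the inside interface


@dataclass(frozen=True)
class DynamicNat:
    """nat (inside) ID LOCAL MASK  +  global (outside) ID GLOBAL_IP"""
    local_net: str   # e.g. "192.168.30.2/32"
    global_ip: str


@dataclass(frozen=True)
class Ace:
    """access-list N permit ip SRC MASK DST MASK (crypto ACL entry)"""
    src: str         # "a.b.c.d/prefixlen"
    dst: str


def translate(src_ip: str, statics: List[Static], dynamics: List[DynamicNat]) -> str:
    """Outbound source translation: static entries before dynamic ones.
    A static matches on its LOCAL (inside) address, not its GLOBAL one."""
    for s in statics:
        if src_ip == s.local_ip:
            return s.global_ip
    for d in dynamics:
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(d.local_net):
            return d.global_ip
    return src_ip  # simplification: no rule -> unchanged (see header)


def crypto_match(src_ip: str, dst_ip: str, acl: List[Ace]) -> Optional[Ace]:
    """First crypto-ACL entry covering the (already translated) packet."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ipaddress.ip_network(ace.src) and d in ipaddress.ip_network(ace.dst):
            return ace
    return None


def outbound(src_ip: str, dst_ip: str, statics: List[Static],
             dynamics: List[DynamicNat], acl: List[Ace]) -> Tuple[str, str]:
    """Return (source address on the wire, disposition).
    'ipsec local_proxy=...' when the crypto map claims the packet; otherwise
    'cleartext': nothing encrypts it and it leaves the outside interface
    unprotected if routing and outbound ACLs allow."""
    wire_src = translate(src_ip, statics, dynamics)
    ace = crypto_match(wire_src, dst_ip, acl)
    if ace is None:
        return wire_src, "cleartext"
    return wire_src, f"ipsec local_proxy={ace.src}"


INSIDE, WANTED, REMOTE = "192.168.30.2", "192.168.40.2", "192.168.50.2"


def original_config() -> Tuple[str, str]:
    # static (inside,outside) 192.168.30.2 192.168.40.2: GLOBAL=30.2, LOCAL=40.2,
    # i.e. reversed, so it never fires for traffic FROM 192.168.30.2.
    statics = [Static(global_ip=INSIDE, local_ip=WANTED)]
    acl = [Ace(src=INSIDE + "/32", dst=REMOTE + "/32")]
    return outbound(INSIDE, REMOTE, statics, [], acl)


def nat_only_fix() -> Tuple[str, str]:
    # nat/global corrected as in the reply, but the crypto ACL left alone.
    dynamics = [DynamicNat(local_net=INSIDE + "/32", global_ip=WANTED)]
    acl = [Ace(src=INSIDE + "/32", dst=REMOTE + "/32")]
    return outbound(INSIDE, REMOTE, [], dynamics, acl)


def full_fix() -> Tuple[str, str]:
    # Both halves of the reply: the ACL names the post-NAT address 192.168.40.2.
    dynamics = [DynamicNat(local_net=INSIDE + "/32", global_ip=WANTED)]
    acl = [Ace(src=WANTED + "/32", dst=REMOTE + "/32")]
    return outbound(INSIDE, REMOTE, [], dynamics, acl)


def static_fix() -> Tuple[str, str]:
    # Same effect with the static's arguments in the right order:
    # static (inside,outside) 192.168.40.2 192.168.30.2 netmask 255.255.255.255
    statics = [Static(global_ip=WANTED, local_ip=INSIDE)]
    acl = [Ace(src=WANTED + "/32", dst=REMOTE + "/32")]
    return outbound(INSIDE, REMOTE, statics, [], acl)


if __name__ == "__main__":
    for name, fn in [("original", original_config), ("nat-only fix", nat_only_fix),
                     ("nat + acl fix", full_fix), ("static fix", static_fix)]:
        wire_src, disposition = fn()
        print(f"{name:14s} wire src={wire_src}  {disposition}")
```

The nat-only variant is the one to watch for: once 192.168.30.2 is translated to 192.168.40.2, an ACL that still names 192.168.30.2 no longer claims the packet, so the crypto map never fires and the traffic leaves the outside interface unprotected if routing and outbound ACLs let it. After changing NAT, confirm with show crypto ipsec sa that the local ident is 192.168.40.2/255.255.255.255 rather than assuming the log line has changed.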


 
filip
      11-20-2003
It worked,

thank you.



"Gav Reid" <(E-Mail Removed)> wrote in message
news:5mKub.9314$(E-Mail Removed)...
