Cisco 506 : VPN issues - NAT, PAT or access-list?

Discussion in 'Cisco' started by Paul Emond, Oct 23, 2003.

  1. Paul Emond

    Paul Emond Guest

    Hi everyone. I've been going a little crazy trying to get something
    that seems pretty simple to work on a PIX 506. FYI, I've upgraded to
    PIX Version 6.3(3) and my remote VPN clients are using Cisco Client
    v.3.6.3.

    What I'm trying to accomplish is to have incoming VPN and outgoing
    internet working at the same time. Sounds easy, but I can't get the
    two to co-exist. I'm convinced that it's related to my NAT / PAT
    configuration. Here are the relevant parts of my config file ...

    PIX Version 6.3(3)
    access-list 101 permit ip 10.185.16.0 255.255.255.0 any
    ip local pool remote 10.185.16.190-10.185.16.199
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup vpn3000 address-pool remote
    vpngroup vpn3000 dns-server X.X.X.X
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password X
    : end

    I can get the remote VPN clients to work at points, but that breaks my
    ability to see the outside world with PAT. I can get the PAT working
    properly, but that breaks my remote VPN clients by not allowing them
    to see any of the internal network. Any ideas? Someone suggested it
    might be an access-list problem. Any help would be much appreciated
    since I've been struggling with this for 18 hours so far.

    Paul.
    Paul Emond, Oct 23, 2003
    #1

  2. In article <>,
    Paul Emond <> wrote:
    :Hi everyone. I've been going a little crazy trying to get something
    :that seems pretty simple to work on a PIX 506. FYI, I've upgraded to
    :PIX Version 6.3(3) and my remote VPN clients are using Cisco Client
    :v.3.6.3.

    :What I'm trying to accomplish is to have incoming VPN and outgoing
    :internet working at the same time. Sounds easy, but I can't get the
    :two to co-exist. I'm convinced that it's related to my NAT / PAT
    :configuration. Here are the relevant parts of my config file ...

    :crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

    What's in the access list outside_cryptomap_dyn_20?

    Are you showing us the saved configuration or the running configuration?
    Is outside_cryptomap_dyn_20 something you configured or is it
    a dynamic ACL generated by the PIX?

    :access-list 101 permit ip 10.185.16.0 255.255.255.0 any
    :ip local pool remote 10.185.16.190-10.185.16.199
    :nat (inside) 0 access-list 101

    :vpngroup vpn3000 address-pool remote

    Your nat 0 ACL overlaps your vpn address pool.

    You do not show us anything about the inside or outside address
    range, or anything about your global statements.

    My suspicion would be that you are using the address range 10.185.16/24
    inside as well somehow, and that you are getting a bad routing interaction.
    When the VPN is built, it's possibly routing all of 10.185.16/24
    through the tunnel.

    My first pass suggestion would be to remove the 'match address'
    clause from your dynamic map and remove the nat 0.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
    Walter Roberson, Oct 23, 2003
    #2

  3. Chris

    Chris Guest

    Paul Emond wrote:

    > Hi everyone. I've been going a little crazy trying to get something
    > that seems pretty simple to work on a PIX 506. FYI, I've upgraded to
    > PIX Version 6.3(3) and my remote VPN clients are using Cisco Client
    > v.3.6.3.
    >
    > What I'm trying to accomplish is to have incoming VPN and outgoing
    > internet working at the same time. Sounds easy, but I can't get the
    > two to co-exist. I'm convinced that it's related to my NAT / PAT
    > configuration. Here are the relevant parts of my config file ...
    >
    > PIX Version 6.3(3)
    > access-list 101 permit ip 10.185.16.0 255.255.255.0 any
    > ip local pool remote 10.185.16.190-10.185.16.199
    > nat (inside) 0 access-list 101
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
    > sysopt connection permit-ipsec
    > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    > crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    > crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    > crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    > crypto map outside_map interface outside
    > isakmp enable outside
    > isakmp policy 20 authentication pre-share
    > isakmp policy 20 encryption 3des
    > isakmp policy 20 hash md5
    > isakmp policy 20 group 2
    > isakmp policy 20 lifetime 86400
    > vpngroup vpn3000 address-pool remote
    > vpngroup vpn3000 dns-server X.X.X.X
    > vpngroup vpn3000 idle-time 1800
    > vpngroup vpn3000 password X
    > : end
    >
    > I can get the remote VPN clients to work at points, but that breaks my
    > ability to see the outside world with PAT. I can get the PAT working
    > properly, but that breaks my remote VPN clients by not allowing them
    > to see any of the internal network. Any ideas? Someone suggested it
    > might be an access-list problem. Any help would be much appreciated
    > since I've been struggling with this for 18 hours so far.
    >
    > Paul.

    The issue is you need to split the DNS server searches with this command:
    vpngroup vpn3000 split-tunnel 101 (101 is the access-list, obviously)

    Other suggestions, for tighter control, are to change:
    1. access-list 101 permit ip 10.185.16.0 255.255.255.0 any to
    access-list 101 permit ip 10.185.16.0 255.255.255.0 10.185.17.192
    255.255.255.240 (this will give you 14 usable IPs; you can always change
    the subnet to expand for more IPs)
    2. ip local pool remote 10.185.16.190-10.185.16.199 to ip local pool remote
    10.185.16.193-10.185.16.206 (anyone care to comment on whether local pool follows
    subnetting? I have always used the subnetting convention that the first and
    last IP in the network are allocated and never tried using all IPs in the
    subnet)

    The last thing might be to use some other type of authentication such as
    TACACS+, a RADIUS server or Windows IAS to have one more step in
    security; with this a user will have to not only enter the pre-shared key and
    group (which will be done only once during setup of the client) but also
    the user will be asked for a username and password at the end of Phase 1
    every time they log into the VPN before Phase 2 is launched and granted
    access into the network.

    Also set up NAT traversal with the command
    isakmp nat-traversal 3600

    Good luck and enjoy

    CR
    --
    just remove the nospam in my email address
    Chris, Oct 24, 2003
    #3
  4. Chris

    Chris Guest

    Paul Emond wrote:

    > Hi everyone. I've been going a little crazy trying to get something
    > that seems pretty simple to work on a PIX 506. FYI, I've upgraded to
    > PIX Version 6.3(3) and my remote VPN clients are using Cisco Client
    > v.3.6.3.
    >
    > What I'm trying to accomplish is to have incoming VPN and outgoing
    > internet working at the same time. Sounds easy, but I can't get the
    > two to co-exist. I'm convinced that it's related to my NAT / PAT
    > configuration. Here are the relevant parts of my config file ...
    >
    > PIX Version 6.3(3)
    > access-list 101 permit ip 10.185.16.0 255.255.255.0 any
    > ip local pool remote 10.185.16.190-10.185.16.199
    > nat (inside) 0 access-list 101
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
    > sysopt connection permit-ipsec
    > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    > crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    > crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    > crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    > crypto map outside_map interface outside
    > isakmp enable outside
    > isakmp policy 20 authentication pre-share
    > isakmp policy 20 encryption 3des
    > isakmp policy 20 hash md5
    > isakmp policy 20 group 2
    > isakmp policy 20 lifetime 86400
    > vpngroup vpn3000 address-pool remote
    > vpngroup vpn3000 dns-server X.X.X.X
    > vpngroup vpn3000 idle-time 1800
    > vpngroup vpn3000 password X
    > : end
    >
    > I can get the remote VPN clients to work at points, but that breaks my
    > ability to see the outside world with PAT. I can get the PAT working
    > properly, but that breaks my remote VPN clients by not allowing them
    > to see any of the internal network. Any ideas? Someone suggested it
    > might be an access-list problem. Any help would be much appreciated
    > since I've been struggling with this for 18 hours so far.
    >
    > Paul.

    BTW, I forgot in my haste: "crypto dynamic-map outside_dyn_map 20 match
    address outside_cryptomap_dyn_20" needs to point to an access list, so it should be
    crypto dynamic-map outside_dyn_map 20 match address 101

    The global statement for PAT might look something like this:
    global (outside) 1 x.x.x.7
    --
    just remove the nospam in my email address
    Chris, Oct 24, 2003
    #4
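The three configuration problems raised in the replies (the nat 0 ACL whose source network contains the VPN address pool, the dynamic-map "match address" naming an ACL that is never defined, and the vpngroup with no split-tunnel ACL) can be checked mechanically. The script below is an added example, not code from the thread; it runs over the config lines Paul posted (embedded here as a constructed sample) and reports each finding.

```python
import ipaddress

# Constructed sample: the relevant lines of the PIX 6.3(3) config posted in the thread.
PIX_CONFIG = """\
access-list 101 permit ip 10.185.16.0 255.255.255.0 any
ip local pool remote 10.185.16.190-10.185.16.199
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpngroup vpn3000 address-pool remote
"""


def lint_pix_vpn(config):
    """Return findings for the NAT / VPN interactions discussed in the thread."""
    acls, pools, nat0, match_acls, groups, split = {}, {}, [], [], {}, set()
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            # Source network of a 'permit ip <net> <mask> ...' entry (PIX uses normal masks).
            acls.setdefault(t[1], []).append(ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False))
        elif line.startswith("ip local pool "):
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:2] == ["nat", "(inside)"] and t[2:4] == ["0", "access-list"]:
            nat0.append(t[4])                      # ACL exempted from NAT
        elif t[:2] == ["crypto", "dynamic-map"] and "address" in t:
            match_acls.append(t[t.index("address") + 1])
        elif t[0] == "vpngroup" and t[2] == "address-pool":
            groups[t[1]] = t[3]
        elif t[0] == "vpngroup" and t[2] == "split-tunnel":
            split.add(t[1])

    findings = []
    for acl in nat0:                               # Walter's point: nat 0 ACL overlaps the pool
        for net in acls.get(acl, []):
            for name, (lo, hi) in pools.items():
                if lo in net or hi in net:
                    findings.append(f"nat 0 ACL {acl} source {net} overlaps pool {name} ({lo}-{hi})")
    for acl in match_acls:                         # Chris's point: match address must name a real ACL
        if acl not in acls:
            findings.append(f"dynamic-map match address references undefined ACL {acl}")
    for group in groups:                           # Chris's point: no split-tunnel, so all client traffic is tunnelled
        if group not in split:
            findings.append(f"vpngroup {group} has no split-tunnel ACL")
    return findings


if __name__ == "__main__":
    for finding in lint_pix_vpn(PIX_CONFIG):
        print(finding)
```

Adding "vpngroup vpn3000 split-tunnel 101" and defining the ACL the dynamic map refers to clears two of the findings; the pool overlap remains until the nat 0 ACL or the pool is changed.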