PIX: IPSec between overlapping subnets and "dns" keyword

Discussion in 'Cisco' started by Oleg Tipisov, Aug 10, 2004.

  1. Oleg Tipisov

    Oleg Tipisov Guest

    Hi!

    I'm trying to configure IPSec between two sites with overlapping
    subnets 192.168.1.0/24. There is a requirement to configure both
    inside and outside static NAT on the same PIX. Also, both local and
    remote hosts in overlapping networks should be able to initiate
    connections.

    PIX1(config)# sh static
    static (outside,inside) 192.168.2.0 192.168.1.0 dns netmask 255.255.255.0 0 0
    static (inside,outside) 192.168.3.0 192.168.1.0 netmask 255.255.255.0 0 0

    This setup works well if I ping remote host by IP address:

    R4-192.168.1.4# ping 192.168.2.1

    On the PIX:

    PIX1(config)# sh xlate detail
    2 in use, 7 most used
    Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
    o - outside, r - portmap, s - static
    NAT from outside:192.168.1.1 to inside:192.168.2.1 flags sD
    NAT from inside:192.168.1.4 to outside:192.168.3.4 flags s

    Unfortunately it doesn't work if I try to ping via hostname. The
    problem is that the DNS payload is *not* translated. The remote DNS
    server 192.168.1.254's answer is 192.168.1.1; it is *not* translated
    to 192.168.2.1 (note the "dns" keyword in the "static" above).

    If I add the static route:

    PIX1(config)# route outside 192.168.1.1 255.255.255.255 172.16.1.3

    it starts working:

    R4-192.168.1.4# ping r1.test

    On the PIX:

    PIX1(config)# sh xlate detail
    3 in use, 7 most used
    Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
    o - outside, r - portmap, s - static
    NAT from outside:192.168.1.254 to inside:192.168.2.254 flags sD
    NAT from outside:192.168.1.1 to inside:192.168.2.1 flags sD
    NAT from inside:192.168.1.4 to outside:192.168.3.4 flags s

    The DNS payload is translated, but the static route breaks local
    connectivity, i.e. it is now not possible to have a local inside host
    192.168.1.1.

    Could anybody shed some light on this and give me a working example
    with DNS payload translation? It seems that the "dns" keyword is broken
    in the "static" command in all PIX OS versions 6.2 - 6.3(4).

    Thx
     
    Oleg Tipisov, Aug 10, 2004
    #1
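What the "dns" keyword on the PIX "static" is supposed to do is rewrite A-record addresses inside DNS replies so that an inside host sees the mapped address (192.168.2.1) instead of the real outside address (192.168.1.1). The following Python script is an added illustration of that DNS rewriting step; it is not PIX code and not part of the original post. It uses the post's mapping of outside 192.168.1.0/24 to inside 192.168.2.0/24, builds a constructed DNS reply for "r1.test" pointing at 192.168.1.1, and rewrites every A record that falls into the mapped range. It generalizes slightly beyond the post in that it rewrites A records in the answer, authority and additional sections alike.

```python
import struct
import ipaddress

# Constructed mapping, mirroring the post's
# "static (outside,inside) 192.168.2.0 192.168.1.0 dns netmask 255.255.255.0":
# real outside addresses in 192.168.1.0/24 appear to inside hosts as 192.168.2.0/24.
OUTSIDE_REAL = ipaddress.ip_network("192.168.1.0/24")
INSIDE_MAPPED = ipaddress.ip_network("192.168.2.0/24")


def translate_address(addr):
    """Apply the static mapping to one IPv4 address; unchanged if it does not match."""
    ip = ipaddress.ip_address(addr)
    if ip in OUTSIDE_REAL:
        host_bits = int(ip) - int(OUTSIDE_REAL.network_address)
        return ipaddress.ip_address(int(INSIDE_MAPPED.network_address) + host_bits)
    return ip


def skip_name(msg, offset):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[offset]
        if length == 0:                 # root label ends an uncompressed name
            return offset + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def rewrite_a_records(msg):
    """Return (rewritten message, list of (old, new) addresses that were changed)."""
    buf = bytearray(msg)
    qd, an, ns, ar = struct.unpack("!HHHH", buf[4:12])
    offset = 12
    for _ in range(qd):                 # skip question section: QNAME QTYPE QCLASS
        offset = skip_name(buf, offset) + 4
    changed = []
    for _ in range(an + ns + ar):       # walk every resource record
        offset = skip_name(buf, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            old = ipaddress.ip_address(bytes(buf[offset:offset + 4]))
            new = translate_address(old)
            if new != old:
                buf[offset:offset + 4] = new.packed
                changed.append((str(old), str(new)))
        offset += rdlen
    return bytes(buf), changed


def build_a_response(name, addr, txid=0x1234, ttl=300):
    """Constructed sample input: a minimal DNS reply with one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)
    # answer name is a pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.ip_address(addr).packed
    return header + question + answer


if __name__ == "__main__":
    reply = build_a_response("r1.test", "192.168.1.1")   # what 192.168.1.254 really sent
    fixed, changed = rewrite_a_records(reply)
    print("rewritten:", changed)                         # [('192.168.1.1', '192.168.2.1')]
```

Run stand-alone, the script shows the inside host would receive 192.168.2.1 for r1.test, which matches the "sD" xlate entries in the post. An address outside the mapped range, or a non-A record, passes through untouched.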