PIX VPN and NAT pb with Cisco 3000 concentrator

Discussion in 'Cisco' started by filip, Nov 19, 2003.

  1. filip

    filip Guest

    Hi,

    Here is the problem:
    inside server (192.168.30.2) -> pix inside -> pix outside (IP public)
    <-------------> cisco 3000 concentrator (ip public) -> remote
    host (192.168.50.2)

    The VPN is established between the PIX outside and the VPN concentrator;
    this part is OK.

    Now, my inside server should connect to the remote host. But the remote host
    only accepts connections from one IP address: 192.168.40.2.
    I have to NAT my inside server address (192.168.30.2) to 192.168.40.2 in the
    tunnel.

    Here are the commands I've entered:

    access-list 101 permit ip 192.168.30.2 255.255.255.255 192.168.50.2 255.255.255.255
    static (inside,outside) 192.168.30.2 192.168.40.2 netmask 255.255.255.255 0 0
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto map vpn 10 ipsec-isakmp
    crypto map vpn 10 match address 101
    crypto map vpn 10 set peer IPPublicVPNConcentrator
    crypto map vpn 10 set transform-set myset
    crypto map vpn interface outside
    isakmp enable outside
    isakmp key xxxxxxx address IPPublicVPNConcentrator netmask 255.255.255.255
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 48000


    But in the logs, I see that the NAT translation doesn't work:
    the inside server is still trying to connect with its own IP address
    (192.168.30.2) and not with the NATted address (192.168.40.2).
    LOGS:
    IPSEC(key_engine): request timer fired: count = 1,
    (identity) local= PixOutside, remote= IPPubVPNConcentrator,
    local_proxy= 192.168.30.2/255.255.255.255/0/0 (type=4),
    remote_proxy= 192.168.50.2/255.255.255.255/0/0 (type=1)

    The local proxy should be 192.168.40.2.

    Where is the problem with this NAT?

    Thanks
    filip, Nov 19, 2003
    #1

  2. Gav Reid

    Gav Reid Guest

    "filip" <> wrote in message
    news:bpfcao$smv$...

    Believe NAT is completed before the ACL is checked (can be corrected here):

    > access-list 101 permit ip 192.168.30.2 255.255.255.255 192.168.50.2 255.255.255.255

    access-list 101 permit ip 192.168.40.2 255.255.255.255 192.168.50.2 255.255.255.255


    Dependent on your other NAT settings, the following will work:

    > static (inside,outside) 192.168.30.2 192.168.40.2 netmask 255.255.255.255 0 0


    This states that users on the outside interface of the PIX connect to
    192.168.30.2, and the PIX then redirects this to 192.168.40.2 on the internal
    interface.

    nat (inside) 1 192.168.30.2 255.255.255.255 0 0
    global (outside) 1 192.168.40.2
    Gav Reid, Nov 19, 2003
    #2
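    Added example (not from either post): a small Python model of the order of operations the answer relies on, translation first and crypto-ACL match second, run against filip's original lines and against the corrected ones. The packet-flow logic is a simplification assumed for illustration, not PIX code.

```python
import ipaddress

# Toy model (added example) of the PIX 6.x outbound order of operations:
# translation (static or nat/global) runs first, then the crypto-map ACL is
# matched, so the proxy identity IKE sends carries the translated source.

def _in(ip, net, mask):
    """True if ip falls inside net/mask written in PIX 'address mask' form."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(
        f"{net}/{mask}", strict=False)

def translate(src, statics=(), nats=()):
    """statics: (global_ip, local_ip) pairs in the PIX argument order of
    'static (inside,outside) global local'. nats: (local_ip, local_mask,
    global_ip) from matched 'nat (inside) N ...' / 'global (outside) N ...'.
    Returns the source the packet leaves the outside interface with; it is
    left unchanged when nothing matches, which is what the posted log shows."""
    for global_ip, local_ip in statics:
        if src == local_ip:
            return global_ip
    for local_ip, local_mask, global_ip in nats:
        if _in(src, local_ip, local_mask):
            return global_ip
    return src

def proxy_identity(src, dst, acl, statics=(), nats=()):
    """Return the (local_proxy, remote_proxy) pair IKE would negotiate for
    src->dst, or None if the crypto ACL does not select the traffic."""
    xlated = translate(src, statics, nats)
    for s, sm, d, dm in acl:  # one 'access-list 101 permit ip s sm d dm' line
        if _in(xlated, s, sm) and _in(dst, d, dm):
            return xlated, dst
    return None

HOST = "255.255.255.255"
# filip's lines: the static has global/local reversed and the ACL names the
# untranslated address, so the local proxy is 192.168.30.2, as logged.
ORIGINAL = dict(acl=[("192.168.30.2", HOST, "192.168.50.2", HOST)],
                statics=[("192.168.30.2", "192.168.40.2")])
# Gav's fix: ACL on the translated address plus nat/global for the server.
FIXED = dict(acl=[("192.168.40.2", HOST, "192.168.50.2", HOST)],
             nats=[("192.168.30.2", HOST, "192.168.40.2")])

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, proxy_identity("192.168.30.2", "192.168.50.2", **cfg))
```

    Swapping the two addresses in the static (global first, local second) would translate the server the same way as the nat/global pair.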

  3. filip

    filip Guest

    It worked,

    thank you.



    "Gav Reid" <> wrote in message
    news:5mKub.9314$...
    filip, Nov 20, 2003
    #3
