PIX VPN and NAT problem with Cisco 3000 concentrator

Discussion in 'Cisco' started by filip, Nov 19, 2003.

  1. filip

    filip Guest

    Hi,

    Here is the problem:
    inside server (192.168.30.2) -> pix inside -> pix outside (IP public)
    <-------------> cisco 3000 concentrator (ip public) -> remote host (192.168.50.2)

    The VPN is established between the PIX outside and the VPN concentrator;
    this part is OK.

    Now, my inside server should connect to the remote host. But the remote host
    only accepts connections from one IP address: 192.168.40.2.
    I have to NAT my inside server address (192.168.30.2) to 192.168.40.2 in the
    tunnel.

    Here are the commands I've entered:

    access-list 101 permit ip 192.168.30.2 255.255.255.255 192.168.50.2 255.255.255.255
    static (inside,outside) 192.168.30.2 192.168.40.2 netmask 255.255.255.255 0 0
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto map vpn 10 ipsec-isakmp
    crypto map vpn 10 match address 101
    crypto map vpn 10 set peer IPPublicVPNConcentrator
    crypto map vpn 10 set transform-set myset
    crypto map vpn interface outside
    isakmp enable outside
    isakmp key xxxxxxx address IPPublicVPNConcentrator netmask 255.255.255.255
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 48000


    But in the logs, I see that the NAT translation doesn't work.
    The inside server is still trying to connect with its own IP address
    (192.168.30.2) and not with the NATted address (192.168.40.2).
    LOGS:
    IPSEC(key_engine): request timer fired: count = 1,
    (identity) local= PixOutside, remote= IPPubVPNConcentrator,
    local_proxy= 192.168.30.2/255.255.255.255/0/0 (type=4),
    remote_proxy= 192.168.50.2/255.255.255.255/0/0 (type=1)

    The local proxy should be 192.168.40.2.

    Where is the problem with this NAT?

    Thanks
     
    filip, Nov 19, 2003
    #1

  2. Gav Reid

    Gav Reid Guest

    I believe NAT is completed before the ACL is checked (it can be corrected here):
    access-list 101 permit ip 192.168.40.2 255.255.255.255 192.168.50.2 255.255.255.255


    Depending on your other NAT settings, the following will work.
    This states that users on the outside interface of the PIX connect to
    192.168.30.2, and the PIX then redirects this to the internal interface on
    192.168.40.2:

    nat (inside) 1 192.168.30.2 255.255.255.255 0 0
    global (outside) 1 192.168.40.2
     
    Gav Reid, Nov 19, 2003
    #2
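As an added illustration (my own Python model, not code from either poster or from Cisco), here is the outbound order of operations Gav describes: the inside source is translated first and the crypto ACL is then evaluated against the translated packet, so an entry written for 192.168.30.2 never matches and the traffic is not sent into the tunnel, while the corrected entry for 192.168.40.2 selects the expected proxy identities. The translation table and the ACL tuples are constructed from the commands quoted in the thread.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of the PIX outbound path as described in the reply above;
# this is not PIX code. Addresses are the ones used in the thread.
# Models "static (inside,outside) 192.168.30.2 192.168.40.2" (or the
# equivalent nat/global pair): inside source -> outside (global) source.
SOURCE_NAT = {"192.168.30.2": "192.168.40.2"}

AclEntry = Tuple[str, str, str, str]  # (src, src netmask, dst, dst netmask)

# Crypto ACL 101 as originally posted (matches the pre-NAT inside address).
ACL_ORIGINAL: List[AclEntry] = [
    ("192.168.30.2", "255.255.255.255", "192.168.50.2", "255.255.255.255"),
]
# Crypto ACL 101 as corrected in the reply (matches the translated address).
ACL_CORRECTED: List[AclEntry] = [
    ("192.168.40.2", "255.255.255.255", "192.168.50.2", "255.255.255.255"),
]


def in_subnet(ip: str, net: str, mask: str) -> bool:
    """PIX access-lists use real netmasks, not IOS-style wildcard masks."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def translate_source(src: str) -> str:
    """Step 1: apply outbound NAT to the inside source address."""
    return SOURCE_NAT.get(src, src)


def select_proxy_ids(src: str, dst: str, acl: List[AclEntry]) -> Optional[Tuple[str, str]]:
    """Step 2: evaluate the crypto ACL against the post-NAT packet.

    Returns the (local_proxy, remote_proxy) identities the IPsec SA would be
    negotiated with, or None when no entry matches and the packet would leave
    the outside interface outside the tunnel.
    """
    nat_src = translate_source(src)
    for a_src, a_smask, a_dst, a_dmask in acl:  # first match wins
        if in_subnet(nat_src, a_src, a_smask) and in_subnet(dst, a_dst, a_dmask):
            return (f"{a_src}/{a_smask}", f"{a_dst}/{a_dmask}")
    return None


if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("corrected", ACL_CORRECTED)):
        print(name, select_proxy_ids("192.168.30.2", "192.168.50.2", acl))
```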

  3. filip

    filip Guest

    It worked, thank you.



     
    filip, Nov 20, 2003
    #3