Using NAT/VPN on PIX (Peer/Host External Addresses)

Discussion in 'Cisco' started by Ryan Casey, Feb 21, 2005.

Ryan Casey (Guest)

    NOTE: All addresses in the below configuration are external addresses.
    The VPN should be established using only these external addresses,
    _no_ internal network addresses.

    We are trying to configure a PIX firewall. The other end is at another
    company that allows many VPNs, so they require two routable (external)
    IP addresses, no internals allowed.

    We successfully set up a VPN with the PIX and a forward router. However,
    we are load balancing routers and would like to do the entire VPN on the PIX.

    Below is a sketch (fake IPs, use fixed width font) of how we would like it to be.

    ------------------------------     ---------------------     ------------------     -----------------
    | Internal Network 172.1.1.x |     | PIX               |     | External Peer  |     | External Host |
    |                            | --> | NAT to            |     |                |     |               |
    |                            |     | Crypt             | --> |                | --> |               |
    ------------------------------     ---------------------     ------------------     -----------------

    If we have a router outside the PIX, we work fine. But trying to do it all on the PIX fails.

    We had thought that it would go:

    NAT Translated to

    Tunnel Set Up from PIX ( to Remote Peer (

    Encrypt Packet

    Send Packet

    Decrypted on

    Packet forwarded to (NAT translated to remote internal if need be)

    Return packets should come back in reverse, being decrypted on the PIX and then NATted back
    to the internal network.

    This is not what is happening. We have other VPNs using internal local and remote addresses,
    and it is not failing. If we monitor the interface, we start seeing a Send Error for each
    packet that it attempts to send, and no tunnel is ever established.

    What are we missing here? Attached at bottom is the relevant config (I think), converted to the
    above IPs.

    Thank you!
    Ryan Casey


    PIX Version 6.3(3)
    access-list MYNAT permit ip host
    access-list MYCrypto permit ip host host

    global (outside) 2

    nat (inside) 2 access-list MYNAT 0 0
    nat (inside) 1 0 0

    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

    crypto map vpnmap 50 ipsec-isakmp
    crypto map vpnmap 50 match address MYCrypto
    crypto map vpnmap 50 set peer
    crypto map vpnmap 50 set transform-set myset

    isakmp key ******** address netmask

    isakmp nat-traversal 20
    : end
    Ryan Casey, Feb 21, 2005
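The outbound order of operations the post relies on (policy NAT first, then the crypto map's match ACL evaluated against the translated packet), as an added Python model that is not part of the thread or of any Cisco code. All addresses are constructed RFC 5737 documentation-range placeholders, not the poster's, and the catch-all `nat (inside) 1 0 0` pool is deliberately left out of the model.

```python
"""Added model of PIX 6.x outbound processing: policy NAT is applied first,
then the crypto map's match ACL is checked against the *translated* packet.
Not the poster's configuration; every address below is a constructed
documentation-range placeholder."""
import ipaddress

Net = ipaddress.ip_network
Addr = ipaddress.ip_address


def acl_permits(acl, src, dst):
    """acl: list of (src_network, dst_network) strings, mirroring
    'access-list NAME permit ip <src> <dst>'; first match wins."""
    s, d = Addr(src), Addr(dst)
    return any(s in Net(a) and d in Net(b) for a, b in acl)


def policy_nat(src, dst, nat_acl, global_ip):
    """Model of 'nat (inside) 2 access-list MYNAT' + 'global (outside) 2 <ip>':
    a source matching the policy ACL is translated to the global address.
    The catch-all 'nat (inside) 1 0 0' pool is ignored here (assumption)."""
    return global_ip if acl_permits(nat_acl, src, dst) else src


def outbound_decision(src, dst, nat_acl, global_ip, crypto_acl):
    """Return (translated_src, encrypted). The crypto ACL is evaluated AFTER
    NAT, so it only matches when written in terms of the translated source."""
    xlated = policy_nat(src, dst, nat_acl, global_ip)
    return xlated, acl_permits(crypto_acl, xlated, dst)


# Constructed topology (placeholders, not the thread's addresses)
INSIDE_HOST = "172.1.1.20"
GLOBAL_IP = "198.51.100.10"      # address the PIX presents to the peer
EXTERNAL_HOST = "203.0.113.5"    # host reached through the peer's VPN
NAT_ACL = [(f"{INSIDE_HOST}/32", f"{EXTERNAL_HOST}/32")]
CRYPTO_ACL_EXTERNAL = [(f"{GLOBAL_IP}/32", f"{EXTERNAL_HOST}/32")]    # post-NAT source
CRYPTO_ACL_INTERNAL = [(f"{INSIDE_HOST}/32", f"{EXTERNAL_HOST}/32")]  # pre-NAT source

if __name__ == "__main__":
    for name, acl in (("external", CRYPTO_ACL_EXTERNAL), ("internal", CRYPTO_ACL_INTERNAL)):
        xl, enc = outbound_decision(INSIDE_HOST, EXTERNAL_HOST, NAT_ACL, GLOBAL_IP, acl)
        print(f"crypto ACL with {name} source: translated to {xl}, encrypted={enc}")
```

Running it shows the same inside host being translated in both cases, but only the crypto ACL written with the post-NAT source selects the packet for encryption.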