Using NAT/VPN on PIX (Peer/Host External Addresses)

Discussion in 'Cisco' started by Ryan Casey, Feb 21, 2005.

  1. Ryan Casey

    Ryan Casey Guest

    NOTE: All addresses in the below configuration are external addresses.
    The VPN should be established using only these external addresses,
    _no_ internal network addresses.

    We are trying to configure a PIX firewall. The other end is at another
    company that allows many VPN's so they require two routeable (external)
    IP addresses, no internals allowed.

    We successfully set up a VPN with the PIX and a forward router. However,
    we are load balancing routers and would like to the entire VPN on the PIX.

    Below is a sketch (fake IPs, use fixed width font) of how we would like it to be.

    ------------------------------ --------------------- ------------------ -----------------
    | Internal Network 172.1.1.x | | PIX 67.2.2.222 | | External Peer | | External Host |
    | | --> | NAT to 67.2.2.2 | | | | |
    | | | Crypt | --> | 157.3.3.3 | --> | 160.4.4.4 |
    ------------------------------ --------------------- ------------------ -----------------

    If we have a router outside the PIX, we work fine. But trying to do it all on the PIX fails

    We had thought that it would go:
    From: 172.1.1.100
    To: 160.4.4.4

    NAT Translated to
    From: 67.2.2.2
    To: 160.4.4.4

    Tunnel Set Up from PIX (67.2.2.222) to Remote Peer (157.3.3.3)

    Encrypt Packet

    Send Packet

    Decrypted on 157.3.3.3
    From: 67.2.2.2
    To: 160.4.4.4

    Packet forwarded to 160.4.4.4 (NAT translated to remote internal if need be)


    Return packets should come back in reverse, being decrypted on the PIX and then NATted back
    to the internal network.

    This is not what is happening. We have other VPNs using internal local and remote addresses,
    and it is not failing. If we monitor the interface, we start seeing a Send Error for each
    packet that is attempted to be sent, and there is no tunnel ever established.

    What are we missing here? Attached at bottom is relevant config (I think), converted to the
    above ips.


    Thank you!
    Ryan Casey


    -------------

    PIX Version 6.3(3)
    access-list MYNAT permit ip 172.1.1.0 255.255.255.0 host 160.4.4.4
    access-list MYCrypto permit ip host 67.2.2.2 host 160.4.4.4

    global (outside) 2 67.2.2.2

    nat (inside) 2 access-list MYNAT 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

    crypto map vpnmap 50 ipsec-isakmp
    crypto map vpnmap 50 match address MYCrypto
    crypto map vpnmap 50 set peer 157.3.3.3
    crypto map vpnmap 50 set transform-set myset

    isakmp key ******** address 157.3.3.3 netmask 255.255.255.255

    isakmp nat-traversal 20
    : end
     
    Ryan Casey, Feb 21, 2005
    #1
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.