Firewall Wizards mailing list archives
PIX TO PIX IPSEC w/ NAT on either side
From: "Paul Matuszewski" <paul () inofficenetworks com>
Date: Thu, 4 Mar 2004 00:04:28 -0500
Hey all,

I have two networks; they're NATted accordingly to get out to the net. I have set up IPsec tunnels before, but this time I'm having difficulty.

Situation: two PIX firewalls, a 501 and a 506. IPsec between two networks:

  Firewall 1: 192.168.5.0
  Firewall 2: 192.168.0.0

Tunnel between the two, while allowing internet traffic to traverse through accordingly. Thoughts? Advised:

PIX1 Config:

cirrus# write term
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cirrus
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.0.10 norad
name 192.168.0.11 liquid
name 192.168.5.10 falkor
name 192.168.5.168 baker
name addressofPIX1 cirrus
name addressofpix2 chiquitita
access-list outbound permit icmp any any
access-list outbound permit ip host norad any
access-list outbound permit ip host falkor any
access-list outbound permit tcp host liquid any range 3000 4000
access-list outbound permit ip host baker any
access-list outbound permit ip host 192.168.5.102 any
access-list outbound permit ip host 192.168.5.148 any
access-list inbound permit icmp any any
access-list inbound permit ip any any
access-list inbound permit tcp host norad any eq pop3
access-list inbound permit tcp host norad any eq smtp
access-list inbound permit tcp host liquid any range 3000 4000
access-list tunnel permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list tunnel permit udp 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list tunnel permit icmp 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outbound2 permit ip any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location falkor 255.255.255.255 inside
pdm location 192.168.5.0 255.255.255.248 inside
pdm location 192.168.5.0 255.255.255.248 outside
pdm location 0.0.0.0 255.255.255.248 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list tunnel
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) tcp chiquitita 3390 liquid 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp chiquitita www falkor www netmask 255.255.255.255 0 0
static (inside,outside) tcp chiquitita smtp norad smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp cirrus 3391 falkor 3389 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 NEXTHOPROUTER 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 68.194.80.153 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http falkor 255.255.255.255 inside
http 192.168.2.10 255.255.255.255 inside
snmp-server host inside falkor
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
no sysopt route dnat
crypto ipsec transform-set woot esp-des esp-md5-hmac
crypto map sequent 1 ipsec-isakmp
crypto map sequent 1 match address tunnel
crypto map sequent 1 set peer chiquitita
crypto map sequent 1 set transform-set woot
crypto map sequent interface outside
isakmp enable outside
isakmp key ******** address chiquitita netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
SSH commands omitted.
ssh timeout 5
dhcpd auto_config outside
terminal width 80
Cryptochecksum:4ba3f7426342b4c17e599c9aaef79307
: end
[OK]

PIX2:

chiquitita(config)# write term
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname chiquitita
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name IPOPIX2 chiquitita
name PIX1 cirrus
access-list inbound permit tcp host 192.168.0.11 any range 3000 4000
access-list inbound permit icmp any any
access-list inbound permit ip any any
access-list inbound permit tcp host 192.168.0.10 any eq pop3
access-list inbound permit tcp host 192.168.0.10 any eq smtp
access-list outbound permit icmp any any
access-list outbound permit ip host 192.168.0.10 any
access-list outbound permit tcp host 192.168.0.11 any range 3000 4000
access-list outbound permit tcp host 192.168.0.240 any eq https
access-list outbound permit tcp host 192.168.0.240 any eq 8080
access-list outbound permit ip any any
access-list tunnel permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list tunnel permit udp 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list tunnel permit icmp 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outbound2 permit ip any any
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside chiquitita 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list tunnel
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp chiquitita 3390 192.168.0.11 3389 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound2 in interface inside
route outside 0.0.0.0 0.0.0.0 NEXTHOPROUTER 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.10 255.255.255.255 inside
http 192.168.0.11 255.255.255.255 inside
http 192.168.5.10 255.255.255.255 inside
http 192.168.2.10 255.255.255.255 inside
snmp-server host inside 192.168.5.10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set woot esp-des esp-md5-hmac
crypto map sequent 1 ipsec-isakmp
crypto map sequent 1 match address tunnel
crypto map sequent 1 set peer cirrus
crypto map sequent 1 set transform-set woot
crypto map sequent interface outside
isakmp enable outside
isakmp key ******** address cirrus netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 10000
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:9246d513a951d7b2112749854c95e87d
: end
[OK]

Thanks,
Paul

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
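An added check for the tunnel-relevant pieces of the two configs in the post above. This is example code written for this page; it is not the poster's code and not a Cisco tool. It takes each PIX's inside subnet from its `ip address inside` line, parses the `access-list tunnel`, `nat (inside) 0` and `crypto map ... match address` lines as posted, and reports whether the crypto ACL on each side is written from the local network towards the remote one (on PIX 6.x both the crypto ACL and the `nat 0` ACL are evaluated on traffic leaving the inside interface, so source must be local and destination remote), whether the two peers' ACLs mirror each other, and which legacy algorithms (DES, MD5, DH group 1) the `transform-set` and `isakmp policy` lines use. The two config fragments are constructed from the posted configs with only the tunnel lines kept.

```python
"""Check the PIX-to-PIX IPsec pieces of the two configs in the post above.

Example added for this page (not the poster's code, not Cisco tooling). The
two config fragments below are constructed from the posted configs, keeping
only the lines that matter for the tunnel.
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"access-list (?P<name>\S+) permit (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)$"
)
CRYPTO_MATCH_RE = r"crypto map \S+ \d+ match address (\S+)"
NAT0_RE = r"nat \(inside\) 0 access-list (\S+)"
# Legacy algorithms, spelled the way PIX 6.x prints them.
LEGACY = {"esp-des": "DES", "encryption des": "DES",
          "hash md5": "MD5", "group 1": "768-bit DH"}


def pix(hostname, inside, acl_src, acl_dst):
    """Constructed config fragment: the tunnel-relevant lines from the post."""
    acl = f"{acl_src} 255.255.255.0 {acl_dst} 255.255.255.0"
    return {
        "hostname": hostname,
        "inside": f"ip address inside {inside}",
        "lines": [f"access-list tunnel permit {p} {acl}" for p in ("ip", "udp", "icmp")]
        + ["nat (inside) 0 access-list tunnel",
           "crypto map sequent 1 match address tunnel",
           "crypto ipsec transform-set woot esp-des esp-md5-hmac",
           "isakmp policy 1 encryption des",
           "isakmp policy 1 hash md5",
           "isakmp policy 1 group 1"],
    }


PIX1 = pix("cirrus", "192.168.5.1 255.255.255.0", "192.168.0.0", "192.168.5.0")
PIX2 = pix("chiquitita", "192.168.0.1 255.255.255.0", "192.168.5.0", "192.168.0.0")


def inside_network(p):
    """Subnet behind the inside interface, from 'ip address inside A M'."""
    addr, mask = p["inside"].split()[-2:]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def first_match(p, pattern):
    """First capture group of the first config line matching pattern, or None."""
    for line in p["lines"]:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def acl_entries(p, name):
    """(proto, src_net, dst_net) for every ACE of the named access-list."""
    out = []
    for line in p["lines"]:
        m = ACL_RE.match(line)
        if m and m["name"] == name:
            out.append((m["proto"],
                        ipaddress.ip_network(f"{m['src']}/{m['smask']}"),
                        ipaddress.ip_network(f"{m['dst']}/{m['dmask']}")))
    return out


def check_side(p):
    """Findings for one PIX: nat 0 / crypto map agreement and ACE direction.

    Both lists are evaluated on traffic leaving the inside interface, so each
    ACE must read local network -> remote network.
    """
    findings = []
    local = inside_network(p)
    crypto = first_match(p, CRYPTO_MATCH_RE)
    nat0 = first_match(p, NAT0_RE)
    if crypto is None:
        return ["no 'crypto map ... match address' line"]
    if nat0 != crypto:
        findings.append(f"nat 0 exempts {nat0!r} but crypto map matches {crypto!r}")
    entries = acl_entries(p, crypto)
    for proto, src, dst in entries:
        if dst.overlaps(local) and not src.overlaps(local):
            findings.append(f"{proto} {src} -> {dst}: reversed, local net is {local}")
        elif not src.overlaps(local):
            findings.append(f"{proto} {src} -> {dst}: source is not local net {local}")
    protos = {proto for proto, _, _ in entries}
    if "ip" in protos and protos - {"ip"}:
        findings.append("'ip' ACE already covers " + ", ".join(sorted(protos - {"ip"})))
    return findings


def mirrored(a, b):
    """True when every crypto ACE on a appears reversed on b, and vice versa."""
    ea = set(acl_entries(a, first_match(a, CRYPTO_MATCH_RE)))
    eb = {(proto, dst, src)
          for proto, src, dst in acl_entries(b, first_match(b, CRYPTO_MATCH_RE))}
    return ea == eb


def legacy_crypto(p):
    """Sorted names of legacy algorithms referenced by the config lines."""
    return sorted({tag for line in p["lines"]
                   for key, tag in LEGACY.items() if key in line})


if __name__ == "__main__":
    for p in (PIX1, PIX2):
        print(p["hostname"], check_side(p), legacy_crypto(p))
    print("crypto ACLs mirror each other:", mirrored(PIX1, PIX2))
```

Run against the posted values, `mirrored()` is true while `check_side()` flags every `tunnel` ACE on both firewalls as reversed: cirrus sits in front of 192.168.5.0/24 but its ACL names 192.168.0.0/24 as source, and chiquitita has the opposite problem. A mirror check alone would therefore pass this pair; the direction check against the local inside subnet is the one that matters, since an ACE that never matches outbound traffic neither exempts it from `nat (inside) 1` nor brings up the crypto map.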
Current thread:
- PIX TO PIX IPSEC w/ NAT on either side Paul Matuszewski (Mar 04)
- <Possible follow-ups>
- RE: PIX TO PIX IPSEC w/ NAT on either side Melson, Paul (Mar 07)