Firewall Wizards mailing list archives

PIX TO PIX IPSEC w/ NAT on either side


From: "Paul Matuszewski" <paul () inofficenetworks com>
Date: Thu, 4 Mar 2004 00:04:28 -0500

Hey all,
I have two networks; they're natted accordingly to get out to the net.
I have set up IPsec tunnels before, but this time I'm having difficulty.
Situation: two PIX firewalls, a 501 and a 506. IPsec between two networks:
Firewall 1 192.168.5.0
Firewall 2 192.168.0.0

Tunnel between the two, while allowing internet traffic to traverse
through accordingly.

Thoughts? 


Advised:
PIX1 Config:
cirrus# write term
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cirrus
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.0.10 norad
name 192.168.0.11 liquid
name 192.168.5.10 falkor
name 192.168.5.168 baker
name addressofPIX1 cirrus
name addressofpix2 chiquitita
access-list outbound permit icmp any any 
access-list outbound permit ip host norad any 
access-list outbound permit ip host falkor any 
access-list outbound permit tcp host liquid any range 3000 4000 
access-list outbound permit ip host baker any 
access-list outbound permit ip host 192.168.5.102 any 
access-list outbound permit ip host 192.168.5.148 any 
access-list inbound permit icmp any any 
access-list inbound permit ip any any 
access-list inbound permit tcp host norad any eq pop3 
access-list inbound permit tcp host norad any eq smtp 
access-list inbound permit tcp host liquid any range 3000 4000 
access-list tunnel permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list tunnel permit udp 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list tunnel permit icmp 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outbound2 permit ip any any 
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location falkor 255.255.255.255 inside
pdm location 192.168.5.0 255.255.255.248 inside
pdm location 192.168.5.0 255.255.255.248 outside
pdm location 0.0.0.0 255.255.255.248 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list tunnel
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) tcp chiquitita 3390 liquid 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp chiquitita www falkor www netmask 255.255.255.255 0 0 
static (inside,outside) tcp chiquitita smtp norad smtp netmask 255.255.255.255 0 0 
static (inside,outside) tcp cirrus 3391 falkor 3389 netmask 255.255.255.255 0 0 
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 NEXTHOPROUTER 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
http server enable
http 68.194.80.153 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http falkor 255.255.255.255 inside
http 192.168.2.10 255.255.255.255 inside
snmp-server host inside falkor
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
no sysopt route dnat
crypto ipsec transform-set woot esp-des esp-md5-hmac 
crypto map sequent 1 ipsec-isakmp
crypto map sequent 1 match address tunnel
crypto map sequent 1 set peer chiquitita
crypto map sequent 1 set transform-set woot
crypto map sequent interface outside
isakmp enable outside
isakmp key ******** address chiquitita netmask 255.255.255.255 
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
Ssh commands omitted.
ssh timeout 5
dhcpd auto_config outside
terminal width 80
Cryptochecksum:4ba3f7426342b4c17e599c9aaef79307
: end
[OK]


PIX2:
chiquitita(config)# write term
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname chiquitita
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name IPOPIX2 chiquitita
name PIX1 cirrus
access-list inbound permit tcp host 192.168.0.11 any range 3000 4000 
access-list inbound permit icmp any any 
access-list inbound permit ip any any 
access-list inbound permit tcp host 192.168.0.10 any eq pop3 
access-list inbound permit tcp host 192.168.0.10 any eq smtp 
access-list outbound permit icmp any any 
access-list outbound permit ip host 192.168.0.10 any 
access-list outbound permit tcp host 192.168.0.11 any range 3000 4000 
access-list outbound permit tcp host 192.168.0.240 any eq https 
access-list outbound permit tcp host 192.168.0.240 any eq 8080 
access-list outbound permit ip any any 
access-list tunnel permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list tunnel permit udp 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list tunnel permit icmp 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list outbound2 permit ip any any 
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside chiquitita 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list tunnel
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp chiquitita 3390 192.168.0.11 3389 netmask 255.255.255.255 0 0 
access-group inbound in interface outside
access-group outbound2 in interface inside
route outside 0.0.0.0 0.0.0.0 NEXTHOPROUTER 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.10 255.255.255.255 inside
http 192.168.0.11 255.255.255.255 inside
http 192.168.5.10 255.255.255.255 inside
http 192.168.2.10 255.255.255.255 inside
snmp-server host inside 192.168.5.10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set woot esp-des esp-md5-hmac 
crypto map sequent 1 ipsec-isakmp
crypto map sequent 1 match address tunnel
crypto map sequent 1 set peer cirrus
crypto map sequent 1 set transform-set woot
crypto map sequent interface outside
isakmp enable outside
isakmp key ******** address cirrus netmask 255.255.255.255 
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 10000
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:9246d513a951d7b2112749854c95e87d
: end
[OK]


Thanks,
Paul
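When two PIX configs are posted side by side like this, the first thing worth doing is a mechanical comparison of the pieces that must agree for the tunnel to come up: the transform-set, the ISAKMP policy attributes, whether the `nat (inside) 0 access-list` exemption names the same ACL the crypto map matches on, whether the two crypto ACLs are mirror images of each other, and whether each side's crypto ACL is written from its own inside subnet outward (on a PIX the `nat 0` and `crypto map match address` ACL is local-inside source, remote destination). The script below is an added example, not code from the post or from Cisco; it parses only the command forms that appear in the two configs above, the excerpts it carries are copied from those configs, and the regexes are assumptions about that line layout.

```python
"""Consistency checks for a pair of PIX 6.x site-to-site IPsec configs.

Added illustration, not code from the original post. The PIX command
forms parsed here (ip address inside, access-list, nat 0 access-list,
crypto ipsec transform-set, crypto map ... match address / set
transform-set, isakmp policy) are the ones used in the posted configs;
the excerpts below are copied from those configs, and the regexes are
assumptions about how those lines are laid out.
"""
import ipaddress
import re

# Excerpts of the two posted configs (only the lines the checks need).
PIX1 = """
ip address inside 192.168.5.1 255.255.255.0
access-list tunnel permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list tunnel permit udp 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list tunnel permit icmp 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list tunnel
crypto ipsec transform-set woot esp-des esp-md5-hmac
crypto map sequent 1 match address tunnel
crypto map sequent 1 set transform-set woot
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
"""

PIX2 = """
ip address inside 192.168.0.1 255.255.255.0
access-list tunnel permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list tunnel permit udp 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list tunnel permit icmp 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list tunnel
crypto ipsec transform-set woot esp-des esp-md5-hmac
crypto map sequent 1 match address tunnel
crypto map sequent 1 set transform-set woot
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 10000
"""


def _net(addr, mask):
    # PIX writes dotted netmasks; ipaddress accepts "addr/netmask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(cfg):
    """Pull the IPsec-relevant pieces out of a PIX 6.x 'write term' dump."""
    d = {"acl": {}, "policy": {}, "ts": {}, "crypto": {}}
    rules = [
        (r"ip address inside (\S+) (\S+)$",
         lambda m: d.__setitem__("inside", _net(m[1], m[2]))),
        # only the network-to-network ACL form: proto src mask dst mask
        (r"access-list (\S+) permit (\S+) (\S+) (\S+) (\S+) (\S+)$",
         lambda m: d["acl"].setdefault(m[1], []).append(
             (m[2], _net(m[3], m[4]), _net(m[5], m[6])))),
        (r"nat \(inside\) 0 access-list (\S+)$",
         lambda m: d.__setitem__("nat0", m[1])),
        (r"crypto ipsec transform-set (\S+) (.+)$",
         lambda m: d["ts"].__setitem__(m[1], tuple(m[2].split()))),
        (r"crypto map \S+ \d+ match address (\S+)$",
         lambda m: d["crypto"].__setitem__("match", m[1])),
        (r"crypto map \S+ \d+ set transform-set (\S+)$",
         lambda m: d["crypto"].__setitem__("ts", m[1])),
        (r"isakmp policy \d+ (\S+) (\S+)$",
         lambda m: d["policy"].__setitem__(m[1], m[2])),
    ]
    for line in cfg.splitlines():
        line = line.strip()
        for pat, action in rules:
            m = re.match(pat, line)
            if m:
                action(m)
                break
    return d


def check_pair(a, b, names=("cirrus", "chiquitita")):
    """Return (code, message) findings for two parsed peer configs."""
    findings = []
    ts_a = a["ts"].get(a["crypto"].get("ts"))
    ts_b = b["ts"].get(b["crypto"].get("ts"))
    if ts_a != ts_b:
        findings.append(("transform", f"transform sets differ: {ts_a} vs {ts_b}"))
    for k in sorted(set(a["policy"]) | set(b["policy"])):
        if a["policy"].get(k) != b["policy"].get(k):
            findings.append(("policy", f"isakmp policy {k} differs: "
                             f"{a['policy'].get(k)} vs {b['policy'].get(k)}"))
    for name, d in zip(names, (a, b)):
        acl = d["crypto"].get("match")
        if d.get("nat0") != acl:
            findings.append(("nat0", f"{name}: nat 0 exempts {d.get('nat0')} "
                             f"but crypto map matches {acl}"))
        # crypto/nat 0 ACL must be written local-inside -> remote
        bad = sorted({str(src) for _, src, _ in d["acl"].get(acl, [])
                      if not src.subnet_of(d["inside"])})
        if bad:
            findings.append(("direction", f"{name}: crypto ACL {acl} source {bad} "
                             f"is not within inside {d['inside']}"))
    sa = {(p, s, t) for p, s, t in a["acl"].get(a["crypto"].get("match"), [])}
    sb = {(p, t, s) for p, s, t in b["acl"].get(b["crypto"].get("match"), [])}
    if sa != sb:
        findings.append(("mirror", "crypto ACLs are not mirror images of each other"))
    return findings


if __name__ == "__main__":
    for code, msg in check_pair(parse_pix(PIX1), parse_pix(PIX2)):
        print(f"[{code}] {msg}")
```

Run against the two excerpts, the checker is silent on the transform-set, the `nat 0` exemption and the mirror test, and reports the ISAKMP lifetime difference (1000 vs 10000) plus a direction finding for each firewall, since each side's `tunnel` ACL has the remote subnet as its source. The ISAKMP lifetime finding is informational; the direction findings are the ones to look at when NAT exemption and the crypto map share an ACL.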

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards