Firewall Wizards mailing list archives

RE: Cisco PIX506 problem minxing VPN and NAT


From: "Hart, Kevin" <KHart () helixtechnology com>
Date: Fri, 10 Oct 2003 17:07:45 -0400


I don't use the PDM very much either. But the other day I fired it up and it
wouldn't let me look at my config because the same ACL was in use by a Crypto
Map and NAT statement. For someone who is unfamiliar with the PIX they might
have thought there was an error despite the fact that it works perfectly fine.

Regards,
Kevin


-----Original Message-----
From: Wes Noonan [mailto:mailinglists () wjnconsulting com]
Sent: Friday, October 10, 2003 1:04 PM
To: 'Michael J. Tubby B.Sc. (Hons) G8TIC';
firewall-wizards () honor icsalabs com; KHart () helixtechnology com;
Ken () kccweb com
Subject: RE: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT


Agreed. It seems to be an artificial limitation in the PDM more than
anything else in my experience. Similar to how early versions of the PDM
didn't like the established command.

Cheers

Wes

-----Original Message-----
From: Michael J. Tubby B.Sc. (Hons) G8TIC
[mailto:mike.tubby () thorcom co uk]
Sent: Friday, October 10, 2003 11:42
To: mailinglists () wjnconsulting com; firewall-wizards () honor icsalabs com;
KHart () helixtechnology com; Ken () kccweb com
Subject: Re: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT

Wes,

I'm a command line person... always have been... always will be.

The problem of having two different ACLs with the same entries sounds like a
limitation of the application software rather than anything in the PIX per
se... assuming that PIXes work like IOS boxes, as I have many a 2621/3640
with the same ACLs applied to many interfaces...

Mike



One caveat that you will find is that if you use the PDM it doesn't support
using the same ACL for multiple uses. So for me I typically create a
"nonat01" ACL and then a "VPN01" ACL that is the same. If you don't use the
PDM it doesn't matter, and functionally it doesn't seem to break anything to
use a single ACL though. Maybe someone from Cisco can chime in on the issue?

Glad it worked for you.

Wes

-----Original Message-----
From: Michael J. Tubby B.Sc. (Hons) G8TIC
[mailto:mike.tubby () thorcom co uk]
Sent: Friday, October 10, 2003 03:25
To: mailinglists () wjnconsulting com; firewall-wizards () honor icsalabs com;
KHart () helixtechnology com; Ken () kccweb com
Subject: Re: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT

Gents,

Thanks to Wes, Kevin, Ken and everyone else who came up with
the same answer. The:

    nat (inside) 0 access-list 101

command fixed it fine (I'm also using access list 101 to define the
interesting traffic to go down the VPN).

Regards

Mike
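A minimal PIX 6.x configuration, added here as an illustration (not Mike's or Wes's own config), showing the arrangement the thread converges on: access-list 101 drives both the NAT exemption (nat (inside) 0) and the crypto map's interesting traffic, with the static mappings from requirement (b) alongside. The subnets and public addresses are the ones in Mike's post; PEER_IP and KEY are placeholders, and the "!" lines are explanatory comments.

```cisco
! Inside hosts 192.168.10.0/24 reach the customer LAN 10.0.0.0/24 over the tunnel.
! This single ACL defines both the NAT-exempt traffic and the crypto "interesting traffic".
access-list 101 permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0

! NAT exemption: traffic matching ACL 101 is evaluated before the statics below,
! so tunnel traffic keeps its 192.168.10.x addresses in both directions and the
! ICMP echo replies coming back through the tunnel are no longer rewritten.
nat (inside) 0 access-list 101

! Requirement (b): one-to-one static mappings for internet-bound traffic.
static (inside,outside) 193.82.116.240 192.168.10.240 netmask 255.255.255.255 0 0
static (inside,outside) 193.82.116.241 192.168.10.241 netmask 255.255.255.255 0 0

! 3DES/SHA IPsec to the customer's 3640 with a pre-shared key (placeholders: PEER_IP, KEY).
sysopt connection permit-ipsec
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 101
crypto map vpnmap 10 set peer PEER_IP
crypto map vpnmap 10 set transform-set 3des-sha
crypto map vpnmap interface outside
isakmp enable outside
isakmp key KEY address PEER_IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! PDM-friendly variant (Wes's approach): two identical ACLs, so the PDM does not
! object to one ACL being referenced by both nat 0 and the crypto map.
! access-list nonat01 permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
! access-list VPN01 permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
! nat (inside) 0 access-list nonat01
! crypto map vpnmap 10 match address VPN01
```

To confirm the exemption is doing its job, ping a 10.0.0.x host from the inside and check that the encaps/decaps counters in "show crypto ipsec sa" climb while "show xlate" shows no translation for that 192.168.10.x source.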



----- Original Message -----
From: "Wes Noonan" <mailinglists () wjnconsulting com>
To: "'Michael J. Tubby B.Sc. (Hons) G8TIC'" <mike.tubby () thorcom co uk>;
<firewall-wizards () honor icsalabs com>
Sent: Monday, October 06, 2003 6:45 PM
Subject: RE: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT


Without seeing your config file I would recommend looking at the following
options:

1) Use the PDM to configure the VPN until you get more comfortable with the
commands required
2) Look into the "nat (inside) 0" command.
3) http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration
check out the multitude of VPN configuration examples.

Thanks.

Wes

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Michael J.
Tubby B.Sc. (Hons) G8TIC
Sent: Monday, October 06, 2003 11:58
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT

Hi,

I've been working with IP and Cisco routers for many years, but
am now somewhat stuck on a problem involving IPSEC VPN
tunnels mixed with NAT on a Cisco PIX506E box (firmware 6.2)
- I'm pretty new to PIX firewalls.

A simplified network diagram can be found at:

        http://www.tubby.org/cisco/networking/vpn_config.pdf

where "our site" is local to me and "customer site" is the far end - I
am not responsible for the equipment at the customer site.

We have a number of hosts that are on an "inside" LAN segment
(192.168.10.0/24) for which I need to arrange two things to occur:

a) they must travel across a 3DES VPN tunnel and land on a Cisco
   3640 at the far end (customer site) and reach other machines on
   10.0.0.0/24 there

b) they must appear with "real" IP addresses via NAT from our
   internet connection, and there must be a static mapping between
   the public IP address and the internal IP address, for example:

            193.82.116.240 => 192.168.10.240
            193.82.116.241 => 192.168.10.241

   nb. the machines on the "inside" have only the 192.168.10.xxx form
   of address; the PIX506E must NAT each one in and outbound to
   the public internet equivalent 193.82.116.xxx address.

At our site we have a Cisco 2621 with IP/FW/IDS which is "locked
down" fairly tightly (port by port ACLs etc.) After some considerable
fiddling about to open ISAKMP (udp/500) and ESP I've got the
IPSEC bit working and get the security association etc. all set up
between the PIX506E and the Customer's 3640 and I can see packets
leaving correctly when I ping 10.0.0.xx addresses.

However, there appears to be a problem that the packets that come
back in from the VPN tunnel, e.g. ICMP Echo Reply, these are addressed
to the 192.168.10.xxx host when leaving the remote machine making the
reply but appear to get caught up in the NAT that I've configured for
requirement (b) above - so the PIX appears to NAT the reply packets
back to 193.82.116.xxx packets when it should have just dropped them
in the "inside" interface.

Clearly something isn't right but I'm struggling to find details on the
way in which VPN and NAT interact inside PIX firewalls.

Any help/ideas would be greatly appreciated.


Mike Tubby

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
