PIX VPN - NAT and 2 External IP for Peer/Host
Ryan Casey
Guest

Posted: Wed Feb 16, 2005 11:59 pm    Post subject: PIX VPN - NAT and 2 External IP for Peer/Host

We are trying to configure a PIX firewall. The other end is at another
company that allows many VPNs, so they require two routable (external)
IP addresses, no internals allowed.

We successfully set up a VPN with the PIX and a forward router. However,
we are load balancing routers and would like to put the entire VPN on the PIX.

Below is a sketch (fake IPs, use fixed width font) of how we would like it to be.

------------------------------     ---------------------     ------------------     -----------------
| Internal Network 172.1.1.x |     | PIX 67.2.2.222    |     | External Peer  |     | External Host |
|                            | --> | NAT to 67.2.2.2   |     |                |     |               |
|                            |     | Crypt             | --> | 157.3.3.3      | --> | 160.4.4.4     |
------------------------------     ---------------------     ------------------     -----------------

If we have a router outside the PIX, it works fine. But trying to do it all on the PIX fails.

We had thought that it would go:
From: 172.1.1.100
To: 160.4.4.4

NAT Translated to
From: 67.2.2.2
To: 160.4.4.4

Tunnel Set Up from PIX (67.2.2.222) to Remote Peer (157.3.3.3)

Encrypt Packet

Send Packet

Decrypted on 157.3.3.3
From: 67.2.2.2
To: 160.4.4.4

Packet forwarded to 160.4.4.4 (NAT translated to remote internal if need be)


Return packets should come back in reverse, being decrypted on the PIX and then NATted back
to the internal network.

This is not what is happening. We have other VPNs using internal local and remote addresses,
and those are not failing. If we monitor the interface, we start seeing a Send Error for each
packet that it attempts to send, and no tunnel is ever established.

What are we missing here? Attached at the bottom is the relevant config (I think), converted to the
above IPs.


Thank you!
Ryan Casey


-------------

PIX Version 6.3(3)
access-list MYNAT permit ip 172.1.1.0 255.255.255.0 host 160.4.4.4
access-list MYCrypto permit ip host 67.2.2.2 host 160.4.4.4

nat (inside) 2 access-list MYNAT 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map vpnmap 50 ipsec-isakmp
crypto map vpnmap 50 match address MYCrypto
crypto map vpnmap 50 set peer 157.3.3.3
crypto map vpnmap 50 set transform-set myset

isakmp key ******** address 157.3.3.3 netmask 255.255.255.255

isakmp nat-traversal 20
: end
Ryan Casey
Guest

Posted: Fri Feb 18, 2005 7:45 pm    Post subject: Re: PIX VPN - NAT and 2 External IP for Peer/Host

Would someone please post an "I don't know" so I know this made it to
the rest of the NNTP servers :-) Thanks!

Ryan Casey

Ryan Casey <ryan.caey@provion_removeme.com> wrote in news:1108580381.93356b5ef0e8b6b594be44ff2057dbf1@teranews:

Merv
Guest

Posted: Fri Feb 18, 2005 7:54 pm    Post subject: Re: PIX VPN - NAT and 2 External IP for Peer/Host

instead of "nat (inside) 2 access-list MYNAT 0 0"
try "nat (inside) 0 access-list MYNAT"



Ryan Casey
Guest

Posted: Sat Feb 19, 2005 1:27 am    Post subject: Re: PIX VPN - NAT and 2 External IP for Peer/Host

Thank you, but I don't think that will do it. I am trying to establish
a VPN with all external addresses as the Peer and Host. If I use a nat
0, the internal addresses of my network will never be NATted to my
virtual external Host address, will it?

MyInside -> MyPIX <--> RemotePeer <-- RemoteHost


I want to VPN from MyInside to RemoteHost. RemoteHost is an external
address and the company hosting it requires an external address for my
host.

I am using NAT on MyPIX to translate MyInside to one external address
(VirtualHost). This should then be encrypted and sent to RemotePeer
through a tunnel established with MyPIX, specifying the originating
host as VirtualHost and the destination as RemoteHost.

The return packet should be received by MyPIX as destined for
VirtualHost. It should then be NATted to MyInside.

I am using NAT Traversal, which should correct for any problems with the
port mapping of the NAT. This is running PIX Version 6.3(3).

Ryan P. Casey



"Merv" <merv.hrabi@rogers.com> wrote in news:1108738470.487102.228460@l41g2000cwc.googlegroups.com:

Quote:
instead of "nat (inside) 2 access-list MYNAT 0 0"
try "nat (inside) 0 access-list MYNAT"


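Added example (not from the thread and not Cisco code): a small Python model of the PIX 6.x outbound order of operations, NAT first and then the crypto map ACL evaluated against the translated source, run over the config as posted, over the posted config plus a constructed `global (outside) 2 67.2.2.2` line (the snippet above shows no global for NAT id 2), and over Merv's `nat (inside) 0` variant. It assumes single-address globals and inside-to-outside traffic only.

```python
import ipaddress

def _net(tok):  # one address spec: "host A" or "NET MASK"; returns (network, remaining tokens)
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse(cfg):
    acls, nats, globs, crypto_acl = {}, [], {}, None
    for t in filter(None, (line.split() for line in cfg.splitlines())):
        if t[0] == "access-list":               # access-list NAME permit ip SRC DST
            src, rest = _net(t[4:])
            acls.setdefault(t[1], []).append((src, _net(rest)[0]))
        elif t[:2] == ["nat", "(inside)"]:      # nat (inside) ID access-list ACL | 0.0.0.0 0.0.0.0
            nats.append((int(t[2]), t[4] if t[3] == "access-list" else None))
        elif t[:2] == ["global", "(outside)"]:  # global (outside) ID IP (single address only)
            globs[int(t[2])] = t[3]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto_acl = t[6]
    return acls, nats, globs, crypto_acl

def acl_permits(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)

def outbound(cfg, src_ip, dst_ip):
    acls, nats, globs, crypto_acl = parse(cfg)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # ACL-based rules (nat 0 exemption, policy NAT) are checked before the catch-all.
    for nat_id, acl in sorted(nats, key=lambda n: n[1] is None):
        if acl is not None and not acl_permits(acls[acl], src, dst):
            continue
        if nat_id == 0:                         # nat 0: identity, source unchanged
            xlated = src
        elif nat_id in globs:
            xlated = ipaddress.ip_address(globs[nat_id])
        else:                                   # PIX logs 305005 and drops the packet
            return {"nat_id": nat_id, "error": "no translation group found"}
        break
    else:
        return {"error": "no nat rule matched"}
    # The crypto map is consulted after NAT, so its ACL sees the translated source.
    return {"nat_id": nat_id, "src": str(xlated), "tunnel": acl_permits(acls[crypto_acl], xlated, dst)}

POSTED = """access-list MYNAT permit ip 172.1.1.0 255.255.255.0 host 160.4.4.4
access-list MYCrypto permit ip host 67.2.2.2 host 160.4.4.4
nat (inside) 2 access-list MYNAT 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map vpnmap 50 match address MYCrypto
"""
WITH_GLOBAL = POSTED + "global (outside) 2 67.2.2.2\n"   # constructed: a global for NAT id 2
NAT_ZERO = POSTED.replace("nat (inside) 2 access-list MYNAT 0 0", "nat (inside) 0 access-list MYNAT")
```

With the posted lines alone the flow hits NAT id 2 and has nowhere to translate to; with the constructed global it leaves as 67.2.2.2 and matches MYCrypto; with nat 0 it leaves as 172.1.1.100 and never matches MYCrypto, which is the point Ryan raises against the nat 0 suggestion.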