03-07-2007 10:19 PM
Has anybody tried an inbound NAT at the concentrator side? It is documented and also described in TAC Case K31070531, but I have had no success implementing this.
Regards
Christoph
03-08-2007 01:51 AM
Hi,
Sounds interesting. You said it's documented; can you point us to that document?
-Kanishka
03-08-2007 03:02 AM
Hi,
It's in the concentrator documentation, but with my poor English ... I may have misunderstood that. But the TAC description is clear, I think.
Regards
Christoph
K31070531
To configure inbound NAT on the Cisco VPN 3000 Concentrator, perform these steps:
1. Log in to the Concentrator through HTTP or HTTPS.
2. Go to Configuration > Policy Management > Traffic Management > NAT > Enable.
3. Select LAN-LAN NAT Rules. Click Apply.
4. Go to Configuration > Policy Management > Traffic Management > NAT > LAN-LAN NAT Rules.
5. Click Add.
6. Select Static. Configure the source address, translated address and the destination address with correct relevant wildcard masks.
7. Click Add.
Note: The source address is the remote address. The destination address is the local address behind the Concentrator. The translated address is the one into which the remote address should be translated.
For example, the remote network is 1.1.1.0 255.255.255.0. If the network behind the Concentrator is 2.2.2.0 255.255.255.0, and you want the remote network to be visible as 3.3.3.0 255.255.255.0, it would look like this:
Source: 1.1.1.0, Wildcard Mask: 0.0.0.255
Translated: 3.3.3.0, Wildcard Mask: 0.0.0.255
Destination: 2.2.2.0, Wildcard Mask: 0.0.0.255
For additional information, refer to the Configuration | Policy Management | Traffic Management | NAT section of Policy Management.
03-08-2007 04:41 AM
Hi,
Are you not able to implement this? What issues are you facing?
-Kanishka
03-08-2007 04:52 AM
Hi,
My issue is that the communication from the remote side will not be NATted. In the firewall log (the firewall is behind the concentrator on the internal side) I see the un-NATted IP address and therefore a deny.
Christoph
03-08-2007 03:27 PM
This should work. Can you post your NAT rules here so that we can take a look?
-Kanishka
03-09-2007 01:12 AM
Here is the architecture:
Remote Client -> PIX -> Tunnel -> Concentrator -> Firewall -> Internal
The client is in network 172.22.0.0/16, trying to connect to host 172.26.130.25/32, which is also a NATted address. The client has the IP 172.22.1.2.
Here are the two NAT statements, for the local host and for the remote network:
[natrules 4.2]
rowstatus=1
name=
srcIp=10.60.1.3
srcMsk=255.255.255.255
dstIp=172.26.130.25
dstMsk=255.255.255.255
RemoteIp=0.0.0.0
RemoteMask=0.0.0.0
action=31
portmin=49152
portmax=65535
direct=2
protocol=255
tunneled=2
type=1
[natrules 4.8]
rowstatus=1
name=
srcIp=172.22.0.0
srcMsk=255.255.0.0
dstIp=10.61.0.0
dstMsk=255.255.0.0
RemoteIp=0.0.0.0
RemoteMask=0.0.0.0
action=31
portmin=49152
portmax=65535
direct=2
protocol=255
tunneled=2
type=1
Here is the output from the internal firewall log:
Mar 6 13:12:19 10.2.1.115 FWSM %FWSM-3-106010: Deny inbound icmp src dmz-vpn:172.22.1.2 dst inside:10.60.1.3 (type 8, code 0)
This looks like the outbound host NAT is done, but the inbound NAT for the remote network is not (same log entries for TCP).
Regards
Christoph Ohliger
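Reading the posted [natrules] export against the FWSM log line by hand is error-prone, so here is a small added diagnostic (my own code, not from the thread or from Cisco) that parses both and reports, for each address in the deny message, which rule range it falls into and whether it appears in the form the inside firewall should see. It assumes that in this export srcIp/srcMsk is the address to be translated and dstIp/dstMsk is the translated address (consistent with rule 4.2, where the host 10.60.1.3 is visible as 172.26.130.25); the rule text and the log line are copied from the thread into constructed string constants.

```python
import ipaddress
import re

# Constructed copy of the two [natrules] entries from the post (VPN 3000 config export).
NATRULES_EXPORT = """\
[natrules 4.2]
srcIp=10.60.1.3
srcMsk=255.255.255.255
dstIp=172.26.130.25
dstMsk=255.255.255.255
RemoteIp=0.0.0.0
RemoteMask=0.0.0.0
direct=2
type=1
[natrules 4.8]
srcIp=172.22.0.0
srcMsk=255.255.0.0
dstIp=10.61.0.0
dstMsk=255.255.0.0
RemoteIp=0.0.0.0
RemoteMask=0.0.0.0
direct=2
type=1
"""

# Constructed copy of the FWSM deny line from the post.
FWSM_LOG = ("Mar 6 13:12:19 10.2.1.115 FWSM %FWSM-3-106010: Deny inbound icmp src "
            "dmz-vpn:172.22.1.2 dst inside:10.60.1.3 (type 8, code 0)")


def parse_natrules(text):
    """Turn the '[natrules x.y]' sections of a config export into a list of dicts."""
    rules, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\[natrules (\S+)\]", line)
        if m:
            current = {"id": m.group(1)}
            rules.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key] = value
    return rules


def to_net(ip, mask):
    """Build a network from dotted address + dotted mask, e.g. 10.60.1.3 / 255.255.255.255."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_fwsm_deny(line):
    """Extract source/destination interface and address from a %FWSM-3-106010 message."""
    m = re.search(r"src (\S+?):(\d+\.\d+\.\d+\.\d+) dst (\S+?):(\d+\.\d+\.\d+\.\d+)", line)
    if not m:
        return None
    return {"src_if": m.group(1), "src": ipaddress.ip_address(m.group(2)),
            "dst_if": m.group(3), "dst": ipaddress.ip_address(m.group(4))}


def classify_address(addr, rules):
    """Return (rule id, 'original' | 'translated') for the first rule whose
    original (srcIp) or translated (dstIp) range contains addr, else (None, None).
    Assumption: srcIp = real address, dstIp = translated address."""
    for r in rules:
        if addr in to_net(r["srcIp"], r["srcMsk"]):
            return r["id"], "original"
        if addr in to_net(r["dstIp"], r["dstMsk"]):
            return r["id"], "translated"
    return None, None


def diagnose(log_line, rules):
    """On the inside of the concentrator a correctly translated tunnel packet carries the
    remote *source* in its translated form and the local *destination* in its original form.
    Flag each address whose form does not match that expectation."""
    pkt = parse_fwsm_deny(log_line)
    expected = {"src": "translated", "dst": "original"}
    findings = {}
    for field in ("src", "dst"):
        rule_id, seen_as = classify_address(pkt[field], rules)
        findings[field] = {
            "address": str(pkt[field]),
            "rule": rule_id,
            "seen_as": seen_as,
            "nat_applied": (seen_as == expected[field]) if rule_id else None,
        }
    return findings


if __name__ == "__main__":
    for field, info in diagnose(FWSM_LOG, parse_natrules(NATRULES_EXPORT)).items():
        print(field, info)
```

Run against the posted data it reports the destination 10.60.1.3 as rule 4.2 in original form (the host translation was undone on the way in, as expected) and the source 172.22.1.2 as rule 4.8 still in original form, i.e. the inbound translation to 10.61.x never happened, which is exactly what the deny in the log shows.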
03-09-2007 08:32 AM
Christoph,
Section 1:
Inbound NAT on the concentrator for LAN-to-LAN tunnels is not possible.
Section 2:
Having said that, if you are getting a packet on the tunnel from the remote network, let's say 172.18.124.x, to the network 10.10.10.x on the internal side of the concentrator, and you want the 172.18.124.x network to be translated to 20.20.20.x by the concentrator, it is not going to happen.
Packets reaching the concentrator should already be translated by the time they hit the encryption-domain processing.
Section 3:
I see you have a PIX firewall on the remote side. In my example that would be the 172.18.124.x network. You can translate that network to 20.20.20.x on the PIX firewall itself, before it goes through the encryption process.
E.g.:
Internal segment on the PIX: 172.18.124.x
If traffic is going to the 10.10.10.x network, translate it to the 20.20.20.x network:
access-l 100 per ip 172.18.124.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 20.20.20.0 access-list 100 netmask 255.255.255.0
Your encryption ACL on the PIX should be:
access-l 101 per ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
Section 4:
If they can't do that on the PIX, then there is no way you can get it to work on the concentrator, because of the answer provided in Section 1.
Hope this helps
Cheers
Gilbert
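The order of operations Gilbert relies on (policy NAT on the PIX first, crypto-map evaluation second, so the crypto ACL must name the translated network) is easy to get wrong. The following is an added model of that sequence written for this thread, not Cisco code and not from any poster; it encodes access-list 100, the policy static to 20.20.20.0/24 and crypto ACL 101 from the post as constructed Python data, translates a packet host-for-host the way `static (inside,outside) <global> access-list <n>` does, and then checks whether the translated packet still matches the encryption ACL. The function names and the sample packets are my own.

```python
import ipaddress


def net(text):
    """'172.18.124.0 255.255.255.0' -> IPv4Network, the PIX address/mask notation."""
    ip, mask = text.split()
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


# Constructed from the post: access-l 100 per ip 172.18.124.0/24 10.10.10.0/24 (policy-NAT match)
ACL_100 = [(net("172.18.124.0 255.255.255.0"), net("10.10.10.0 255.255.255.0"))]
# static (inside,outside) 20.20.20.0 access-list 100 netmask 255.255.255.0
STATIC_GLOBAL = net("20.20.20.0 255.255.255.0")
# access-l 101 per ip 20.20.20.0/24 10.10.10.0/24 (crypto ACL, written for the translated net)
ACL_101 = [(net("20.20.20.0 255.255.255.0"), net("10.10.10.0 255.255.255.0"))]
# The common mistake: a crypto ACL still written for the real, untranslated network.
ACL_101_WRONG = [(net("172.18.124.0 255.255.255.0"), net("10.10.10.0 255.255.255.0"))]


def acl_permits(acl, src, dst):
    """True if any (source net, destination net) pair in the ACL covers the packet."""
    return any(src in s and dst in d for s, d in acl)


def policy_static_nat(src, dst, match_acl=ACL_100, global_net=STATIC_GLOBAL):
    """Model of a policy static: when the packet matches the ACL, map the source
    host-for-host into the global network (same host offset); otherwise leave it."""
    for real_net, dst_net in match_acl:
        if src in real_net and dst in dst_net:
            offset = int(src) - int(real_net.network_address)
            return ipaddress.ip_address(int(global_net.network_address) + offset)
    return src


def pix_outbound(src, dst, crypto_acl=ACL_101):
    """PIX order of operations for an outbound packet: NAT is applied first, and the
    crypto map is evaluated against the *translated* addresses."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inner_src = policy_static_nat(src, dst)
    return {
        "inner_src": str(inner_src),          # source address inside the IPsec tunnel
        "dst": str(dst),
        "encrypted": acl_permits(crypto_acl, inner_src, dst),
    }


if __name__ == "__main__":
    # Constructed sample packets.
    print(pix_outbound("172.18.124.7", "10.10.10.5"))                      # translated + encrypted
    print(pix_outbound("172.18.124.7", "10.10.11.5"))                      # no policy match: untouched, not encrypted
    print(pix_outbound("172.18.124.7", "10.10.10.5", crypto_acl=ACL_101_WRONG))  # NAT ok, but never encrypted
```

The third sample shows why the crypto ACL has to name 20.20.20.0/24: after the policy static runs, the packet's source is already 20.20.20.7, so an ACL that still lists 172.18.124.0/24 never matches and the traffic goes out in the clear or is dropped. The same reasoning applies on the far side, where the concentrator's definition of the remote network has to be the translated 20.20.20.0/24 as well; that part is standard IPsec behaviour rather than something the post states.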
03-10-2007 02:16 AM
Hi Gilbert,
Section 1 is what I wanted to know, thanks for that information!
It's in conflict with the TAC case ... but maybe it's a wrong description: K31070531
To configure inbound NAT on the Cisco VPN 3000 Concentrator
Solution
NAT on the PIX at the remote side is not wanted. What I want to try in the next step is to do outbound NAT on the concentrator and the inbound NAT on the internal firewall.
Thanks for your help
Christoph
03-12-2007 07:30 AM
Christoph -
Good luck on your next adventure. :)
Rate the post if it helped.
Gilbert