cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1457
Views
20
Helpful
18
Replies

VPN access-list, tranlation issue

richmorrow624
Level 1
Level 1

I have this scenario with a PIX 525 6.3, this supposedly worked at one time:

I have a device on the inside network that needs to access a remote site network through a VPN tunnel.

Inside network device is 10.11.150.1, needs to access remote device 10.79.15.3.

The remote side is supposed to see my device as a 10.91.6.1 address, I am supposed to see his 10.79.15.3 as my destination.

The tunnel never attempts to come up, none of the access-lists show any hits at all, is there something missing?

It seems like a routing issue or access-list problem, all routes are correct, the firewall can ping my device on this end, but the access-lists never get hits.

crypto map p 30 ipsec-isakmp

crypto map p 30 match address Translate

crypto map p 30 set peer 1.23.45.67

crypto map p 30 set transform-set 3dessha

static (inside,outside) 10.91.6.1 access-list translation 0 0

access-list Translation permit ip host 10.11.150.1 10.79.8.0 255.255.248.0

access-list Translate permit ip 10.91.6.0 255.255.255.240 10.79.8.0 255.255.248.0

18 Replies 18

rico_hao40
Level 1
Level 1

what's the inside and outside IP of the vpn box (pix), and what's the private subnets of both side?

Based on your configuration the vpn works like" if source from 10.91.6.0 subnet want to visit destination 10.79.8.0 goes to vpn tunnel. then your side pix will connect peer 1.23.45.67 to initial ipsec tunnel"

Thanks for the reply,

That is correct:

My source private inside address is:

10.11.150.1

Which is translated to 10.91.6.1 in the PIX on my end.

Which will establish a connection to his inside address:

10.79.15.3, he will see 10.91.6.1 as his destination endpoint for data.

My PIX has 1.23.45.67 as the peer (his end) for VPN tunnel.

The thing is, I do not see any of the translation or encryption access-lists getting hits on my end.

I can ping my source station (10.11.150.1)from the inside interface of the PIX.

Debugs show no attempt to build up the tunnel.

It kind of looks like a routing issue, or the access-lists on my end are not built right.

Unless, the access-lists will not show hits if his peer is not reachable.

is that possible? it seems even if the peer didn't exist at all, I would still se the tunnel attempt to build up.

Richard,

Can you please post your configuration (taking out sensitive information).

Thanks,,

The below should work for you, (policy NAT) basically when you initiate traffic from host 10.11.50.x IP it will be NATed (NAT happens before encryption) to global IP 10.91.6.1 (this is the IP that your customer will see as your LAN address). The crypto ACL will be triggered when it needs to send traffic to your peer LAN address of 10.79.8.x (your source address will be 10.91.6.1).

After you have made the below modification, issue: save wr m and also issue:

clear xlate

clear isakmp sa

clear ipsec sa

Note - the rest of your internal IP addresses will be NATed to global IP address (111.222.333.444) for normal outbound translation.

------------------------

access-list nat_to_customer permit ip host 10.11.50.x 10.79.8.0 255.255.248.0

access-list crypto_map_customer permit ip host 10.91.6.1 10.79.8.0 255.255.248.0

ip address outside 111.222.333.444 255.255.255.x

ip address inside 10.11.50.1 255.255.255.0

global (outside) 2 10.91.6.1

global (outside) 1 interface

nat (inside) 2 access-list nat_to_customer

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set test1 esp-3des esp-md5-hmac

crypto map testmap 1 ipsec-isakmp

crypto map testmap 1 match address crypto_map_customer

crypto map testmap 1 set peer 1.23.45.67

crypto map testmap 1 set transform-set test1

crypto map testmap 1 interface outside

isakmp enable outside

isakmp key address 1.23.45.67 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 3600

-----------------------

Hope this helps and if it does please rate posts!!

Thanks for the reply,

Looking at your config post, it looks like maybe a NAT and Global addition is needed.

This is all there is relating to that tunnel:

crypto map p 30 ipsec-isakmp

crypto map p 30 match address diebold

crypto map p 30 set peer 65.196.80.7

crypto map p 30 set transform-set 3dessha

crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac

static (inside,outside) 10.91.6.1 access-list dieboldtranslation 0 0

access-list dieboldtranslation2 permit ip host 10.11.150.1 10.79.8.0 255.255.248.0

and you config shows:

global (outside) 2 10.91.6.1

global (outside) 1 interface

nat (inside) 2 access-list nat_to_customer

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

This is all I have currently:

global (outside) 1 interface

global (inside) 3 172.32.16.1

global (B) 1 192.168.1.254

global (C) 1 192.168.100.1

global (ftp) 1 10.1.40.249

nat (outside) 0 access-list nonatoutside outside

nat (outside) 3 access-list xxx outside 0 0

nat (inside) 0 access-list NO_NAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Are there supposed to be Global and associated NAT for each static translation?

Basically I think your configuration is good. Please make sure the

access-list NO_NAT ("nat (inside) 0 access-list NO_NAT")

does not include the subnet "10.11.150.0". otherwise your static NAT would not work because the "nat 0" is higher order than static NAT.

Thanks for the information?

Can you explain the NAT and Global relationship and how you cam about the "higher order" comment?

What about me not seeing the access-lists on my end getting matched?

Shouldn't I have seen that? if the routing is correct?

Cisco firewall matches local traffic to NAT commands in the following order:

1. 1. NAT exemption (nat 0 access-list)?In order, until the first match.

2. Static NAT and Static PAT (regular and policy) (static)?In order, until the first match.

3. Policy dynamic NAT (nat access-list)?In order, until the first match.

4. Regular dynamic NAT (nat)?Best match

In your case the outgoing traffic order is:

NAT 0-->static (inside,outside)-->nat (inside) 1 and will use the first match one.

I am not very sure the reason why hit==0, but i guess cisco firewall only consider the ACL applied on interface as real hit !!

hey man, I appreciate you posts,

I just found this in the firewall log:

106011: Deny inbound (No xlate) tcp src inside:10.11.150.1/1673 dst inside:10.79.15.3/5202

here is my NO_NAT:

access-list NO_NAT permit ip host 10.1.10.25 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.10.24 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.74.1 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.40.97 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.40.99 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.40.113 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.40.108 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.40.1 host 12.8.22.233

access-list NO_NAT permit ip host 192.168.207.3 host 192.168.204.8

access-list NO_NAT permit ip host 172.16.250.4 host 192.168.204.8

access-list NO_NAT permit ip 10.1.40.0 255.255.255.0 170.209.0.2 255.255.255.254

access-list NO_NAT permit ip 10.250.10.0 255.255.255.0 172.20.3.0 255.255.255.0

access-list NO_NAT permit ip 172.16.254.0 255.255.255.0 172.20.3.0 255.255.255.0

access-list NO_NAT permit ip 10.1.80.0 255.255.255.0 172.20.3.0 255.255.255.0

access-list NO_NAT permit ip 10.250.70.0 255.255.255.0 172.20.3.0 255.255.255.0

access-list NO_NAT permit ip 10.250.10.0 255.255.255.0 host 207.30.150.254

access-list NO_NAT permit ip 172.16.254.0 255.255.255.0 host 207.30.150.254

access-list NO_NAT permit ip 10.1.80.0 255.255.255.0 host 207.30.150.254

access-list NO_NAT permit ip 10.250.70.0 255.255.255.0 host 207.30.150.254

access-list NO_NAT permit ip any 10.1.0.0 255.255.255.0

access-list NO_NAT permit ip 10.0.0.0 255.0.0.0 10.30.0.0 255.255.0.0

access-list NO_NAT deny ip 10.0.0.0 255.0.0.0 host 10.253.96.48

access-list NO_NAT permit ip any 10.0.0.0 255.0.0.0

access-list NO_NAT permit ip any 172.16.254.0 255.255.255.0

access-list NO_NAT permit ip any 172.16.0.0 255.240.0.0

access-list NO_NAT permit ip any 192.168.201.0 255.255.255.0

access-list NO_NAT permit ip any 192.168.204.0 255.255.255.0

Is there a line needed?

if so, can I fix it by adding one line, or do I need to redo the entire list?

looks like the source and destination are on the same side of one firewall interface !! PIX can not work like this, the outgoing packet must take a different interface! otherwise you will see the log "Deny inbound (No xlate) tcp src inside:10.11.150.1/1673 dst inside:10.79.15.3/5202 "

it's nothing about the configuration, the vpn design is wrong.

If later you change the design, please modify

'

access-list NO_NAT permit ip any 10.0.0.0 255.0.0.0 " that mean source IP begin with 10 take NO_NAT, this including your vpn source IP

Thanks rico,

Suppose I did want to put an access-list addition in the NO_NAT access-list, is there any way to put in at the top of the list rather than the bottom?

If I just make an addition, it will go to the bottom of the list, I want to add it in a specific order, can I do that?

Yes you can. After you do a show access-list, you will not the line number where you want to place the addition. For example- access-list 101 line 13 ....

Hope this helps.

Can you show me how I would enter the line?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: