PIX VPN access-list translation

richmorrow624
Level 1

I have a PIX 6.3 that I am trying to establish a tunnel to a remote site.

I am getting the following error:

106011: Deny inbound (No xlate) tcp src inside:10.11.150.1/1673 dst inside:10.79.15.3/5202

A couple of questions about the config pieces below:

Shouldn't there be a NAT 0 statement for the global 0 statements?

Shouldn't the route outside prevent the traffic from trying to re-enter the inside interface?

access-list translation2 permit ip host 10.11.150.1 10.79.8.0 255.255.248.0

route outside 10.79.8.0 255.255.248.0 24.68.101.214 1

access-list die permit ip 10.91.6.0 255.255.255.240 10.79.8.0 255.255.248.0

global (outside) 1 interface

global (inside) 3 172.32.255.254

global (B) 1 192.168.201.254

global (C) 1 192.168.203.3

global (ftp) 1 10.1.40.249

nat (outside) 0 access-list nonatoutside outside

nat (outside) 3 access-list p outside 0 0

nat (inside) 0 access-list NO_NAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (B) 1 192.168.201.0 255.255.255.0 0 0

static (inside,outside) 10.91.6.2 access-list translation2 0 0

route inside 172.16.250.4 255.255.255.255 10.1.73.254 1

route inside 172.16.254.0 255.255.255.0 10.1.73.254 1

route inside 192.168.102.0 255.255.255.0 10.1.73.254 1

route inside 192.168.207.0 255.255.255.0 10.1.73.254 1

route outside 10.79.8.0 255.255.248.0 206.113.198.65 1

crypto map p 30 ipsec-isakmp

crypto map p 30 match address die

crypto map p 30 set peer 12.34.56.78

crypto map p 30 set transform-set 3dessha

isakmp enable outside

isakmp enable inside

1 Reply

ggilbert
Cisco Employee

You really don't need a route outside statement for the remote internal network.

You just need a default route statement on the PIX.

Once the PIX has a default route, the route table on the PIX will forward to the next hop and get to the peer IP. The peer will do its job. If you are going to be specific on the routes, then add a route for the remote peer.
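The two questions in the thread (does the destination actually route out the outside interface, and does the traffic match the crypto ACL after the policy static) can be checked offline with a small model of the lookup the PIX performs. The script below is an added example, not part of this thread or any Cisco tool: it loads the routes and access-lists from the original post, does a longest-prefix-match route lookup, applies the `static (inside,outside) ... access-list translation2` translation, and then tests the translated source against crypto ACL `die` on the egress interface. The default route, the next-hop address for it, and the packet-first-wins tie-break between the two `route outside 10.79.8.0` lines are constructed assumptions; the post shows no default route, which is what the reply suggests adding.

```python
import ipaddress

# Routing table taken from the post, in the order listed (metrics are all 1 and
# are ignored). The last entry is a CONSTRUCTED default route with a placeholder
# next hop; the original post does not show one.
ROUTES = [
    ("outside", "10.79.8.0/21", "24.68.101.214"),
    ("inside", "172.16.250.4/32", "10.1.73.254"),
    ("inside", "172.16.254.0/24", "10.1.73.254"),
    ("inside", "192.168.102.0/24", "10.1.73.254"),
    ("inside", "192.168.207.0/24", "10.1.73.254"),
    ("outside", "10.79.8.0/21", "206.113.198.65"),   # second entry for the same prefix, as posted
    ("outside", "0.0.0.0/0", "203.0.113.1"),           # constructed default route
]

# Access-lists from the post as (source, destination) pairs.
CRYPTO_ACL_DIE = [("10.91.6.0/28", "10.79.8.0/21")]
ACL_TRANSLATION2 = [("10.11.150.1/32", "10.79.8.0/21")]
STATIC_GLOBAL = "10.91.6.2"   # static (inside,outside) 10.91.6.2 access-list translation2


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match. On equal prefix length the first listed route wins
    (an assumption of this model). Returns (interface, next_hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, next_hop)
    return None if best is None else (best[1], best[2])


def acl_matches(acl, src, dst):
    """True if any (src-net, dst-net) entry of the ACL covers the pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)


def without_default(routes=ROUTES):
    """The posted table as it stands, i.e. with the constructed default route removed."""
    return [r for r in routes if r[1] != "0.0.0.0/0"]


def classify(src, dst, routes=ROUTES):
    """Model the outbound path: route lookup, policy static NAT, then the crypto
    ACL on the egress interface. The crypto ACL is checked against the translated
    source, which is how the post's config is written (ACL die uses 10.91.6.0/28)."""
    route = lookup_route(dst, routes)
    if route is None:
        return {"egress": None, "next_hop": None, "src": src, "interesting": False}
    iface, next_hop = route
    translated = STATIC_GLOBAL if acl_matches(ACL_TRANSLATION2, src, dst) else src
    interesting = iface == "outside" and acl_matches(CRYPTO_ACL_DIE, translated, dst)
    return {"egress": iface, "next_hop": next_hop, "src": translated,
            "interesting": interesting}


if __name__ == "__main__":
    # The flow from the syslog line in the post.
    print(classify("10.11.150.1", "10.79.15.3"))
    # Same destination from a host that translation2 does not cover.
    print(classify("10.11.150.2", "10.79.15.3"))
    # The VPN peer itself: reachable only through the default route.
    print(lookup_route("12.34.56.78"), lookup_route("12.34.56.78", without_default()))
```

Run it as is to see that 10.79.15.3 leaves via the outside interface with or without the default route, that the source is rewritten to 10.91.6.2 before crypto ACL `die` is consulted, and that the peer address 12.34.56.78 has no route at all until a default route is present, which is the point the reply makes.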