pix vpn public dmz

durale1789
Level 1

Hi,

I'd like to establish a VPN from a PIX 515 firewall, OS version 7.0(5), with a public DMZ and NAT translation.

inside: 10.5.10.0/24

outside: 1.1.1.1/27 (public range)

dmz: 2.2.2.2/27 (public range)

remote inside network: 192.168.20.0/24

So my encryption domain must be : 2.2.2.3/32 -- 192.168.20.0/24

and I've got a NAT rule which is:

nat (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

so basically I want to translate the connections coming from 2.2.2.3 to 10.5.10.28.

The VPN is set up correctly and established on both sides, but the NAT rule doesn't work with the VPN.

Built inbound TCP connection 4619 for outside:192.168.20.82/34237 (192.168.20.82/34237) to dmz:2.2.2.3/22 (2.2.2.3/22)

but I can't see any traffic on the server 10.5.10.28; I should see instead:

Built inbound TCP connection 4619 for outside:192.168.20.82/34237 (192.168.20.82/34237) to dmz:10.5.10.28/22 (10.5.10.28/22)

Any help would be great!

Regards,

durale


acomiskey
Level 10

Could you look through your post again. You have 10.5 as being inside above and then you have 10.5 being your dmz subnet.

"inside: 10.5.10.0/24"

"Built inbound TCP connection 4619 for outside:192.168.20.82/34237 (192.168.20.82/34237) to dmz:10.5.10.28/22(10.5.10.28/22)"

Well, probably you didn't understand my issue!!

It should be something like:

Built inbound TCP connection 4619 for outside:192.168.20.82/34237 (192.168.20.82/34237) to dmz:194.42.124.40/22(10.5.10.28/22)

The most important thing to understand is that there is no translation between 194.42.124.40 and 10.5.10.28 when I request a connection through the VPN (the NAT rule doesn't work through the VPN).

Hope it helps,

Regards,

durale

I understood fine.

Jon Marshall
Hall of Fame (accepted solution)

Hi Durale

Could you just clarify the line

nat (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

should it read

static (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

Also, are you terminating the VPN on the outside interface of your firewall, ie what is the peer IP address for your end?

Could you not try

static (inside,outside) 2.2.2.2 10.5.10.28 netmask 255.255.255.255

** Edit - I meant

static (inside,outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255 **

You don't actually need the traffic to go to the DMZ, do you?

Alternatively, do you have any spare IP addresses available in the public subnet on your outside interface?

HTH

Jon

OK, so sorry, I meant static instead of nat.

I need the traffic to be translated from 2.2.2.3 to 10.5.10.28 (inside).

I don't want to use a spare outside IP address because I want to use one from the DMZ subnet.

Does this command make sense, because I want to use dmz and not outside? 2.2.2.3 is from the DMZ subnet and not outside.

static (inside,outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

durale


Thank you very much, it works fine now. I just replaced

static (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

with

static (inside,outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

So now it works, but it doesn't sound logical!!

Why do I need to specify outside instead of dmz, because 2.2.2.3 is from the dmz interface and not outside? What's the logic?

Regards,

Alexandre

Hi Alexandre

I believe you are terminating the VPN on the outside interface of your firewall.

Your 2.2.2.3 is just a logical address, ie it doesn't correspond to a physical server, so traffic does not actually need to go to the DMZ. It actually just needs to go from the outside to the inside.

So once the traffic is decrypted the pix then sees that traffic destined for 2.2.2.3 should be natted to 10.5.10.28. Only after it has been natted does the pix then route the packet.

Hope this makes sense.

Jon
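The explanation above, pulled together as an added worked example (not configuration from the original post or from either participant): a PIX 7.0(5) fragment in which the static translation is bound to the outside interface, the crypto ACL names the translated address, and an inbound rule admits only the port seen in the syslog. The peer address 203.0.113.1, the ACL, transform-set and crypto-map names are assumptions; the NAT-exemption comment reflects the precedence caveat Adam and Jon discuss later in the thread.

```cisco
! Added example for PIX OS 7.0(5). Assumed names: VPN_TRAFFIC, OUTSIDE_IN,
! ESP-3DES-SHA, outside_map; 203.0.113.1 is a placeholder for the remote peer.
! IKE policy and the tunnel-group for the peer are omitted: the thread states
! the tunnel is already established.

! 1. Present inside host 10.5.10.28 to the tunnel as 2.2.2.3. The address comes
!    from the DMZ range but is purely logical; the tunnel terminates on outside,
!    so the translation pairs inside with outside, not inside with dmz.
static (inside,outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

! 2. Encryption domain, written with the translated address. Outbound, the PIX
!    applies NAT before matching the crypto map; inbound, it decrypts, then
!    untranslates 2.2.2.3 -> 10.5.10.28, and only then routes.
access-list VPN_TRAFFIC extended permit ip host 2.2.2.3 192.168.20.0 255.255.255.0

! 3. Inbound filter on outside. In 7.x the ACL is matched against the mapped
!    address; only the port that appears in the syslog (22) is opened.
access-list OUTSIDE_IN extended permit tcp 192.168.20.0 255.255.255.0 host 2.2.2.3 eq 22
access-group OUTSIDE_IN in interface outside

! 4. Site-to-site IPsec bound to the outside interface.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address VPN_TRAFFIC
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! Caveat: NAT exemption (nat 0 access-list) is evaluated before static. An
! exemption ACL covering 10.5.10.28 -> 192.168.20.0/24 would carry the server's
! return traffic untranslated, so the 2.2.2.3 flow would never complete. Keep
! 10.5.10.28 out of any nat 0 ACL used for this tunnel.

! Checks once the tunnel is up:
!   show xlate | include 2.2.2.3   -> a Global 2.2.2.3 / Local 10.5.10.28 entry
!   show crypto ipsec sa           -> encaps/decaps counters rising for 2.2.2.3/32
```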

Jon,

Would this work if you had nat exemption set up for the vpn? For example if he had...

access-list nat0 extended permit ip 10.5.0.0 255.255.0.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list nat0

thanks

Hi Adam

You are very knowledgeable on firewalls, so if I have misunderstood the question please let me know.

Not really in this case, no. The problem is that he is not trying to present the internal server on its actual IP address.

If the other end of the VPN could route directly to 10.5.10.28 then yes, it would be fine, but they might have an IP address conflict at their end that requires the IP address to be presented as a public IP.

There are some large companies I have dealt with that insist that they will only route to public IP addresses, even down a VPN.

Jon

I must have gotten thrown off a bit here. It seemed to me like he was attempting to access the server's public IP over the VPN, my mistake.

What made me ask the question is I was attempting to get that working myself. For example, I have a VPN tunnel to a remote PIX. All traffic from the remote site goes over the tunnel to the main site ASA. I have a static in my ASA at my main site for a webserver, let's say.

static (dmz,outside) 1.1.1.1 192.168.1.1

Now, users at the remote site must access the server with 192.168.1.1; if they try 1.1.1.1 it doesn't work. I assumed it doesn't work because of the NAT exemption from 192.x.x.x to the remote site. Any ideas? Please enlighten me about this.. thanks.

So, as I was reading through this thread it seemed like this is what was going on, but I misunderstood.

The reason I would like them to use the public address is I would like them to use a CSS for their dns server which gives public addresses.

Adam

He is attempting to access the server on a public IP address down the VPN, as far as I can tell.

It does work, as we have used this many times where I work. I suspect you may be on the right lines about the NAT exemption. Can I ask why you are doing NAT exemption if you want them to access the server on its public IP?

You could always look at policy NAT just for the connection to that one public IP and then NAT exempt everything else, but without knowing the full details this might not be the right solution.

Jon

"Can I ask why you are doing NAT exemption if you want them to access the server on its public IP?"

Well, I guess that's a good question, isn't it, haha. I just got these CSSs, so the remote networks were always using an inside DNS server here supplying private addresses.

I will get rid of the exemption and give it a shot. I guess it boils down to this, they will be able to access by public or private and not by both at the same time right?

I was also thinking about doing dns doctoring but I was trying to figure out if you can make that work based upon the source address of the request.

I also thought about doing destination nat at the remote firewalls, but from a management standpoint that seems a little involved and more difficult to maintain.

Thanks, Jon, for the good conversation.

Yup, that did it. Thanks again, Jon.
