05-10-2007 02:45 AM
Hi,
I'd like to establish a VPN from a PIX 515 firewall running OS version
7.0(5) with a public DMZ and NAT translation.
inside: 10.5.10.0/24
outside: 1.1.1.1/27 (public range)
dmz: 2.2.2.2/27 (public range)
remote inside network: 192.168.20.0/24
So my encryption domain must be: 2.2.2.3/32 -- 192.168.20.0/24
and I've got a NAT rule which is:
nat (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255
so basically I want to translate the connections coming to 2.2.2.3 to
10.5.10.28.
The VPN is set up correctly and established on both sides, but the NAT rule
doesn't work with the VPN.
Built inbound TCP connection 4619 for outside:192.168.20.82/34237
(192.168.20.82/34237) to dmz:2.2.2.3/22 (2.2.2.3/22)
but I can't see any traffic on the server 10.5.10.28; I should see instead:
Built inbound TCP connection 4619 for outside:192.168.20.82/34237
(192.168.20.82/34237) to dmz:10.5.10.28/22(10.5.10.28/22)
Any help would be great!
Regards,
durale
05-10-2007 05:48 AM
Hi Durale
Could you just clarify the line
nat (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255
should it read
static (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255
Also, are you terminating the VPN on the outside interface of your firewall, i.e. what is the peer IP address for your end?
Could you not try
static (inside,outside) 2.2.2.2 10.5.10.28 netmask 255.255.255.255
** Edit - I meant
static (inside,outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255 **
You don't actually need the traffic to go to the DMZ, do you?
Alternatively, do you have any spare IP addresses available in the public subnet on your outside interface?
HTH
Jon
05-10-2007 05:23 AM
Could you look through your post again. You have 10.5 as being inside above and then you have 10.5 being your dmz subnet.
"inside: 10.5.10.0/24"
"Built inbound TCP connection 4619 for outside:192.168.20.82/34237
(192.168.20.82/34237) to dmz:10.5.10.28/22(10.5.10.28/22)"
05-10-2007 05:35 AM
Well, probably you didn't understand my issue!!
It should be something like:
Built inbound TCP connection 4619 for outside:192.168.20.82/34237
(192.168.20.82/34237) to dmz:194.42.124.40/22(10.5.10.28/22)
The most important thing to understand is that there is no translation between 194.42.124.40 and 10.5.10.28 when I request a connection through the VPN (the NAT rule doesn't work through the VPN).
Hope it helps,
Regards,
durale
05-10-2007 05:47 AM
I understood fine.
05-10-2007 05:56 AM
OK, so sorry, I meant static instead of nat.
I need the traffic to be translated from 2.2.2.3 to 10.5.10.28 (inside).
I don't want to use a spare outside IP address because I want to use one from the DMZ subnet.
Does this command make sense, because I want to use dmz and not outside? 2.2.2.3 is from the DMZ subnet and not outside.
static (inside,outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255
durale
05-10-2007 06:12 AM
Thank you very much, it works fine now. I just replaced
static (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255
with
static (inside,outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255
So now it works, but it doesn't sound logical!!
Why do I need to specify outside instead of dmz, because 2.2.2.3 is from the DMZ interface and not outside? What's the logic?
Regards,
Alexandre
05-10-2007 06:24 AM
Hi Alexandre
I believe you are terminating the VPN on the outside interface of your firewall.
Your 2.2.2.3 is just a logical address, i.e. it doesn't correspond to a physical server, so traffic does not actually need to go to the DMZ. It actually just needs to go from the outside to the inside.
So once the traffic is decrypted, the PIX then sees that traffic destined for 2.2.2.3 should be NATted to 10.5.10.28. Only after it has been NATted does the PIX then route the packet.
Hope this makes sense.
Jon
05-10-2007 06:53 AM
Jon,
Would this work if you had nat exemption set up for the vpn? For example if he had...
access-list nat0 extended permit ip 10.5.0.0 255.255.0.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nat0
thanks
05-10-2007 10:48 AM
Hi Adam
You are very knowledgeable on firewalls, so if I have misunderstood the question please let me know.
Not really in this case, no. The problem is that he is not trying to present the internal server on its actual IP address.
If the other end of the VPN could route directly to 10.5.10.28 then yes, it would be fine, but they might have an IP address conflict at their end that requires the IP address to be presented as a public IP.
There are some large companies I have dealt with that insist that they will only route to public IP addresses, even down a VPN.
Jon
05-10-2007 10:59 AM
I must have gotten thrown off a bit here. It seemed to me like he was attempting to access the server's public IP over the VPN, my mistake.
What made me ask the question is I was attempting to get that working myself. For example, I have a VPN tunnel to a remote PIX. All traffic from the remote site goes over the tunnel to the main site ASA. I have a static in my ASA at my main site for a webserver, let's say.
static (dmz,outside) 1.1.1.1 192.168.1.1
Now, users at the remote site must access the server with 192.168.1.1; if they try 1.1.1.1 it doesn't work. I assumed it doesn't work because of the NAT exemption from 192.x.x.x to the remote site. Any ideas? Please enlighten me about this, thanks.
So, as I was reading through this thread it seemed like this is what was going on, but I misunderstood.
The reason I would like them to use the public address is I would like them to use a CSS for their dns server which gives public addresses.
05-10-2007 11:07 AM
Adam
He is attempting to access the server on a public IP address down the VPN, as far as I can tell.
It does work, as we have used this many times where I work. I suspect you may be on the right lines about the NAT exemption. Can I ask why you are doing NAT exemption if you want them to access the server on its public IP?
You could always look at policy NAT just for the connection to that one public IP and then NAT exempt everything else, but without knowing the full details this might not be the right solution.
Jon
05-10-2007 11:18 AM
"Can I ask why you are doing NAT exemption if you want them to access the server on its public IP?"
Well, I guess that's a good question, isn't it, haha. I just got these CSSs, so the remote networks were always using an inside DNS server here supplying private addresses.
I will get rid of the exemption and give it a shot. I guess it boils down to this: they will be able to access by public or private and not by both at the same time, right?
I was also thinking about doing DNS doctoring, but I was trying to figure out if you can make that work based upon the source address of the request.
I also thought about doing destination NAT at the remote firewalls, but from a management standpoint that seems a little involved and more difficult to maintain.
Thanks Jon for the good conversation.
05-10-2007 12:23 PM
Yup, that did it, thanks again Jon.
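A simplified model of the two points raised in this thread, added here as an illustration rather than anything from the posters or from Cisco: Jon's explanation that a static is keyed by its interface pair, so decrypted traffic arriving on outside only matches static (inside,outside), and the NAT exemption case Adam hit, where exemption (checked before statics in the documented PIX/ASA 7.x NAT order, an assumption stated here) sends the reply out with the real source address. Addresses come from the thread; the 10.5.0.0/16 exemption ACL is Adam's hypothetical one.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet is seen on, after any decryption
    src: str
    dst: str

# static (real_ifc,mapped_ifc) mapped_ip real_ip, keyed by the interface pair.
STATIC_WORKING = {("inside", "outside"): {"2.2.2.3": "10.5.10.28"}}
STATIC_ORIGINAL = {("inside", "dmz"): {"2.2.2.3": "10.5.10.28"}}
# Adam's hypothetical nat0 exemption: (real networks, remote VPN networks).
NAT0 = [(ipaddress.ip_network("10.5.0.0/16"), ipaddress.ip_network("192.168.20.0/24"))]

def inbound_untranslate(pkt, statics):
    """Packet arriving on a mapped interface: only statics whose mapped
    interface is the ingress interface are consulted, so static (inside,dmz)
    never sees a packet decrypted on outside. Returns (real_ifc, real_dst)."""
    for (real_ifc, mapped_ifc), table in statics.items():
        if mapped_ifc == pkt.ingress and pkt.dst in table:
            return real_ifc, table[pkt.dst]
    return None, pkt.dst

def outbound_translate(pkt, egress, statics, nat0=()):
    """Reply leaving toward the mapped interface. Exemption is checked before
    statics (assumed order), so an exempt flow keeps its real source."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if any(s in real and d in remote for real, remote in nat0):
        return pkt.src
    for (real_ifc, mapped_ifc), table in statics.items():
        if real_ifc == pkt.ingress and mapped_ifc == egress:
            for mapped_ip, real_ip in table.items():
                if real_ip == pkt.src:
                    return mapped_ip
    return pkt.src

def flow_is_symmetric(statics, nat0=()):
    """Does a VPN client hitting the mapped IP get its reply from that IP?"""
    req = Packet("outside", "192.168.20.82", "2.2.2.3")
    real_ifc, real_dst = inbound_untranslate(req, statics)
    if real_ifc is None:
        return False  # no translation matched: the server never sees the SYN
    reply = Packet(real_ifc, real_dst, req.src)
    return outbound_translate(reply, "outside", statics, nat0) == req.dst
```

Running flow_is_symmetric on STATIC_ORIGINAL, STATIC_WORKING and STATIC_WORKING with NAT0 reproduces the three outcomes in the thread: no translation, working, and broken by the exemption.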