06-08-2007 07:16 AM - edited 02-21-2020 03:05 PM
Hi,
I recently set up a site-to-site VPN between a PIX 515 running 6.3(5) and a Juniper NetScreen. The tunnel was configured to only allow communication between two hosts, one on each end of the tunnel. Then the client wanted to move the host behind the PIX to their DMZ. We made the appropriate changes to the nat 0 and match address list ACLs, but now it stopped working.
When I do a sh crypto ipsec sa, I get decaps and decrypt packets, but no encaps and encrypt packets. A sh isakmp sa shows an active tunnel between the two endpoints.
I'm not sure where to look from here. Haven't found anything on google.
Here's the current output from sh crypto ipsec sa:
local ident (addr/mask/prot/port): (192.168.210.50/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.1.0.36/255.255.255.255/0/0)
current_peer: a.b.c.d:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 38, #pkts decrypt: 5741, #pkts verify 5741
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 5703
local crypto endpt.: z.y.x.w, remote crypto endpt.: a.b.c.d
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Thanks!
-Jeff
06-08-2007 07:29 AM
You did the nat exemption like this, right?
nat (dmz) 0 access-list ...
06-08-2007 07:32 AM
No, I did not. Right now the nat statements are:
SMIC-PIX# sh ru | g nat
nat (inside) 0 access-list NoNatToDmz
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 206.201.139.0 255.255.255.0 0 0
nat (smicdmz) 1 192.168.210.0 255.255.255.0 0 0
SMIC-PIX#
Can I have two nat 0 statements?
06-08-2007 07:37 AM
The traffic which is to be exempt from nat is coming from the dmz, right, not the inside?
So the nat (inside) 0 statement wouldn't do anything for your dmz vpn traffic. Yes you can have 2 nat 0 statements.
nat (smicdmz) 0 access-list dmz_to_vpn
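The one-way counter pattern above (decaps climbing, encaps stuck at 0) paired with a nat 0 statement on the wrong interface is easy to spot programmatically. The following triage script is an added example, not code from this thread; it parses the "sh crypto ipsec sa" counters and the "sh run | g nat" lines quoted above (embedded here as constructed samples), works out which interface the local ident address lives on from the dynamic nat statements, and reports whether that interface has a nat 0 exemption.

```python
import ipaddress
import re

# Constructed samples, copied from the counters and nat lines shown in the thread.
IPSEC_SA = """\
local ident (addr/mask/prot/port): (192.168.210.50/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.1.0.36/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 38, #pkts decrypt: 5741, #pkts verify 5741
"""
NAT_CONFIG = """\
nat (inside) 0 access-list NoNatToDmz
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 206.201.139.0 255.255.255.0 0 0
nat (smicdmz) 1 192.168.210.0 255.255.255.0 0 0
"""

NAT_RE = re.compile(
    r"nat \((\S+)\) (\d+) (access-list (\S+)|(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+))")


def parse_counters(sa_text):
    """Return (local_ident_ip, encaps, decaps) from 'show crypto ipsec sa' output."""
    local = re.search(r"local ident .*?\((\d+\.\d+\.\d+\.\d+)/", sa_text).group(1)
    encaps = int(re.search(r"#pkts encaps: (\d+)", sa_text).group(1))
    decaps = int(re.search(r"#pkts decaps: (\d+)", sa_text).group(1))
    return local, encaps, decaps


def parse_nat(nat_text):
    """Return a list of (interface, nat_id, acl_name_or_None, network_or_None)."""
    rules = []
    for line in nat_text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            iface, nat_id, _, acl, addr, mask = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}") if addr else None
            rules.append((iface, int(nat_id), acl, net))
    return rules


def diagnose(sa_text, nat_text):
    """Explain a decaps-only SA in terms of the nat 0 exemption on the source interface."""
    local, encaps, decaps = parse_counters(sa_text)
    if not (decaps > 0 and encaps == 0):
        return "counters are bidirectional; nat exemption is not the issue"
    rules = parse_nat(nat_text)
    # The dynamic nat (id > 0) subnet containing the local ident tells us its interface.
    iface = next((i for i, nid, _, net in rules
                  if nid > 0 and net and ipaddress.ip_address(local) in net), None)
    if iface is None:
        return f"cannot place {local} on an interface from the nat statements"
    if any(nid == 0 and i == iface for i, nid, _, _ in rules):
        return f"nat ({iface}) 0 exists; check that its ACL covers {local}"
    return f"one-way SA: {local} sits on {iface} but there is no nat ({iface}) 0 access-list"
```

Run against the thread's configuration it points at the missing nat (smicdmz) 0 statement; with that line added it instead asks you to verify the ACL contents.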
06-08-2007 07:54 AM
Yup. That was it. Thanks for your help!