Solved: Translation of peer's subnet

longusernamessuck · ‎08-02-2007

My newest VPN peer tells me that he already has reserved the IP addresses we use, so now I need to translate...

How do I get my PIX to pretend my 10.0.0.0/24 subnet is, say, 10.40.40.0/24?

Cisco PIX Firewall Version 6.3(5)

--

Rune

mattiaseriksson · ‎08-02-2007

easiest way is t odo it like this:

! define traffic to be translated

access-list NAT-west permit ip 10.0.0.0 255.255.255.0 192.168.140.0 255.255.255.192

! A pool of addresses to use

global (outside) 9 192.168.140.1-192.168.140.254

! policy nat statement

nat (inside) 9 access-list NAT-west

! remove nat exemption

no nat (inside) 0 access-list nonat

clear xlate

View solution in original post

srue · ‎08-02-2007

create a policy nat statement for traffic from your network going to his network.

redo your crypto acl to match against the new nat'ed address space.

The details of the nat will depend on whether or not you need static statements or you can use dynamic nat (nat/global commands)...

longusernamessuck · ‎08-02-2007

I rarely change my PIX configuration, so the little knowledge I have corrodes quickly in the mean time.

Perhaps it is better if I present one of my typical VPN setups:

' permit traffic between our network (10.0) and theirs

access-list VPN-west permit ip 10.0.0.0 255.255.255.0 192.168.140.0 255.255.255.192

' disable NAT

access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.140.0 255.255.255.0

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

crypto map mymap 26 ipsec-isakmp

crypto map mymap 26 match address VPN-west crypto map mymap 26 set peer mypeerGW

crypto map mymap 26 set transform-set 3des

isakmp enable outside

isakmp key ******** address mypeerGW netmask 255.255.255.255

So... My peer then tells me that I cannot use 10.0.0.0/24 on my side. I have to appear to him as 10.40.40.0.

Thus my access-list changes to:

access-list VPN-west permit ip 10.40.40.0 255.255.255.0 192.168.140.0 255.255.255.192

But how do I create the policy nat statement?

mattiaseriksson · ‎08-02-2007

easiest way is t odo it like this:

! define traffic to be translated

access-list NAT-west permit ip 10.0.0.0 255.255.255.0 192.168.140.0 255.255.255.192

! A pool of addresses to use

global (outside) 9 192.168.140.1-192.168.140.254

! policy nat statement

nat (inside) 9 access-list NAT-west

! remove nat exemption

no nat (inside) 0 access-list nonat

clear xlate

longusernamessuck · ‎08-08-2007

Thanks for the excellent help so far guys.

I have tried playing around with this, but I am not confident which numbers go where...

The final configuration is something like the following:

Theirs: 192.168.14.0/24

My network: 10.0.0.0/24

My network translated: 192.168.16.0/24

I want my network to appear NATted as 192.168.16.0. I.e. my peer will not deal with 10.0.0.0 when communicating with me. (he is already peered with someone else with this subnet)

access-list NAT-xxxVPN permit ip 10.0.0.0 255.255.255.0 192.168.14.0 255.255.255.0

global (outside) 9 192.168.16.1-192.168.16.254 netmask 255.255.255.0

nat (inside) 9 access-list NAT-conVPN 0 0

I did not remove "nat (inside) 0" because I have dozens of existing VPN connections that needs to be exempt from NAT.

My VPN connection is now defined as:

access-list xxx line 4 permit ip 192.168.16.0 255.255.255.0 192.168.14.0 255.255.255.0 (hitcnt=6)

! note hitcnt increases when I ping, but I get no reply

crypto map myvpn 12 ipsec-isakmp

crypto map myvpn 12 match address xxx

crypto map myvpn 12 set peer xxx

crypto map myvpn 12 set transform-set 3des

sh isakmp sa shows that the VPN connection itself is established. I don't see much return traffic though.

--

Rune

longusernamessuck · ‎08-08-2007

Ah... I forgot that my peer might have some configuration to do as well... :)

It works now, but am I right in assuming I need to set up a static to map a NATted address to a specific host on the inside, in case my peer needs access to one of my hosts?

mattiaseriksson · ‎08-08-2007

Yes, use the static command with an access-list to specify local and destination addresses. It is known as policy NAT.

longusernamessuck · ‎08-23-2007

Ah, but what is the definition of 'local' and 'destination' addresses with this NATing scheme?

Theirs: 192.168.14.0/24

My network: 10.0.0.0/24

My network translated: 192.168.16.0/24

So... I'd like to let their hosts (192.168.14.0) access my host 10.0.0.25. Preferably natted to, say, 192.168.16.20.

Could someone kindly suggest an access-list and static for this?

Jon Marshall · ‎08-02-2007

Hi

Mattias has covered how to NAT your source IP addresses but it is not quite as simple as that.

If you are both using the 10.0.0.0/24 network then lets say a client in your lan eg. 10.0.0.5 wants to communicate with a client in the partner network eg 10.0.0.8.

Your client will think that the 10.0.0.8 machine is on your local network and will arp out for it. It would never know that 10.0.0.8 was down the VPN tunnel. Indeed if you have a machine with 10.0.0.8 in your local network it will talk to that instead.

It also depends on which way the communications are intiated. If they are initiated both ways then you need to setup static translations for these at your end.

So to keep it simple lets say you always initiate the connection (if this is not the case we can cover that later).

Further lets say you need access to

10.0.0.10, 11, 15 & 27 at the partner site.

Now you can use the NAT that mattias has provided for your clients.

As for the destaintion addresses, you need to present the partner IP addresses as something else to your internal clients.

static (outside,inside) 10.40.40.10 10.0.0.10 netmask 255.255.255.255

static (outside,inside) 10.40.40.11 10.0.0.11 netmask 255.255.255.255

static (outside,inside) 10.40.40.15 10.0.0.15 netmask 255.255.255.255

static (outside,inside) 10.40.40.27 10.0.0.27 netmask 255.255.255.255

Your clients now need to point to the 10.40.40.x addresses when they want to communicate with the remote site.

Hope this makes sense

Jon

** Edit - apologies i didn't read the entire thread. I assumed you needed to talk to 10.0.0.0/24 network at the partner site and having re-read the thread i realise this isn't the case. Please ignore post - very sorry to the OP and to Mattias ***

srue · ‎08-02-2007

It's not that the remote site's local lan is using the same address space...as the OP put it originally...

"he already has reserved the IP addresses we use"...that doesn't *necessarily* mean they are connecting to the same address space.

longusernamessuck · ‎08-02-2007

This is correct. At this point nobody has said we will face similar addresses as our own.

But, with the growing number of VPN connections, I will have to translate sooner or later.

In that case, I fail to see how the static helps, because if two VPN connections both hook up to e.g. 10.30.0.0, how do the static tell them apart?

Jon Marshall · ‎08-02-2007

Hi

static (outside,inside) 10.40.40.10 10.0.0.10 netmask 255.255.255.255

the above is doing destination NAT translation not source NAT translation. So it will work fine.

Jon

Jon Marshall · ‎08-02-2007

Steven

Yep i know, i realised that after posting.

Apologies.

Jon