Problem with VPN using PAT

Unanswered Question
Nov 1st, 2007

Hi all,

I am working on a site-to-site VPN but I can't get it to work properly. My VPN-endpoint is a PIX515 running OS version 6.3(3) (upgrading to 7 is no option because memory is not sufficient) and the other endpoint is a CheckPoint firewall. The company that I have to make the VPN with requires me to use only one IP address as source so all my outgoing traffic has to be NAT'ted to one single address (PAT to IP address 10.1.1.10, see below).

The config looks something like this:

...
object-group network dest-servers
 network-object 172.16.1.10 255.255.255.255
 network-object 172.16.1.11 255.255.255.255
 network-object 172.16.1.12 255.255.255.255
 network-object 172.16.1.13 255.255.255.255
 network-object 172.16.1.14 255.255.255.255
...
access-list 110 permit ip host 10.1.1.10 object-group dest-servers
access-list vpn-nat permit ip 192.168.1.0 255.255.255.0 object-group dest-servers
...
global (outside) 1 10.1.1.10
...
nat (inside) 1 access-list vpn-nat 0 0
...
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
...
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
...
crypto map vpn-tunnel 10 ipsec-isakmp
crypto map vpn-tunnel 10 match address 110
crypto map vpn-tunnel 10 set peer x.x.x.x
crypto map vpn-tunnel 10 set transform-set ESP-3DES-MD5
...
crypto map vpn-tunnel interface outside
...
isakmp enable outside
isakmp key 12345678 address x.x.x.x netmask 255.255.255.255
...
isakmp identity address
isakmp nat-traversal 20
...
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
...

Now when I try to connect from my PC (192.168.1.100) on the inside to one of the destination addresses (for example 172.16.1.10), the tunnel comes up and I see packets going out and returning ('sh ipsec sa'). Also an xlate is created for my inside address to the PAT address 10.1.1.10, and in the logs I see that the PIX is translating the returning VPN traffic with destination address 10.1.1.10 (with the correct port range) back to my inside address 192.168.1.100 (log message 'Building outbound connection for ....'; the 'Building outbound' worried me, but the documentation states that this is because the session was initiated from inside, so it should be right).

Now the problem: return traffic isn't passing the inside interface. So the tunnel is created and looks OK, but when I make, for example, an RDP connection, it times out because the PIX doesn't send traffic to my PC.

Can anyone help me?

Best regards,

Frank
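An added example, not part of Frank's post or of Cisco's PIX software: a small Python walk-through of the order of operations the posted config relies on (policy NAT via nat/global first, then the crypto map ACL matched on the translated source), run over a constructed excerpt of that config. The parser only understands the handful of PIX 6.3 statement forms that appear in the post.

```python
import ipaddress as ip
# Constructed excerpt of the PIX 6.3 config quoted above (object-group, ACLs, PAT, crypto map).
CONFIG = """\
object-group network dest-servers
 network-object 172.16.1.10 255.255.255.255
access-list 110 permit ip host 10.1.1.10 object-group dest-servers
access-list vpn-nat permit ip 192.168.1.0 255.255.255.0 object-group dest-servers
global (outside) 1 10.1.1.10
nat (inside) 1 access-list vpn-nat 0 0
crypto map vpn-tunnel 10 match address 110
"""

def parse(text):
    cfg, group = {"groups": {}, "acls": {}, "globals": {}, "nats": {}, "crypto_acl": None}, None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "object-group":        # object-group network <name>
            group = cfg["groups"].setdefault(t[2], [])
        elif t[0] == "network-object":    # network-object <addr> <mask> (member of current group)
            group.append(ip.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list":       # access-list <name> permit ip <src spec> <dst spec>
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "global":            # global (outside) <nat-id> <pat-address>
            cfg["globals"][t[2]] = ip.ip_address(t[3])
        elif t[0] == "nat":               # nat (inside) <nat-id> access-list <acl> ...
            cfg["nats"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"] and t[4] == "match":
            cfg["crypto_acl"] = t[6]      # crypto map <name> <seq> match address <acl>
    return cfg

def take(tokens, groups):  # consume one PIX address spec -> (networks, remaining tokens)
    if tokens[0] == "object-group": return groups[tokens[1]], tokens[2:]
    if tokens[0] == "host": return [ip.ip_network(tokens[1])], tokens[2:]
    return [ip.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]

def acl_permits(cfg, name, src, dst):  # first-match evaluation of one PIX ACL
    for entry in cfg["acls"][name]:    # entry = [action, proto, <src spec>, <dst spec>]
        srcs, rest = take(entry[2:], cfg["groups"])
        dsts, _ = take(rest, cfg["groups"])
        if any(src in n for n in srcs) and any(dst in n for n in dsts):
            return entry[0] == "permit"
    return False

def trace(cfg, src, dst):
    """Outbound: policy NAT first, then the crypto ACL is matched on the translated source."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    nat_id = next((i for i, acl in cfg["nats"].items() if acl_permits(cfg, acl, src, dst)), None)
    xlate = cfg["globals"].get(nat_id)   # None when no policy-NAT rule matched the flow
    return {"xlate": None if xlate is None else str(xlate),
            "encrypted": xlate is not None and acl_permits(cfg, cfg["crypto_acl"], xlate, dst)}
```

A flow that the nat ACL does not cover is never translated, and an untranslated inside source can never match `access-list 110`, so it leaves in the clear instead of entering the tunnel.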

tstanik Tue, 11/06/2007 - 13:40

Check if you have configured the ACL properly for the traffic through the firewall. Configure the command "access-list inbound permit rdp any host x.x.x.x".

fembsen Fri, 11/09/2007 - 02:49

Thanks for the reply.

I have configured access-lists but that didn't help. Also, in the logs of the PIX I don't see any drops of packets.

Any other ideas?

Regards, Frank
