02-14-2008 10:30 AM - edited 03-09-2019 08:06 PM
Why does the following config not generate any interesting traffic when I ping 10.40.10.117 from 192.168.100.161?
I have crypto debugging on and there doesn't seem to be any attempt to bring up the tunnel. I have verified that it is hitting the correct access-list and that it is NATing correctly, but there is no attempt to bring up the tunnel. I would love to hear any insight into this problem.
Thanks.
-pk
(I cut out parts I felt were insignificant to the problem.)
---------------------------------------
name 192.168.100.161 Phil
object-group network AddressesAllowed
description These are addresses that are allowed through the VPN firewall.
network-object 10.40.10.118 255.255.255.255
network-object 10.40.110.71 255.255.255.255
network-object 10.48.10.37 255.255.255.255
network-object 10.48.10.38 255.255.255.255
network-object 192.168.41.31 255.255.255.255
network-object 192.168.41.32 255.255.255.255
network-object 10.46.0.15 255.255.255.255
network-object 10.46.0.19 255.255.255.255
network-object 10.40.10.117 255.255.255.255
network-object 10.46.0.1 255.255.255.255
access-list polnat161 permit ip host Phil object-group AddressesAllowed
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.44.3.161 access-list polnat161 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address polnat161
crypto map outside_map 40 set peer 21.54.52.112
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set security-association lifetime seconds 21600 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 21.54.52.112 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
02-14-2008 12:06 PM
pk
Perhaps you can clarify which addresses are inside and which are outside? Is Phil inside and the allowed addresses outside?
I wonder about having the static command use the same access list that you are using for the VPN interesting traffic:
static (inside,outside) 10.44.3.161 access-list polnat161 0 0
I do not have enough information about your environment and your requirements to know if this is right. But I wonder what happens to the VPN if you remove or change it?
HTH
Rick
02-14-2008 12:27 PM
Thanks for replying Rick.
The situation has changed slightly and I'll post that config at the end of this, but let me give you some background on what I'm trying to accomplish.
My internal network is 192.168.100.0 /24. For all normal traffic exiting the firewall, we run PAT from one public IP address. In this case, we want to set up a VPN tunnel to another network and perform NAT for those transmissions. For instance, my IP is 192.168.100.161. When I ping google, they see me as the PAT public IP (we'll say 79.79.159.43). When I ping one of the AddressesAllowed hosts (internal IPs on the network on the other side of the tunnel) on the other end of the tunnel, I want them to see 10.44.3.161. I've tried various configurations to accomplish this and I've had the NAT working, but at no point does the VPN tunnel try to initiate itself. We have two site-to-site VPNs set up. The one that isn't working is with peer 45.56.78.89. Here is my latest attempt; let me know what you think.
[As you can see the static command has been removed and replaced with a nat command]
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 192.168.100.161 Phil
object-group network AddressesAllowed
description These are UL addresses that are allowed through the VPN firewall.
network-object 10.40.10.118 255.255.255.255
network-object 10.40.110.71 255.255.255.255
network-object 10.48.10.37 255.255.255.255
network-object 10.48.10.38 255.255.255.255
network-object 192.168.41.31 255.255.255.255
network-object 192.168.41.32 255.255.255.255
network-object 10.46.0.15 255.255.255.255
network-object 10.46.0.19 255.255.255.255
network-object 10.40.10.117 255.255.255.255
network-object 10.46.0.1 255.255.255.255
access-list inbound-acl permit icmp any any echo-reply
access-list inbound-acl permit icmp any any time-exceeded
access-list inbound-acl permit icmp any any unreachable
access-list inbound-acl deny ip any any
access-list inside_outbound_nat0_acl permit ip object-group trusted_hosts 46.57.44.19 255.255.255.192
access-list outside_cryptomap_20 permit ip object-group trusted_hosts 46.57.44.19 255.255.255.192
access-list polnat161 permit ip host Phil object-group AddressesAllowed
icmp permit any outside
ip address outside 79.79.159.43 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0
global (outside) 1 interface
global (outside) 2 10.44.3.161
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list polnat161 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound-acl in interface outside
route outside 0.0.0.0 0.0.0.0 209.252.79.1 1
http server enable
http 192.168.100.0 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 43.119.78.59
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address polnat161
crypto map outside_map 40 set peer 45.56.78.89
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set security-association lifetime seconds 21600 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 43.119.78.59 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 45.56.78.89 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
02-14-2008 02:55 PM
Hi Philip
Your previous and current configs are OK except for one thing. You translate Philip to 10.44.3.161 when the internal IP tries to reach any of the networks listed in AddressesAllowed; that's fine.
But you tell your crypto map to establish a tunnel when Philip tries to reach AddressesAllowed. But Philip is translated! So it is not the IP that originates the traffic; it is 10.44.3.161. So you should do the following modification:
access-list int_traffic_40 permit ip host 10.44.3.161 object-group AddressesAllowed
no crypto map outside_map 40 match address polnat161
crypto map outside_map 40 match address int_traffic_40
Regards
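As an added illustration (not code from this thread or from Cisco), a small Python model of the order of operations the answer relies on: the PIX applies policy NAT from nat/global 2 first and only then checks the crypto map 40 ACL against the translated source, so the original polnat161 match never sees interesting traffic while int_traffic_40 does. Addresses are the ones from the posted config; the flow model is a simplification for this one case.

```python
# Constructed, simplified model of PIX 6.3 outbound handling for the posted
# config: NAT is applied before the crypto map ACL is evaluated, so the crypto
# ACL must match the translated (post-NAT) source address. Not PIX code.

ALLOWED = {  # object-group network AddressesAllowed (from the post)
    "10.40.10.118", "10.40.110.71", "10.48.10.37", "10.48.10.38",
    "192.168.41.31", "192.168.41.32", "10.46.0.15", "10.46.0.19",
    "10.40.10.117", "10.46.0.1",
}
PHIL = "192.168.100.161"      # name 192.168.100.161 Phil
POLNAT_IP = "10.44.3.161"     # global (outside) 2 10.44.3.161
PAT_IP = "79.79.159.43"       # global (outside) 1 interface


def acl_polnat161(src, dst):
    """access-list polnat161 permit ip host Phil object-group AddressesAllowed"""
    return src == PHIL and dst in ALLOWED


def acl_int_traffic_40(src, dst):
    """access-list int_traffic_40 permit ip host 10.44.3.161 object-group AddressesAllowed"""
    return src == POLNAT_IP and dst in ALLOWED


def translate(src, dst):
    """Policy NAT: nat (inside) 2 access-list polnat161 is checked before
    the catch-all nat (inside) 1 0.0.0.0 0.0.0.0 (PAT to the interface)."""
    if acl_polnat161(src, dst):
        return POLNAT_IP
    return PAT_IP


def crypto_match(crypto_acl, src, dst):
    """True if crypto map outside_map 40 would see interesting traffic.
    The ACL is evaluated against the post-NAT source, as on the PIX."""
    nat_src = translate(src, dst)
    return crypto_acl(nat_src, dst)


if __name__ == "__main__":
    # Original config: crypto map 40 matches polnat161 -> never fires post-NAT
    print(crypto_match(acl_polnat161, PHIL, "10.40.10.117"))       # False
    # Proposed fix: crypto map 40 matches int_traffic_40 -> tunnel triggers
    print(crypto_match(acl_int_traffic_40, PHIL, "10.40.10.117"))  # True
```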