tunnel and acl

Oct 22nd, 2008

VPN Parameters site to site vpn


pix remote end point is XXX.XXX.80.108

pix remote network is 192.168.50.0/24


pix will need to make ACL from 172.24.176.9 to host 192.168.50.83 and 192.168.50.86


pix will need to NAT interesting traffic to 172.24.176.0 /24


pix remote

Phase 1

Authentication: Pre-Shared

Encryption: 3DES

Hash: SHA

DH: 1

Lifetime: 86400 sec


Phase 2

ESP encryption 3DES

ESP authentication

Lifetime 28800


I tried different acl configurations and I still have problems creating a tunnel.

I attached the configuration of local pix



ajagadee (Cisco Employee) Wed, 10/22/2008 - 16:15

Casey,


If you are NATTing and then encrypting the traffic, you really don't need the NONAT command.


Is it possible to remove the below line from the configuration and try to bring up the tunnel?


access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0


Regards,

Arul


*Pls rate if it helps*

Correct Answer
husycisco (Gold, 750 points or more) Wed, 10/22/2008 - 16:50

Hello Casey,

Two things: first, as Arul mentioned, you already exempt the translation, so it never reaches your policy nat. Second, even if you remove that exempt statement, traffic will flow through nat&global #1 first since you specified 0.0.0.0 0.0.0.0, and it won't reach nat&global #5, which is your policy nat. Here is my recommendation:




no nat (inside) 0 access-list nonat

no access-list nonat permit ip 192.168.0.0 255.255.255.0 172.24.176.0 255.255.255.0

no access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

no nat (inside) 5 access-list policynat 0 0

no global (outside) 5 172.24.176.9

nat (inside) 5 0 0

global (outside) 5 interface

no nat (inside) 1 0 0

no global (outside) 1 interface

nat (inside) 1 access-list policynat

global (outside) 1 172.24.176.9
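The two answers above turn on the order in which the PIX picks a dynamic translation and on the fact that the translated source is what the crypto ACL later sees. The following is an added example, not code from the thread or from Cisco, that models that order and runs Casey's original rules and husycisco's recommended rules over the same flows. It assumes the documented PIX/ASA 7.x order for dynamic translation (nat 0 exemption, then policy NAT, then regular NAT/PAT); it also assumes the inside network is 192.168.0.0/24 (taken from the nonat ACL), that `access-list policynat` permits 192.168.0.0/24 to 192.168.50.0/24 (its contents are not shown in the thread), and it uses the documentation address 198.51.100.1 as a placeholder for the outside interface.

```python
"""Model of PIX dynamic NAT rule selection for inside-to-outside flows.

Added example (not from the thread). Assumed evaluation order, the documented
PIX/ASA 7.x order for dynamic NAT:
  1. nat 0 access-list  (exemption, no translation)
  2. policy NAT         (nat <id> access-list ...)
  3. regular dynamic NAT/PAT (nat <id> 0 0)
Assumed values: inside network 192.168.0.0/24 (from the nonat ACL), policynat
ACL = 192.168.0.0/24 -> 192.168.50.0/24 (not shown in the thread), outside
interface address 198.51.100.1 (documentation placeholder).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

OUTSIDE_IF = "198.51.100.1"  # placeholder; the thread never states the real address


@dataclass
class Ace:
    """One permit entry of an access-list, source and destination in CIDR form."""
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


@dataclass
class NatRule:
    """nat (inside) <nat_id> ... paired with its global (outside) <nat_id> ...

    acl is None for 'nat (inside) N 0 0' (any inside source); global_pool is
    None for nat 0 (no translation) and 'interface' for PAT to the outside address.
    """
    nat_id: int
    acl: Optional[List[Ace]]
    global_pool: Optional[str]

    def matches(self, src: str, dst: str) -> bool:
        if self.acl is None:
            return True
        return any(ace.matches(src, dst) for ace in self.acl)


def translate(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], str]:
    """Return (translated source, rule that matched) for an outbound flow.

    Buckets are checked in the assumed order; the thread has one rule per
    bucket, so within a bucket the first configured rule wins.
    """
    exempt = [r for r in rules if r.nat_id == 0]
    policy = [r for r in rules if r.nat_id != 0 and r.acl is not None]
    regular = [r for r in rules if r.nat_id != 0 and r.acl is None]
    for bucket in (exempt, policy, regular):
        for rule in bucket:
            if rule.matches(src, dst):
                if rule.nat_id == 0:
                    return src, "exempt"  # nat 0: packet leaves untranslated
                if rule.global_pool == "interface":
                    return OUTSIDE_IF, f"nat {rule.nat_id}"
                return rule.global_pool, f"nat {rule.nat_id}"
    return None, "no-match"


# Crypto ACL from the question: 172.24.176.9 to the two remote hosts.
CRYPTO_ACL = [Ace("172.24.176.9/32", "192.168.50.83/32"),
              Ace("172.24.176.9/32", "192.168.50.86/32")]


def vpn_eligible(rules: List[NatRule], src: str, dst: str) -> bool:
    """NAT runs before the crypto map lookup, so the crypto ACL sees the
    translated source, not the real inside address."""
    translated, _ = translate(rules, src, dst)
    return translated is not None and any(a.matches(translated, dst) for a in CRYPTO_ACL)


INSIDE = "192.168.0.0/24"
POLICYNAT = [Ace(INSIDE, "192.168.50.0/24")]  # assumed contents of access-list policynat

# Casey's original rules, as husycisco describes them.
ORIGINAL = [
    NatRule(0, [Ace(INSIDE, "172.24.176.0/24"), Ace(INSIDE, "192.168.50.0/24")], None),
    NatRule(1, None, "interface"),
    NatRule(5, POLICYNAT, "172.24.176.9"),
]

# husycisco's recommendation: policy NAT as nat/global 1, catch-all PAT as nat/global 5.
RECOMMENDED = [
    NatRule(1, POLICYNAT, "172.24.176.9"),
    NatRule(5, None, "interface"),
]

if __name__ == "__main__":
    host = "192.168.0.10"  # constructed inside host
    for name, rules in (("original", ORIGINAL), ("recommended", RECOMMENDED)):
        for dst in ("192.168.50.83", "203.0.113.5"):  # VPN peer host, then an Internet host
            xlate, how = translate(rules, host, dst)
            print(f"{name:12s} {host} -> {dst}: src becomes {xlate} via {how}; "
                  f"matches crypto ACL: {vpn_eligible(rules, host, dst)}")
```

With the original rules, traffic for 192.168.50.83 hits the nat 0 exemption, leaves as 192.168.0.10 and never matches the crypto ACL, so no tunnel is negotiated. With the recommended rules the same flow becomes 172.24.176.9 and matches, while Internet-bound traffic falls through to the interface PAT, which is Arul's answer to the e-mail question below. The same model also explains the last post in the thread: 172.24.176.9 is a dynamic translation that only exists after an inside host has opened a connection, so a ping initiated from the remote side toward it has no xlate to match; letting the remote side initiate traffic would need a static translation for the inside host(s) plus an outside ACL permitting it.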

c-drozd Wed, 10/22/2008 - 17:09

Will the local pix be able to access the internet for email etc.?

ajagadee (Cisco Employee) Wed, 10/22/2008 - 17:25

Casey,


Yes, because all your internal traffic destined to internet will get NATTed to the outside interface and get routed accordingly.


Regards,

Arul


*Pls rate if it helps*

c-drozd Thu, 10/23/2008 - 15:15

The tunnel works with no problems, except the tech folks left me this email.

I'm attempting to ping your NAT'd IP address and this is unreachable on our end. Please be sure that your security device allows traffic initiated from us as well.

