tunnel and acl

Answered Question
Oct 22nd, 2008

VPN Parameters site to site vpn

pix remote end point is XXX.XXX.80.108

pix remote network is 192.168.50.0/24

pix will need to make ACL from 172.24.176.9 to host 192.168.50.83 and 192.168.50.86

pix will need to NAT interesting traffic to 172.24.176.0/24

pix remote

Phase 1

Authentication: Pre-Shared

Encryption: 3DES

Hash: SHA

DH: 1

Lifetime: 86400 sec

Phase 2

ESP encryption 3DES

ESP authentication

Lifetime 28800

I tried different ACL configurations and I still have problems creating a tunnel.

I attached the configuration of local pix

ajagadee Wed, 10/22/2008 - 16:15

Casey,

If you are NATting and then encrypting the traffic, you really don't need the nonat command.

Is it possible to remove the line below from the configuration and try to bring up the tunnel?

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

Regards,

Arul

*Pls rate if it helps*

Correct Answer
husycisco Wed, 10/22/2008 - 16:50

Hello Casey,

Two things. First, as Arul mentioned, you already exempt the translation, so it never reaches your policy NAT. Second, even if you remove that exempt statement, traffic will flow through nat&global #1 first, since you specified 0.0.0.0 0.0.0.0, and it won't reach nat&global #5, which is your policy NAT. Here is my recommendation:

! remove the NAT exemption and its ACL so that traffic to 192.168.50.0/24 can be translated
no nat (inside) 0 access-list nonat
no access-list nonat permit ip 192.168.0.0 255.255.255.0 172.24.176.0 255.255.255.0
no access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
! replace nat/global #5 (was the policy NAT) with the catch-all PAT to the outside interface
no nat (inside) 5 access-list policynat 0 0
no global (outside) 5 172.24.176.9
nat (inside) 5 0 0
global (outside) 5 interface
! replace nat/global #1 (was the catch-all) with the policy NAT to 172.24.176.9
no nat (inside) 1 0 0
no global (outside) 1 interface
nat (inside) 1 access-list policynat
global (outside) 1 172.24.176.9

c-drozd Wed, 10/22/2008 - 17:09

Will the local PIX be able to access the internet for email etc.?

ajagadee Wed, 10/22/2008 - 17:25

Casey,

Yes, because all your internal traffic destined for the internet will get NATted to the outside interface and routed accordingly.

Regards,

Arul

*Pls rate if it helps*
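The NAT lookup that Arul and husycisco describe, worked through as an added example. This is not code from the thread, from Casey's attachment or from Cisco: it is a small Python model of how a PIX picks a translation for an inside-initiated packet, run against the original and the recommended configuration. The outside interface address (203.0.113.1), the crypto ACL (172.24.176.9 to hosts 192.168.50.83 and .86, as the poster was told to build it), the body of the policynat ACL, and the lookup precedence (exemption, then policy NAT, then regular NAT, as Cisco documents it for PIX/ASA 7.x code) are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values (not from the thread): the PIX outside address, and the crypto
# ACL the poster was told to build (172.24.176.9 -> hosts .83 and .86).
OUTSIDE_IF = "203.0.113.1"
CRYPTO_ACL = [("172.24.176.9", "255.255.255.255", "192.168.50.83", "255.255.255.255"),
              ("172.24.176.9", "255.255.255.255", "192.168.50.86", "255.255.255.255")]
# Assumed precedence, as Cisco documents it for PIX/ASA 7.x: exemption (nat 0)
# beats policy NAT, which beats regular NAT, regardless of the nat ID numbers.
LOOKUP_ORDER = ("exempt", "policy", "regular")

# The original config as it can be reconstructed from the replies. The body of
# the policynat ACL is an assumption; the attachment is not on the page.
BEFORE = """
access-list nonat permit ip 192.168.0.0 255.255.255.0 172.24.176.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list policynat permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
global (outside) 1 interface
nat (inside) 5 access-list policynat 0 0
global (outside) 5 172.24.176.9
"""

# End state once husycisco's "no ..." and replacement commands are applied.
AFTER = """
access-list policynat permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 1 access-list policynat
global (outside) 1 172.24.176.9
nat (inside) 5 0 0
global (outside) 5 interface
"""


def _net(addr, mask):
    """Build a network from PIX 'address mask' tokens; '0 0' means any."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.IPv4Network((addr, mask))


@dataclass
class NatRule:
    kind: str                     # "exempt", "policy" or "regular"
    nat_id: int                   # pairs the rule with its global <id>
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network    # 0.0.0.0/0 for regular NAT


def parse_pix(config):
    """Parse the access-list/nat/global forms used in the thread, keeping config order."""
    acls, rules, globs = {}, [], {}
    for line in config.strip().splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append((_net(t[4], t[5]), _net(t[6], t[7])))
        elif t[0] == "nat":
            nat_id = int(t[2])
            if t[3] == "access-list":
                kind = "exempt" if nat_id == 0 else "policy"
                rules += [NatRule(kind, nat_id, s, d) for s, d in acls[t[4]]]
            else:
                rules.append(NatRule("regular", nat_id, _net(t[3], t[4]), _net("0", "0")))
        elif t[0] == "global":
            globs[int(t[2])] = t[3]   # "interface" or a mapped address
    return rules, globs


def translate(config, src, dst):
    """Return (source address seen on the outside, rule kind) for an inside-initiated packet."""
    rules, globs = parse_pix(config)
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for kind in LOOKUP_ORDER:
        for r in rules:
            if r.kind == kind and src in r.src and dst in r.dst:
                if kind == "exempt":
                    return str(src), kind          # exempted: source left untouched
                mapped = globs[r.nat_id]
                return (OUTSIDE_IF if mapped == "interface" else mapped), kind
    return None, "no-nat"   # nothing matched; the PIX would drop the packet


def interesting(src, dst):
    """Does the post-NAT packet match the crypto ACL, i.e. would it select the tunnel?"""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(src in _net(a, m) and dst in _net(b, n) for a, m, b, n in CRYPTO_ACL)


def tunnel_traffic(config, src, dst):
    """(rule kind, outside source, goes through the tunnel?) for one packet."""
    mapped, kind = translate(config, src, dst)
    return kind, mapped, mapped is not None and interesting(mapped, dst)


if __name__ == "__main__":
    for cfg, name in ((BEFORE, "before"), (AFTER, "after")):
        for dst in ("192.168.50.83", "198.51.100.25"):
            print(name, dst, tunnel_traffic(cfg, "192.168.0.10", dst))
```

With the original config a packet from 192.168.0.10 to 192.168.50.83 hits the nonat exemption, leaves with its real source address and never matches a crypto ACL written for 172.24.176.9, so no tunnel is ever negotiated; with the recommended config the same packet is translated to 172.24.176.9 and matches, while anything else from the inside falls through to the catch-all PAT on the outside interface, which is why internet access keeps working. One caveat this model does not show: nat/global translations are dynamic, created when an inside host starts a connection, so a host on the remote side that pings 172.24.176.9 before any inside host has talked to it finds no translation to reach.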

c-drozd Thu, 10/23/2008 - 15:15

The tunnel works, no problems, except the tech folks left me this email:

I'm attempting to ping your NAT'd IP address and this is unreachable on our end. Please be sure that your security device allows traffic initiated from us as well.
