
tunnel and acl

c-drozd
Level 1

VPN Parameters site to site vpn

pix remote end point is XXX.XXX.80.108

pix remote network is 192.168.50.0/24

pix will need to make ACL from 172.24.176.9 to host 192.168.50.83 and 192.168.50.86

pix will need to NAT interesting traffic to 172.24.176.0 /24

pix remote

Phase 1

Authentication: Pre-Shared

Encryption: 3DES

Hash: SHA

DH: 1

Lifetime: 86400 sec

Phase 2

ESP encryption 3DES

ESP authentication

Lifetime 28800

I tried different acl configurations and I still have problems creating a tunnel.

I attached the configuration of local pix

Accepted Solution

Hello Casey,

Two things; first, as Arul mentioned, you already exempt the translation and it never reaches your policy nat. Second, although you remove that exempt statement, traffic will flow through nat&global #1 first since you specified 0.0.0.0 0.0.0.0 and it won't reach nat&global #5, which is your policy nat. Here is my recommendation:

no nat (inside) 0 access-list nonat
no access-list nonat permit ip 192.168.0.0 255.255.255.0 172.24.176.0 255.255.255.0
no access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
no nat (inside) 5 access-list policynat 0 0
no global (outside) 5 172.24.176.9
nat (inside) 5 0 0
global (outside) 5 interface
no nat (inside) 1 0 0
no global (outside) 1 interface
nat (inside) 1 access-list policynat
global (outside) 1 172.24.176.9

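To make the two points in the accepted reply concrete, here is an added model (not from the thread or from Cisco) of the PIX NAT lookup: nat 0 exemption is checked first, then nat/global pairs in ascending id. The contents of access-list policynat and the outside interface address are not quoted in the thread, so they are assumed here; the three configurations compared are the original, the original with only the nonat lines removed, and the recommended one.

```python
import ipaddress

# Crypto ACL from the thread: interesting traffic is 172.24.176.9 -> the two remote hosts.
CRYPTO_ACL = [("172.24.176.9/32", "192.168.50.83/32"),
              ("172.24.176.9/32", "192.168.50.86/32")]
# Assumed contents of access-list policynat (not quoted in the thread).
POLICYNAT = [("192.168.0.0/24", "192.168.50.0/24")]
# The original nonat access-list, as quoted in the reply.
NONAT = [("192.168.0.0/24", "172.24.176.0/24"),
         ("192.168.0.0/24", "192.168.50.0/24")]
# Placeholder for the PIX outside interface address (not in the thread).
OUTSIDE_IF = "203.0.113.1"

# nat/global pairs as (id, acl or None, global address); None = "nat (inside) <id> 0 0".
ORIGINAL = {"exempt": NONAT,
            "nat": [(1, None, OUTSIDE_IF), (5, POLICYNAT, "172.24.176.9")]}
EXEMPT_REMOVED = {"exempt": [], "nat": ORIGINAL["nat"]}   # only Arul's suggestion applied
RECOMMENDED = {"exempt": [],
               "nat": [(1, POLICYNAT, "172.24.176.9"), (5, None, OUTSIDE_IF)]}

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def acl_matches(acl, src, dst):
    # acl: list of (source network, destination network) permit entries
    return any(in_net(src, s) and in_net(dst, d) for s, d in acl)

def translated_source(cfg, src, dst):
    """Source address the packet carries when it reaches the crypto map.
    Model (following the reply's reasoning): nat 0 access-list wins outright;
    otherwise nat/global pairs are tried in ascending id, where a policy entry
    needs an ACL hit and a '0 0' entry matches any inside source."""
    if acl_matches(cfg["exempt"], src, dst):
        return src                      # exempted: leaves untranslated
    for _id, acl, global_addr in sorted(cfg["nat"], key=lambda e: e[0]):
        if acl is None or acl_matches(acl, src, dst):
            return global_addr
    return None                         # no translation rule: PIX drops it

def tunnel_triggered(cfg, src, dst):
    """True only when the post-NAT packet matches the crypto ACL."""
    nat_src = translated_source(cfg, src, dst)
    return nat_src is not None and acl_matches(CRYPTO_ACL, nat_src, dst)

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL), ("exempt removed", EXEMPT_REMOVED),
                      ("recommended", RECOMMENDED)]:
        print(name, translated_source(cfg, "192.168.0.10", "192.168.50.83"),
              tunnel_triggered(cfg, "192.168.0.10", "192.168.50.83"))
```

Only the recommended layout presents 172.24.176.9 to the crypto map for the remote hosts while everything else still leaves via the interface address.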

5 Replies

ajagadee
Cisco Employee

Casey,

If you are NATTing and then encrypting the traffic, you really don't need the NONAT command.

Is it possible to remove the below line from the configuration and try to bring up the tunnel?

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

Regards,

Arul

*Pls rate if it helps*


Will the local pix be able to access the internet for email etc.?

Casey,

Yes, because all your internal traffic destined to internet will get NATTed to the outside interface and get routed accordingly.

Regards,

Arul

*Pls rate if it helps*

c-drozd
Level 1

The tunnel works with no problems, except the tech folks left me this email.

I'm attempting to ping your NAT'd IP address and this is unreachable on our end. Please be sure that your security device allows traffic initiated from us as well.
