01-12-2009 01:23 PM
Hello,
I'm running into an interesting issue with a PIX 506E 6.3(4)
I created a VPN back to our central location, and implemented a policy-nat on the 506E to nat their local 192.168.1.0/24 IPs to 10.200.25.0/24. This NATing works fine except for the servers that also have a static external IP. I did some packet captures, and traffic is traversing the VPN as expected and making it to the remote end, but the replies are being nat'd to the "outside" ip of the host instead of the policy nat. I can ping other hosts on the remote network just fine from the central location, just not the ones that have a static external IP address.
Example:
10.10.7.1 is at my central site and tries to ping a server with an IP of 10.200.25.11 across the VPN. Traffic leaves the central site, is encrypted, and delivered to the remote firewall. The remote firewall translates 10.200.25.11 -> 192.168.1.11 (the server's REAL IP) and delivers the packet, and the server responds, but replies are being nat'd to its public IP of 75.X.X.X instead of 10.200.25.11.
Any thoughts on how I can get around this issue?
Here's the relevant config:
access-list policy-nat line 1 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list policy-nat line 2 permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list policy-nat line 3 permit ip 192.168.1.0 255.255.255.0 10.10.7.0 255.255.255.0
access-list vpn-nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-nonat permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list vpn-nonat permit ip 192.168.1.0 255.255.255.0 10.100.11.0 255.255.255.0
nat (inside) 0 access-list vpn-nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (inside,outside) 75.x.x.x 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 10.200.25.0 access-list policy-nat 0 0
01-12-2009 02:05 PM
Try reordering your static rules:
Make the static policy the first one to be read by the pix
static (inside,outside) 10.200.25.0 access-list policy-nat 0 0
static (inside,outside) 75.x.x.x 192.168.1.11 netmask 255.255.255.255 0 0
See how that goes
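The behaviour behind this answer is first-match evaluation: the PIX checks nat 0 exemption, then the static statements in the order they were configured, then dynamic NAT/PAT. The following is an added Python model of the thread's own config (written for this thread, not Cisco's code or a PIX emulator); it shows why the reply from 192.168.1.11 picked up the public address when the one-to-one static came first, why other hosts were unaffected, and why swapping the two statics fixes it while leaving Internet-bound traffic on the public static. PUBLIC_IP stands in for the redacted 75.x.x.x, and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the config posted in the thread. Each ACL entry is
# (source network, destination network) from a "permit ip" line.
POLICY_NAT_ACL = [  # access-list policy-nat
    ("192.168.1.0/24", "10.1.1.0/24"),
    ("192.168.1.0/24", "10.1.2.0/24"),
    ("192.168.1.0/24", "10.10.7.0/24"),
]
VPN_NONAT_ACL = [  # access-list vpn-nonat, used by "nat (inside) 0"
    ("192.168.1.0/24", "192.168.2.0/24"),
    ("192.168.1.0/24", "172.16.100.0/24"),
    ("192.168.1.0/24", "10.100.11.0/24"),
]
PUBLIC_IP = "75.x.x.x"  # placeholder for the redacted public address
DYNAMIC_PAT = "outside-interface-PAT"  # nat (inside) 1 / global (outside) 1 interface


def acl_matches(acl, src, dst):
    """True if any ACL line permits this source/destination pair."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(sn) and d in ip_network(dn) for sn, dn in acl)


def policy_static(src, dst):
    """static (inside,outside) 10.200.25.0 access-list policy-nat 0 0
    Net-to-net translation: keeps the host part, swaps the network."""
    if not acl_matches(POLICY_NAT_ACL, src, dst):
        return None
    host_bits = int(ip_address(src)) - int(ip_network("192.168.1.0/24").network_address)
    return str(ip_network("10.200.25.0/24").network_address + host_bits)


def one_to_one_static(src, dst):
    """static (inside,outside) 75.x.x.x 192.168.1.11 netmask 255.255.255.255 0 0
    Applies to every destination, which is the root of the problem."""
    return PUBLIC_IP if src == "192.168.1.11" else None


def translate(src, dst, statics):
    """First-match evaluation in PIX order: exemption, statics as configured, dynamic."""
    if acl_matches(VPN_NONAT_ACL, src, dst):
        return src  # nat (inside) 0: sent untranslated
    for rule in statics:
        translated = rule(src, dst)
        if translated is not None:
            return translated
    return DYNAMIC_PAT


# Order as originally posted: one-to-one static first, policy static second.
ORIGINAL_ORDER = [one_to_one_static, policy_static]
# Order from the accepted answer: policy static first.
FIXED_ORDER = [policy_static, one_to_one_static]

if __name__ == "__main__":
    for order, label in ((ORIGINAL_ORDER, "original"), (FIXED_ORDER, "fixed")):
        print(label, "reply from 192.168.1.11 to 10.10.7.1 ->",
              translate("192.168.1.11", "10.10.7.1", order))
        print(label, "reply from 192.168.1.12 to 10.10.7.1 ->",
              translate("192.168.1.12", "10.10.7.1", order))
        print(label, "192.168.1.11 to the Internet ->",
              translate("192.168.1.11", "198.51.100.7", order))
```

Running it shows the server's VPN reply leaving as the public address under the original order and as 10.200.25.11 under the fixed order; a host without its own static (192.168.1.12) gets 10.200.25.12 either way, and Internet-bound traffic from the server still matches the one-to-one static because the policy ACL does not cover that destination.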
01-12-2009 02:36 PM
Hey, that worked. Thanks! I didn't realize that the statements would be followed in order. Learn something new every day.