IPSec VPN with no NAT

Answered Question
May 1st, 2009

Hey guys, I've never run into this before so I thought I'd ask before wrapping up the config. I've got 2 firewalls (PIX 501) that are going to be purely point-to-point VPN devices. I want them to pass no traffic that isn't encrypted and destined for the subnets at the end of the tunnel. (no NAT for inside hosts or anything else, just the encrypted traffic)


My question is: do I need to define NAT and then put an ACL on the interfaces to block all other traffic, or will the firewalls pass the encrypted traffic through the tunnel without any NAT statements?


Thanks!


-Sean

Jon Marshall Fri, 05/01/2009 - 15:41
Sean


Presumably your VPN will terminate on the outside interfaces of your PIX 501s?


You would need NAT statements because on v6.x of PIX code, for traffic to go from a lower security interface (i.e. outside) to a higher security interface (i.e. inside), you need static statements.


So let's say your internal network at site1 on pix1 is 192.168.5.0/24 and your internal network at site2 on pix2 is 192.168.6.0/24


2 options -


1)


pix1


static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0


pix2


static (inside,outside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0




2)


pix1


access-list vpntraffic permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0


nat (inside) 0 access-list vpntraffic


pix2


access-list vpntraffic permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0


nat (inside) 0 access-list vpntraffic


Jon

pondersean Sun, 05/03/2009 - 11:49

Thanks Jon! That seems to have done the trick, but for some reason IPSec traffic is not passing. I can see the SAs being built, but traffic is not getting encrypted and sent across the tunnel. Here is the config from one of the PIXs, plus the output from "sh crypto ipsec sa". Both PIXs are configured the same, but obviously with the different IP addresses. All interfaces are talking properly (the peers can ping each other). Any help is greatly appreciated.


Thanks!





Attachment: 
Correct Answer
Jon Marshall Mon, 05/04/2009 - 02:25
Sean


You don't have an access-list allowing the traffic on your outside interface, so once the traffic is decrypted it will be dropped, because you need an ACL to go from a lower to a higher security interface.


You have 2 options, a bit like last time :-),


1) add an access-list to the outside interface of each pix allowing the traffic


2) add this command to each pix "sysopt connection permit-ipsec"


It is important to understand what this command does. It allows IPSec traffic to bypass any ACLs configured on your interfaces.


Jon
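The two pieces of advice in this thread (NAT exemption from the first reply, and the outside-interface ACL versus sysopt from the accepted answer) fit together into one site-to-site configuration. The following pix1 configuration is an added example written for this page, not a config posted in the thread; it reuses the thread's subnets (192.168.5.0/24 behind pix1, 192.168.6.0/24 behind pix2) and assumes outside addresses 203.0.113.1 and 203.0.113.2, a default gateway of 203.0.113.254, a 3DES-capable license, and a pre-shared key shown as a placeholder. It chooses option 1 from the accepted answer (an explicit outside ACL scoped to the tunnel subnets) rather than sysopt, and adds an inside ACL so that, as the original question asked, nothing but traffic bound for the remote subnet is ever accepted from inside hosts.

```cisco
!--- pix1 (PIX 6.3 syntax). pix2 is the mirror image with the subnets
!--- and peer addresses swapped. Addresses other than the two LAN
!--- subnets are assumptions for this example.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.5.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1

!--- One ACL defines the tunnel's "interesting traffic". It is reused
!--- for NAT exemption (Jon's option 2) and as the crypto map match
!--- ACL, so the two can never drift apart.
access-list vpntraffic permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list vpntraffic

!--- Inside -> outside: only traffic headed into the tunnel is allowed.
!--- Anything else from inside hosts hits the implicit deny. There is
!--- deliberately no "nat (inside) 1" or "global" statement, so even
!--- without this ACL unmatched traffic would fail translation.
access-list inside_in permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-group inside_in in interface inside

!--- Outside -> inside: decrypted traffic goes from a lower to a higher
!--- security interface, so it must be permitted by an ACL (the missing
!--- piece in Sean's config). Scoping it to the remote subnet means the
!--- peer can only reach the local LAN with the source it is supposed to
!--- use. IKE (UDP 500) and ESP addressed to the PIX itself are accepted
!--- once isakmp is enabled on outside and need no entry here.
access-list outside_in permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0
access-group outside_in in interface outside

!--- Alternative to the outside_in ACL (Jon's option 2 in the accepted
!--- answer). Do not combine it with outside_in: once this is set, every
!--- packet that arrives through the tunnel skips the interface ACLs
!--- entirely, so the only remaining filter is the crypto ACL above.
!--- sysopt connection permit-ipsec

!--- Phase 1 (IKE). Key is a placeholder; use a long random PSK.
isakmp enable outside
isakmp identity address
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- Phase 2 (IPSec) bound to the outside interface.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpntraffic
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
```

With the explicit ACL option, the check after bringing the tunnel up is the same one Sean used: `show crypto ipsec sa` should show both #pkts encaps and #pkts decaps increasing once a host on 192.168.5.0/24 pings one on 192.168.6.0/24; encaps rising while decaps stays at zero on the far side points at the outside ACL (or a missing nat 0) rather than at IKE. If you prefer the sysopt route, keep in mind what the accepted answer says: it removes interface ACL enforcement for everything the peer sends through the tunnel, so the remote site's security becomes your own.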

pondersean Mon, 05/04/2009 - 14:55

Thanks Jon! Can't believe I forgot the sysopt statement, I appreciate you taking the time to look at the config. :)
