IPSec VPN with no NAT

Answered Question
May 1st, 2009

Hey guys, I've never run into this before so I thought I'd ask before wrapping up the config. I've got 2 firewalls (PIX 501) that are going to be purely point-to-point VPN devices. I want them to pass no traffic that isn't encrypted and destined for the subnets at the end of the tunnel. (no NAT for inside hosts or anything else, just the encrypted traffic)

My question is: do I need to define NAT and then put an ACL on the interfaces to block all other traffic, or will the firewalls pass the encrypted traffic through the tunnel without any NAT statements?

Thanks!

-Sean

Correct Answer by Jon Marshall about 7 years 8 months ago

Sean

You don't have an access-list allowing the traffic on your outside interface so once the traffic is decrypted it will be dropped because you need an acl to go from a lower to higher security interface.

You have 2 options, bit like last time :-),

1) add an access-list to the outside interface of each pix allowing the traffic

2) add this command to each pix "sysopt connection permit-ipsec"

It is important to understand what this command does. It allows IPSec traffic to bypass any ACLs configured on your interfaces.

Jon

Jon Marshall Fri, 05/01/2009 - 15:41

Sean

Presumably your VPN will terminate on the outside interfaces of your PIX 501s?

You would need NAT statements, because on v6.x of PIX code, for traffic to go from a lower security interface (i.e. outside) to a higher security interface (i.e. inside), you need static statements.

So let's say your internal network at site1 on pix1 is 192.168.5.0/24 and your internal network at site2 on pix2 is 192.168.6.0/24.

2 options -

1)

pix1

static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

pix2

static (inside,outside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0

2)

pix1

access-list vpntraffic permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0

nat (inside) 0 access-list vpntraffic

pix2

access-list vpntraffic permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0

nat (inside) 0 access-list vpntraffic

Jon

pondersean Sun, 05/03/2009 - 11:49

Thanks Jon! That seems to have done the trick, but for some reason IPSec traffic is not passing. I can see the SAs being built, but traffic is not getting encrypted and sent across the tunnel. Here is the config from one of the PIXs, plus the output from "sh crypto ipsec sa". Both PIXs are configured the same, but obviously with the different IP addresses. All interfaces are talking properly (the peers can ping each other). Any help is greatly appreciated.

Thanks!

Attachment: 

pondersean Mon, 05/04/2009 - 14:55

Thanks Jon! Can't believe I forgot the sysopt statement, I appreciate you taking the time to look at the config. :)
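The thread boils down to two separate things a PIX 6.x site-to-site config needs: a NAT exemption for the tunnel subnets (Jon's identity static or nat 0 access-list) and something that lets the decrypted traffic in on the outside interface (an outside access-list or sysopt connection permit-ipsec). The following is an added example, not code from the thread or from Cisco: a small Python lint that reads a PIX-style config and reports whichever of the two is missing. The sample configs, the peer address 203.0.113.2 and the ACL names are constructed; ACL matching is simplified to an exact subnet/mask comparison with first-match semantics, which is an assumption and not a full PIX ACL evaluator.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): NAT exemption present, crypto map
# bound, SAs will build, but nothing permits the decrypted traffic inbound.
BROKEN_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list vpntraffic permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list vpntraffic
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpntraffic
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap interface outside
"""

# Jon's option 2: let IPsec traffic bypass interface ACLs.
FIXED_SYSOPT = BROKEN_CONFIG + "sysopt connection permit-ipsec\n"

# Jon's option 1: an explicit outside ACL permitting remote -> local.
FIXED_OUTSIDE_ACL = BROKEN_CONFIG + (
    "access-list outside_in permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0\n"
    "access-group outside_in in interface outside\n"
)

# Identity static instead of nat 0 (Jon's first NAT option), sysopt present.
FIXED_STATIC = FIXED_SYSOPT.replace(
    "nat (inside) 0 access-list vpntraffic\n",
    "static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0\n",
)

LOCAL_NET = ("192.168.5.0", "255.255.255.0")   # pix1 inside
REMOTE_NET = ("192.168.6.0", "255.255.255.0")  # pix2 inside


def parse_pix(text):
    """Pick out the lines relevant to the two checks; everything else is ignored."""
    cfg = {"acls": defaultdict(list), "statics": [], "nat0_acls": set(),
           "access_groups": {}, "sysopt_permit_ipsec": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            cfg["acls"][m[1]].append((m[2], (m[3], m[4]), (m[5], m[6])))
            continue
        m = re.fullmatch(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line)
        if m:
            cfg["statics"].append({"high": m[1], "low": m[2], "global": m[3],
                                   "local": m[4], "mask": m[5]})
            continue
        m = re.fullmatch(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m:
            cfg["nat0_acls"].add(m[2])
            continue
        m = re.fullmatch(r"access-group (\S+) in interface (\S+)", line)
        if m:
            cfg["access_groups"][m[2]] = m[1]
            continue
        if line == "sysopt connection permit-ipsec":
            cfg["sysopt_permit_ipsec"] = True
    return cfg


def acl_permits(entries, src, dst):
    """First matching entry decides; exact subnet match only (assumption)."""
    for action, s, d in entries:
        if s == src and d == dst:
            return action == "permit"
    return False


def check_vpn_config(text, local, remote):
    """Return a list of findings; an empty list means both conditions are met."""
    cfg = parse_pix(text)
    findings = []
    identity_static = any(
        s["high"] == "inside" and s["low"] == "outside"
        and s["global"] == s["local"] == local[0] and s["mask"] == local[1]
        for s in cfg["statics"])
    nat_exempt = any(acl_permits(cfg["acls"][n], local, remote) for n in cfg["nat0_acls"])
    if not (identity_static or nat_exempt):
        findings.append("no NAT exemption for %s -> %s: add an identity static or "
                        "nat (inside) 0 access-list" % (local[0], remote[0]))
    outside_acl = cfg["access_groups"].get("outside")
    inbound_ok = cfg["sysopt_permit_ipsec"] or (
        outside_acl is not None and acl_permits(cfg["acls"][outside_acl], remote, local))
    if not inbound_ok:
        findings.append("decrypted traffic is dropped on outside: add an outside "
                        "access-list permitting %s -> %s or 'sysopt connection "
                        "permit-ipsec'" % (remote[0], local[0]))
    return findings


if __name__ == "__main__":
    for name, cfg_text in [("broken", BROKEN_CONFIG), ("sysopt", FIXED_SYSOPT),
                           ("outside-acl", FIXED_OUTSIDE_ACL), ("static", FIXED_STATIC)]:
        print(name, check_vpn_config(cfg_text, LOCAL_NET, REMOTE_NET) or "ok")
```

Run it against pix1's config with its own inside subnet as local and the far side as remote; for pix2 swap the two. Keep in mind what Jon points out about option 2: sysopt connection permit-ipsec clears the inbound check for everything arriving through the tunnel, so the crypto ACL is then the only thing bounding what the remote site can reach.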
