Remote Access VPN - NAT to DMZ

Unanswered Question
Jul 20th, 2012

Hi All -


I am a complete routing/firewall newbie. I just purchased a PIX 515E running PIX software 8.0(4). I've set it up with an outside, inside, and dmz network. I use NAT between the inside network and the dmz and PAT from the inside network to the outside network like so:


global (outside) 100 interface

global (dmz) 100 10.10.20.11-10.10.20.20 netmask 255.255.255.0


nat (inside) 100 10.10.10.0 255.255.255.0


I also have a remote access vpn setup with no NAT between the vpn and the inside network, as follows


ip local pool vpn_pool 192.168.1.3-192.168.1.254 mask 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound


I would like to use NAT between the vpn and the dmz, as I do between inside and dmz (basically, I want vpn traffic to be treated the same as traffic on the inside network - with either the same or a different global pool as used on the inside), but everything I do causes some side effect I was not expecting or just doesn't work.


Following this guide - http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b33101.shtml - I tried:


global (dmz) 200 interface
nat (outside) 200 192.168.1.0 255.255.255.0 outside


That worked to translate traffic going to the dmz from the vpn, but it seems to have broken my access to the inside network from the vpn, and it also seems to have overridden the PAT between the inside and the outside network. When I try to access the inside network from the vpn, I get messages in the syslog saying "portmap translation creation failed for tcp src outside:192.168.1.3/41327 dst inside:10.10.10.2/80" - so it seems that my NAT exemption rule has been overridden, and it's trying to do PAT, but can't. When I try to access any address on the internet from the inside network, I get "No translation group found for udp src inside:10.10.10.2/48208 dst outside:[public ip address/port]", so my PAT rule to allow access to the internet seems to have been overridden. Using an address pool on the dmz network rather than PAT to the dmz interface address had the same effect.


I also tried instead using an access list to limit the dmz portmap to traffic heading for the dmz, thinking that would prevent vpn traffic headed for the inside networks from getting translated.


access-list outside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.20.0 255.255.255.0

global (dmz) 200 interface

nat (outside) 200 access-list outside_nat_outbound outside


This didn't break anything else, at least, but it didn't work to translate the vpn traffic to the dmz either.  Now when I try to access the dmz, I get: "No translation group found for tcp src outside:192.168.1.3/43717 dst dmz:10.10.20.2/80". I don't understand why it doesn't apply my nat (outside) 200 rule to this traffic.


Finally, I tried a static translation rule, but that gave me the same error as the dynamic rule:


access-list outside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.20.0 255.255.255.0

static (outside,dmz) 10.10.20.0  access-list outside_nat_outbound


Is what I want to do possible? What am I missing?


Thanks in advance for any help.

Jennifer Halim (Cisco Employee) Sun, 07/22/2012 - 04:07

You would also need to configure NAT exemption for the DMZ towards the VPN because you are trying to NAT the destination (VPN pool), and you still need to configure NAT exemption for the source network (DMZ) in conjunction with the dynamic NAT.


access-list nonat-dmz permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (dmz) 0 access-list nonat-dmz


As well as the NAT that you already configured earlier:

global (dmz) 200 interface
nat (outside) 200 192.168.1.0 255.255.255.0 outside
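
As an added illustration (written for this page, not code from the thread or from Cisco), the Python below models the pre-8.3 NAT lookup order documented for PIX/ASA 7.x and 8.x: NAT exemption, then static, then policy dynamic NAT, then regular dynamic NAT, with the two rules that a matching nat needs a global with the same id on the egress interface and that nat from a lower-security interface needs the outside keyword. It then runs the lines quoted in the question and in the answer through that model. The interface security levels (0/50/100) and the nat_control flag are assumptions; the question does not say whether nat-control is enabled. The model makes the answer's point visible: once nat (outside) 200 covers the whole pool, VPN-to-inside traffic matches it too and finds no global on inside, and the DMZ-side lookup for the destination host only succeeds without the nonat-dmz exemption when nat-control is off.

```python
"""Model of the pre-8.3 PIX/ASA NAT lookup order (NAT exemption, then static,
then policy dynamic NAT, then regular dynamic NAT), run against the lines posted
in this thread.  Illustrative model written for this page, not PIX code; the
security levels and the nat_control flag are assumptions."""
import ipaddress

# Assumed security levels: the post gives none, 0/50/100 is the usual layout.
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Collect access-list, nat, global and static lines; anything else is ignored."""
    cfg = {"acl": {}, "nat": [], "global": {}, "static": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":   # access-list NAME [extended] permit ip SRC SM DST DM
            body = t[3:] if t[2] == "extended" else t[2:]
            _action, _proto, sa, sm, da, dm = body[:6]
            cfg["acl"].setdefault(t[1], []).append((_net(sa, sm), _net(da, dm)))
        elif t[0] == "nat":         # nat (IF) ID (access-list ACL | NET MASK) [outside]
            r = {"if": t[1].strip("()"), "id": int(t[2]), "outside": t[-1] == "outside"}
            if t[3] == "access-list":
                r["acl"] = t[4]
            else:
                r["net"] = _net(t[3], t[4])
            cfg["nat"].append(r)
        elif t[0] == "global":      # global (IF) ID (interface | POOL [netmask M])
            cfg["global"][(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[0] == "static":      # static (REAL_IF,MAPPED_IF) MAPPED (access-list ACL | REAL [netmask M])
            real_if, mapped_if = t[1].strip("()").split(",")
            s = {"real_if": real_if, "mapped_if": mapped_if, "mapped": t[2]}
            if t[3] == "access-list":
                s["acl"] = t[4]
            else:
                s["real"] = _net(t[3], t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255")
            cfg["static"].append(s)
    return cfg

def _permits(cfg, acl, src, dst):
    return any(src in s and dst in d for s, d in cfg["acl"].get(acl, []))

def lookup(cfg, in_if, out_if, src, dst, nat_control=False):
    """Rule chosen for address src entering in_if and heading out of out_if to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in cfg["nat"]:            # 1. NAT exemption on the ingress interface
        if r["if"] == in_if and r["id"] == 0 and "acl" in r and _permits(cfg, r["acl"], src, dst):
            return ("exempt", r["acl"])
    for s in cfg["static"]:         # 2. static NAT, including policy static
        if (s["real_if"], s["mapped_if"]) != (in_if, out_if):
            continue
        if ("acl" in s and _permits(cfg, s["acl"], src, dst)) or ("real" in s and src in s["real"]):
            return ("static", s["mapped"])
    for with_acl in (True, False):  # 3. policy dynamic NAT, then 4. regular dynamic NAT
        for r in cfg["nat"]:
            if r["if"] != in_if or r["id"] == 0 or ("acl" in r) != with_acl:
                continue
            if not (_permits(cfg, r["acl"], src, dst) if with_acl else src in r["net"]):
                continue
            if SECURITY[in_if] < SECURITY[out_if] and not r["outside"]:
                return ("error", f"nat ({in_if}) {r['id']} needs the outside keyword")
            pool = cfg["global"].get((out_if, r["id"]))
            if pool is None:        # nat matched but no global with that id on the egress side
                return ("no_translation_group", r["id"])
            return ("dynamic", r["id"], pool)
    # No rule at all: nat-control only insists on one for higher-to-lower security traffic.
    if nat_control and SECURITY[in_if] > SECURITY[out_if]:
        return ("no_translation_group", None)
    return ("untranslated", None)

def flow(cfg, in_if, out_if, src, dst, nat_control=False):
    """Two lookups per new connection: the source on the ingress interface, and the
    destination seen from the egress interface back toward the ingress one."""
    return (lookup(cfg, in_if, out_if, src, dst, nat_control),
            lookup(cfg, out_if, in_if, dst, src, nat_control))

# Constructed from the lines quoted in the question and in the answer above.
QUESTION_CONFIG = """
global (outside) 100 interface
global (dmz) 100 10.10.20.11-10.10.20.20 netmask 255.255.255.0
nat (inside) 100 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
global (dmz) 200 interface
nat (outside) 200 192.168.1.0 255.255.255.0 outside
"""
ANSWER_CONFIG = QUESTION_CONFIG + """
access-list nonat-dmz permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nonat-dmz
"""

if __name__ == "__main__":
    for label, text in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        cfg = parse_config(text)
        print(label, "vpn->dmz   ", flow(cfg, "outside", "dmz", "192.168.1.3", "10.10.20.2", True))
        print(label, "vpn->inside", flow(cfg, "outside", "inside", "192.168.1.3", "10.10.10.2", True))
```

Run it with python3 to see the question's and the answer's rule sets side by side. On the box itself, packet-tracer input outside tcp 192.168.1.3 41327 10.10.20.2 80 (available from 7.2 on) reports which NAT phase the real code picked, which is the check to run when the 305005 ("No translation group found") and 305006 ("portmap translation creation failed") messages quoted in the post disagree with what the rule set looks like it should do.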
