Pix vpn NAT problems

Unanswered Question
Nov 19th, 2003
Pix 515E ver 6.3(3).

I am using the pix to act as a vpn headend device for approx 60 sites (10 connected at present). For all of the sites connected so far I have been NATting the incoming source ip addresses, i.e.

nat (outside) 1 172.16.1.0 255.255.255.0 outside
nat (outside) 2 172.16.2.0 255.255.255.0 outside

The corresponding global statements have been added:

global (inside) 1 10.157.1.10
global (inside) 2 10.157.2.10

There is a static command for the server they are accessing, and the vpn connections for these sites work fine.

However, I just tried to connect a site who did the NAT at their end, and although the vpn tunnel came up, no traffic was leaving the internal interface of the pix destined for the server for that connection. I then added a NAT & global statement for this connection:

nat (outside) 3 10.157.3.10 255.255.255.255 outside
global (inside) 3 10.157.3.10

and the remote end could then access the server.

Should I have to do this, and if not, what am I missing from the config?

Any help would be much appreciated.

Thanks

Jon


jsivulka Tue, 11/25/2003 - 09:19
The basic rules of PIX:

1) The packets crossing the PIX must satisfy the conditions of ASA (higher to lower interface flows are explicitly allowed; lower to higher must be permitted using access-lists/conduits)

AND

2) The packets must satisfy the conditions of NAT (a mapping must exist or the NAT 0 command must be used).

Jon Marshall Thu, 11/27/2003 - 04:32
Well, yes and no. The pix is acting as a headend device and the traffic is coming to the external interface.

For example, if I was configuring a site-to-site vpn normally, at the headend I would need a sysopt connection permit-ipsec command, an access-list for the crypto map entry and a static command(s) for the servers the vpn is giving access to. I would not need a nat statement for the source ip addresses as such, just a static mapping for the servers.

Normally you use the nat commands for inside to outside access. This is not what we are dealing with here.

Perhaps because I have explicitly used nat outside statements I need to be explicit also when I don't want to use NAT. I'll test it.
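To make the two rules jsivulka lists concrete against the configuration Jon posted, here is a small Python model of how a PIX 6.3 decides whether an outside-to-inside packet is forwarded: the ASA security-level check (waived for tunnel traffic by sysopt connection permit-ipsec), the static for the destination server, and the requirement that the source either matches a nat/global pair across the ingress and egress interfaces or is exempted by nat 0. This is an added example written for this thread, not Cisco code and not anything either poster ran; the class and function names, the security levels, the server address 10.157.0.5 and the treatment of nat 0 as a plain network exemption are assumptions for illustration. The three configurations it evaluates are Jon's original one (site 3 unreachable), his identity nat/global fix, and the nat 0 alternative.

```python
"""Toy model of the two PIX admission rules quoted in the thread.

Constructed example, not Cisco code: class, function and field names, the
security levels and the server address are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PixConfig:
    # interface name -> security level (PIX convention: outside 0, inside 100)
    security: dict = field(default_factory=lambda: {"outside": 0, "inside": 100})
    # nat (iface) id net mask   -> {(iface, id): [networks]}
    nat: dict = field(default_factory=dict)
    # global (iface) id addr    -> {(iface, id): addr}
    global_: dict = field(default_factory=dict)
    # nat (iface) 0 net mask    -> {iface: [networks]}  (source left untranslated)
    nat0: dict = field(default_factory=dict)
    # static (real_if,mapped_if) mapped real -> {(real_if, mapped_if, mapped): real}
    static: dict = field(default_factory=dict)
    # sysopt connection permit-ipsec: tunnel traffic bypasses the interface ACL
    permit_ipsec: bool = False


def evaluate(cfg, src_if, dst_if, src_ip, dst_ip, ipsec=False, acl_permits=False):
    """Decide whether a packet entering src_if and bound for dst_if is forwarded.

    Returns (verdict, translated_source); translated_source is None on deny.
    """
    src = ipaddress.ip_address(src_ip)
    lower_to_higher = cfg.security[src_if] < cfg.security[dst_if]

    # Rule 1 (ASA): higher-to-lower is allowed; lower-to-higher needs an ACL
    # or conduit, unless the packet arrived via IPsec and sysopt permits it.
    if lower_to_higher and not (acl_permits or (ipsec and cfg.permit_ipsec)):
        return "deny: lower-to-higher flow needs access-list/conduit", None

    # Rule 2 (NAT), destination side: an outside host can only reach an inside
    # address that a static has published on the lower-security interface.
    if lower_to_higher and (dst_if, src_if, dst_ip) not in cfg.static:
        return "deny: no static for destination on " + src_if, None

    # Rule 2 (NAT), source side: nat 0 exempts; otherwise a nat entry on the
    # ingress interface must pair with a global of the same id on the egress one.
    if any(src in net for net in cfg.nat0.get(src_if, [])):
        return "permit: nat 0, source untranslated", src_ip
    for (iface, nat_id), nets in cfg.nat.items():
        if iface == src_if and any(src in net for net in nets):
            mapped = cfg.global_.get((dst_if, nat_id))
            if mapped is None:
                return f"deny: nat id {nat_id} has no global on {dst_if}", None
            return f"permit: nat {nat_id}, source -> {mapped}", mapped
    return "deny: no translation group found for source", None


SERVER = "10.157.0.5"  # constructed placeholder for the server behind the static


def thread_config(site3_identity_nat=False, site3_nat0=False):
    """Build the headend configuration described in the thread (outside NAT per site)."""
    cfg = PixConfig(permit_ipsec=True)
    cfg.static[("inside", "outside", SERVER)] = SERVER  # the static for the server
    cfg.nat[("outside", 1)] = [ipaddress.ip_network("172.16.1.0/24")]
    cfg.global_[("inside", 1)] = "10.157.1.10"
    cfg.nat[("outside", 2)] = [ipaddress.ip_network("172.16.2.0/24")]
    cfg.global_[("inside", 2)] = "10.157.2.10"
    if site3_identity_nat:  # Jon's fix: nat (outside) 3 10.157.3.10/32 + global (inside) 3 10.157.3.10
        cfg.nat[("outside", 3)] = [ipaddress.ip_network("10.157.3.10/32")]
        cfg.global_[("inside", 3)] = "10.157.3.10"
    if site3_nat0:  # the nat 0 exemption jsivulka mentions, applied to site 3's source
        cfg.nat0["outside"] = [ipaddress.ip_network("10.157.3.10/32")]
    return cfg


def site_flow(cfg, src_ip):
    """A packet from a remote site arriving over the tunnel, bound for the server."""
    return evaluate(cfg, "outside", "inside", src_ip, SERVER, ipsec=True)


if __name__ == "__main__":
    for label, cfg in [("as posted", thread_config()),
                       ("identity nat", thread_config(site3_identity_nat=True)),
                       ("nat 0", thread_config(site3_nat0=True))]:
        print(label, "site 1:", site_flow(cfg, "172.16.1.20"))
        print(label, "site 3:", site_flow(cfg, "10.157.3.10"))
```

Run as a script it shows site 1 being translated to 10.157.1.10 in every case, while site 3 is dropped with "no translation group found" under the posted configuration and forwarded once either the identity nat/global pair or a nat 0 exemption covers 10.157.3.10, which matches what Jon observed. The model only reproduces the admission logic the thread states; it does not implement PAT, xlate timeouts or ordering details of the real PIX.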

