Pix vpn NAT problems

Jon Marshall (Hall of Fame)

PIX 515E, version 6.3(3).

I am using the PIX to act as a VPN headend device for approx. 60 sites (10 connected at present). For all of the sites connected so far I have been NATing the incoming source IP addresses, i.e.:

nat (outside) 1 172.16.1.0 255.255.255.0 outside

nat (outside) 2 172.16.2.0 255.255.255.0 outside

the corresponding global statements have been added

global (inside) 1 10.157.1.10

global (inside) 2 10.157.2.10

There is a static command for the server they are accessing and the vpn connections for these sites work fine.

However, I just tried to connect a site that did the NAT at their end, and although the VPN tunnel came up, no traffic was leaving the internal interface of the PIX destined for the server for that connection. I then added a nat and global statement for this connection:

nat (outside) 3 10.157.3.10 255.255.255.255 outside

global (inside) 3 10.157.3.10

and the remote end could then access the server.

Should I have to do this, and if not, what am I missing from the config?

Any help would be much appreciated.

Thanks

Jon

2 Replies

jsivulka (Level 5)

The basic rules of PIX:

1) The packets crossing the PIX must satisfy the conditions of ASA (higher-to-lower interface flows are explicitly allowed; lower-to-higher must be permitted using access-lists/conduits)

AND

2) The packets must satisfy the conditions of NAT (a mapping must exist or NAT 0 command must be used).

Jon Marshall (Hall of Fame)

Well, yes and no. The PIX is acting as a headend device and the traffic is coming to the external interface.

For example, if I was configuring a site-to-site VPN normally, at the headend I would need a sysopt connection permit-ipsec command, an access-list for the crypto map entry and a static command (or commands) for the servers the VPN is giving access to. I would not need a nat statement for the source IP addresses as such, just a static mapping for the servers.

Normally you use the nat commands for inside-to-outside access. This is not what we are dealing with here.

Perhaps because I have explicitly used nat outside statements I also need to be explicit when I don't want to use NAT. I'll test it.
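The explicit no-NAT rule that both replies above point at (jsivulka's rule 2, "a mapping must exist or NAT 0 command must be used", and Jon's "be explicit also when I don't want to use NAT"), written out as an added example. This is not config from the thread. It assumes the server the remote site reaches is 10.157.0.50 and names the exemption ACL NONAT-OUTSIDE, both hypothetical; the remote source 10.157.3.10, the interface names and the nat IDs are the thread's own. The command syntax is PIX 6.3 as I recall it from the command reference and should be confirmed with the show commands at the end.

```cisco
! Added example, not from the thread. Server address 10.157.0.50 and the
! ACL name NONAT-OUTSIDE are hypothetical; everything else matches the post.

! Outside NAT exactly as the thread already has it. The "outside" keyword on
! any nat (outside) line turns on NAT control for that interface, so from then
! on every outside-sourced flow toward the inside must match some nat rule or
! it is dropped (typically logged as %PIX-3-305005 No translation group found).
nat (outside) 1 172.16.1.0 255.255.255.0 outside
global (inside) 1 10.157.1.10
nat (outside) 2 172.16.2.0 255.255.255.0 outside
global (inside) 2 10.157.2.10

! Site that already NATs at its own end: exempt it with nat 0 instead of
! adding a one-for-one nat/global pair per remote address.
access-list NONAT-OUTSIDE permit ip host 10.157.3.10 host 10.157.0.50
nat (outside) 0 access-list NONAT-OUTSIDE outside

! PIX 6.x only applies nat/global changes to new connections once the
! translation table is cleared.
clear xlate

! Checks: the NATed sites should show PAT entries, the exempted source none.
show nat
show xlate
```

The thing to verify on the box is the behaviour the thread describes: with outside NAT enabled, a source with no matching nat rule gets no xlate and no traffic reaches the inside, which is what Jon saw before adding his identity nat/global pair. After the nat 0 line, show xlate should list entries for 172.16.1.0/24 and 172.16.2.0/24 sources and nothing for 10.157.3.10, yet the server is reachable. The identity pair Jon added (nat (outside) 3 10.157.3.10 ... / global (inside) 3 10.157.3.10) achieves the same result, but the nat 0 ACL scales to the remaining sites without a new nat ID each time.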
