Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1190
Views
0
Helpful
5
Replies

Cisco PIX 515E Access List, NAT, and VPN Issue

eric_hanke
Level 1
Level 1

‎11-28-2008 06:00 AM - edited ‎03-11-2019 07:19 AM

I recently inherited management of a Cisco PIX 515E Firewall running IOS version 6.1(4). The PIX has very broad ACL's for NAT.

They include:

access-list ipsec permit ip 10.2.1.0 255.255.255.0 10.10.100.0 255.255.254.0

access-list nonat permit ip 10.2.1.0 255.255.255.0 10.10.100.0 255.255.254.0

access-list nonat permit ip 10.2.1.0 255.255.255.0 10.10.102.0 255.255.254.0

access-list nonat permit ip 10.2.4.0 255.255.255.0 10.10.102.0 255.255.254.0

access-list bcvpn permit ip 10.2.1.0 255.255.255.0 10.10.102.0 255.255.254.0

access-list bcvpn permit ip 10.2.4.0 255.255.255.0 10.10.102.0 255.255.254.0

nat (inside) 0 access-list nonat

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

The PIX already has two IPSEC VPN's created. One “matches” access-list ipsec, the other access-list bcvpn.

The problem I am running into is that I need to create an additional VPN with another site that uses a 10.1.0.0 /16 network. When I add my access-list for NAT and “match” I lose all connectivity to the PIX, even from the outside using SSH.

The access-list entries I am adding are:

access-list TPIMilford permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0

access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.96.0 255.255.255.0

access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.97.0 255.255.255.0

access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0

access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.96.0 255.255.255.0

access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.97.0 255.255.255.0

access-list nonat permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0

Do I need to modify “NAT (inside) 1 10.0.0.0 255.0.0.0?

Thanks in advance,

Eric Hanke

Labels:
0 Helpful
5 Replies 5

ariesc_33
Level 1
Level 1

‎11-28-2008 07:12 AM

hi, yes i think you answered your own question.if you look at the NAT statement, the FW will check first on ip network that are not going to be natted (nonat) and another thing, the last acl above will confuse your routing.are the following segment not in used on your internal network?

10.1.0.0/16

10.2.0.0/16

10.3.0.0/16

if yes, you can modify your nat to

nat (inside) 1 10.4.0.0 255.252.0.0 0 0

0 Helpful

eric_hanke
Level 1
Level 1
In response to ariesc_33

‎12-01-2008 09:46 PM

Thank you for the reply.

In order to avoid losing access to the PIX, it's approximately 300 miles away, I need to confirm the order of commands:

The 10.2.0.0/24 network is inside the PIX:

ip address inside 10.2.1.1 255.255.255.0

Here are the steps as I see them:

Delete the vague NAT entry

no nat (inside) 1 10.0.0.0 255.0.0.0

nat (inside) 1 10.2.0.0 255.255.255.0

then complete with:

access-list TPIMilford permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0

access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.96.0 255.255.255.0

access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.97.0 255.255.255.0

access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0

access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.96.0 255.255.255.0

access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.97.0 255.255.255.0

access-list nonat permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0

nat (inside) 0 access-list nonat

isakmp key TPICisco address *.*.*.* netmask 255.255.255.255

isakmp key TPICisco address *.*.*.* netmask 255.255.255.255

crypto map transam 3 ipsec-isakmp

crypto map transam 3 match address TPIMilford

crypto map transam 3 set peer 12.39.0.68

crypto map transam 3 set transform-set CISCOPIX

crypto map transam 4 ipsec-isakmp

crypto map transam 4 match address TPIGAP

crypto map transam 4 set peer 209.120.251.34

crypto map transam 4 set transform-set CISCOPIX

ssh 72.2.145.240 255.255.255.0 outside

ssh 209.120.251.59 255.255.255.0 outside

crypto ipsec transform-set dbtrans esp-des esp-md5-hmac

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 2

Thanks for the assistance. I just need to be sure of the order of everything so I don't lose access to the device.

***EDIT***

Is it recommended that I clear XLATE or clear ARP during this process???

Eric Hanke

0 Helpful

Mo'ath Al Rawashdeh
Level 1
Level 1
In response to eric_hanke

‎12-02-2008 04:24 AM

Hi Eric,

On which interfaces are these ACLs applied:

access-list TPIMilford permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0

access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.96.0 255.255.255.0

access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.97.0 255.255.255.0

And in what direction (inbound/outbound)?

As i'm afraid there is something wrong with your traffic ACLs

Cheers,

0 Helpful

eric_hanke
Level 1
Level 1
In response to Mo'ath Al Rawashdeh

‎12-02-2008 05:37 AM

These ACL's are used to "match" traffic for the VPN's:

crypto map transam 3 match address TPIMilford

access-list TPIMilford permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0

crypto map transam 4 match address TPIGAP

access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0

access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.96.0 255.255.255.0

access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.97.0 255.255.255.0

0 Helpful

Mo'ath Al Rawashdeh
Level 1
Level 1
In response to eric_hanke

‎12-02-2008 04:25 AM

"no nat (inside) 1 10.0.0.0 255.0.0.0

nat (inside) 1 10.2.0.0 255.255.255.0"

the second line has to have a 255.255.0.0 mask.

"Is it recommended that I clear XLATE or clear ARP during this process???"

No need to clear xlate.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card