12-31-2007 01:09 PM - edited 03-12-2019 05:55 PM
I'm administering a small business network across two offices. Both offices have a PIX501 firewall. Right now we have a working PIX to PIX VPN tunnel between offices and everything is working great. But I am trying to get remote VPN access working for people outside the office with laptops and Cisco VPN Client software. My problem is with NAT 0. I have an access group for the PIX to PIX VPN and an access group for the VPN Client. I can get either VPN to work depending on which access list the NAT 0 statement has, but I can't get both groups to work at the same time. If I put one of the remote clients into the PIX to PIX access group, the remote client connects, but there is no network access. Can someone look at my config and help me?
12-31-2007 03:33 PM
nat 0 can only take one acl. combine them both and use just the one acl for nat 0.
01-03-2008 12:26 PM
I've tried this with only one access list; see the last couple of sentences in my first post. But I did it again just to make sure. Please see attached config.
And I still have the same problem. PIX-to-PIX VPN from the other office works fine. But remote VPN from the Cisco Client has problems. The VPN tunnel does connect. But the remote PC is not getting connected to the local network. I think there is some kind of routing problem here. But the remote client connected just fine to my server when it had its own access list and the nat 0 set to it, which also, of course, killed the PIX-to-PIX VPN.
01-03-2008 12:31 PM
Not a nat 0 problem. Add this to your pix...
isakmp nat-traversal
01-03-2008 12:41 PM
It would seem more scalable and cleaner, in my opinion, to add a no_nat acl with 192.168.2.0/24 and 192.168.4.0/24 and put that in your nat 0 config. Then change your VPN client pool back to 192.168.4.0/24.
01-03-2008 12:44 PM
I agree Adam. Change your pool back and add nat-traversal and you should be good to go.
01-03-2008 01:00 PM
OK ... this makes total sense to me. What doesn't make sense is a no_nat acl with two destination addresses. I can't decode anything like this out of my 6.3 cmd ref. Can you show me what such an access-list command statement would look like?
01-03-2008 01:12 PM
access-list nonat permit ip Main 192.168.2.0 255.255.255.0
access-list nonat permit ip Main 192.168.4.0 255.255.255.0
nat (inside) 0 access-list nonat
01-03-2008 01:15 PM
It should look something like:
access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list acl_no_nat
the no NAT access-list can have many destination subnets or IPs in it. All it does is tell the PIX not to NAT traffic going from 192.168.1.0/24 to West or to VPN clients. For example, if you add another site to site VPN you will need to add another line in the acl_no_nat access-list:
access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0
01-04-2008 06:09 AM
Thanks Adam ... it is simple. It just wasn't clear to me that multiple statements could be assigned to the same acl. And it's right there in the manual ... second sentence in the Access List Usage. Need to knock down some glass walls in my head and read a little closer.
01-23-2008 07:02 AM
01-23-2008 07:31 AM
I would recommend changing your vpnwest ip pool to the RmtVPN subnet (192.168.4.0) and then adding an access-list for just no-nat. For example:
remove: access-list vpn_west permit ip ESIMain 255.255.255.0 RmtVPN 255.255.255.0
add: access-list no-nat permit ip ESIMain 255.255.255.0 ESIWest 255.255.255.0
add: access-list no-nat permit ip ESIMain 255.255.255.0 RmtVPN 255.255.255.0
remove: nat (inside) 0 access-list vpn_west
add: nat (inside) 0 access-list no-nat
remove: ip local pool vpnwest 192.168.2.100-192.168.2.110
add: ip local pool rmtvpn 192.168.4.100-192.168.4.110
remove: vpngroup vpnwest address-pool vpnwest
add: vpngroup vpnwest address-pool rmtvpn
remove: vpngroup makvpn address-pool vpnwest
add: vpngroup makvpn address-pool rmtvpn
A lot of this is cosmetic but it will help when troubleshooting. You shouldn't need an access-list on your outside interface to allow remote vpn access to it. Once the client is connected I believe they will have full access to your 192.168.1.0/24 network in this configuration. Are you wanting to restrict this access?
01-23-2008 08:36 AM
As long as you have "sysopt connection permit-ipsec" there is no need to define an access-list to allow traffic from the vpn client as all traffic will be allowed.
01-23-2008 10:10 AM
Before I discovered the use of multiple access-list commands for one access group, I had tried the setup you described. It didn't work. The VPN from the west office is different: it's a PIX to PIX VPN tunnel that I found docs for on Cisco's site. I believe it works differently from the connections from the VPN Client software that's out on remote laptops. The west office is on 192.168.2.0 and it appears if I remove that network from the config, the VPN from there will not connect. I've attached both the doc I got this from and the config from the west office router. Using the configs in this doc was the only way I could get the PIX-to-PIX VPN to work .... all the other VPN docs were wrong.
01-23-2008 01:41 PM
It looks as though, based off the provided config, that you are NAT'ing traffic that is supposed to go over the VPN tunnel. You are going to want to have a no-nat access-list on the WestPIX also:
access-list no-nat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
Also, you will want to enable sysopt connection permit-ipsec for the tunnel to come up with your current configuration.
sysopt connection permit-ipsec
You will also need to enable your crypto and isakmp commands again. Issue the same commands that are in your WestPIX config with the no crypto... and no isakmp... without the "no" in front. The following command will need to change also:
crypto map outside_map 20 match address inside_outbound_nat0_acl
to:
crypto map outside_map 20 match address no-nat
This is due to the access-list inside_outbound_nat0_acl not existing.
I hope this helps.
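The mistakes found across this thread (a nat 0 ACL that exempts only one of the two VPN destinations, a crypto map whose match address names an ACL that does not exist, nat-traversal and sysopt left off) are all visible in the text of the config before anything is debugged on the wire. The script below is an added example, not code from any post: it parses only the PIX 6.3 command forms it needs (access-list ... permit ip with explicit masks, nat 0, ip local pool, vpngroup address-pool, the crypto map match/static/dynamic lines, isakmp nat-traversal, sysopt connection permit-ipsec) and ignores everything else. SAMPLE_CONFIG is a constructed fragment, not the poster's attached config; the peer 203.0.113.10 and the ACL and pool names are assumptions for the example.

```python
"""Audit a PIX 6.3 config for the VPN/NAT mismatches discussed in this thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample (not the poster's attached config). It reproduces two
# mistakes from the thread: the nat 0 ACL exempts only the West subnet, and the
# crypto map references an ACL that was never defined.
SAMPLE_CONFIG = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn_west permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool rmtvpn 192.168.4.100-192.168.4.110
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address inside_outbound_nat0_acl
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 30 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp enable outside
vpngroup makvpn address-pool rmtvpn
"""

# The same fragment with the fixes the thread converged on applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "match address inside_outbound_nat0_acl", "match address vpn_west") + """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
isakmp nat-traversal 20
sysopt connection permit-ipsec
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
GROUP_RE = re.compile(r"^vpngroup (\S+) address-pool (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(text):
    """Reduce the config to the few facts the audit needs; unknown lines are skipped."""
    cfg = {"acls": defaultdict(list), "nat0": {}, "pools": {}, "groups": {},
           "match": [], "static": [], "dynamic": [],
           "nat_traversal": False, "permit_ipsec": False}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ACL_RE.match(line)) and m.group(2) == "permit":
            name, _, s, sm, d, dm = m.groups()
            cfg["acls"][name].append((_net(s, sm), _net(d, dm)))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := POOL_RE.match(line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                       ipaddress.ip_address(m.group(3)))
        elif m := GROUP_RE.match(line):
            cfg["groups"][m.group(1)] = m.group(2)
        elif m := MATCH_RE.match(line):
            cfg["match"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := STATIC_RE.match(line):
            cfg["static"].append((m.group(1), int(m.group(2))))
        elif m := DYNAMIC_RE.match(line):
            cfg["dynamic"].append((m.group(1), int(m.group(2))))
        elif line.startswith("isakmp nat-traversal"):
            cfg["nat_traversal"] = True
        elif line == "sysopt connection permit-ipsec":
            cfg["permit_ipsec"] = True
    return cfg


def audit(text):
    """Return human-readable findings; an empty list means every check passed."""
    cfg = parse(text)
    findings = []
    for cmap, seq, acl in cfg["match"]:
        if acl not in cfg["acls"]:
            findings.append(f"crypto map {cmap} {seq}: match address ACL '{acl}' is not defined")
    nonat = [pair for acl in cfg["nat0"].values() for pair in cfg["acls"].get(acl, [])]
    if not nonat:
        findings.append("no usable 'nat (inside) 0 access-list': all VPN traffic will be NATed")
    # A site-to-site proxy identity that is still translated never matches the crypto ACL.
    for cmap, seq, acl in cfg["match"]:
        for src, dst in cfg["acls"].get(acl, []):
            if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nonat):
                findings.append(f"crypto map {cmap} {seq}: {src} -> {dst} is not in the nat 0 ACL")
    # The remote-access pool must likewise be a nat 0 destination.
    for group, pool in cfg["groups"].items():
        if pool not in cfg["pools"]:
            findings.append(f"vpngroup {group}: address-pool '{pool}' is not defined")
            continue
        lo, hi = cfg["pools"][pool]
        if not any(lo in nd and hi in nd for _, nd in nonat):
            findings.append(f"vpngroup {group}: pool {pool} ({lo}-{hi}) is not in the nat 0 ACL")
    if cfg["groups"]:
        if not cfg["dynamic"]:
            findings.append("vpngroup configured but no dynamic crypto map entry")
        if not cfg["nat_traversal"]:
            findings.append("isakmp nat-traversal is off: clients behind NAT connect but pass no traffic")
        # Static peers are tried first only if the dynamic entry has the highest sequence number.
        for cmap, seq in cfg["static"]:
            if any(cmap == dmap and seq >= dseq for dmap, dseq in cfg["dynamic"]):
                findings.append(f"crypto map {cmap} {seq}: static entry numbered after the dynamic entry")
    if not cfg["permit_ipsec"]:
        findings.append("sysopt connection permit-ipsec missing: decrypted traffic hits the interface ACL")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {audit(text) or ['ok']}")
```

Run it against a `write terminal` capture; on the constructed sample it reports the undefined match ACL, the client pool missing from nonat, nat-traversal off and sysopt missing, and reports nothing once the thread's fixes are applied. It is a text check only: it does not verify that the West PIX mirrors the crypto ACL, which has to be compared by hand against the other side's config.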