Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

VPN access-list, tranlation issue

I have this scenario with a PIX 525 6.3, this supposedly worked at one time:

I have a device on the inside network that needs to access a remote site network through a VPN tunnel.

Inside network device is 10.11.150.1, needs to access remote device 10.79.15.3.

The remote side is supposed to see my device as a 10.91.6.1 address, I am supposed to see his 10.79.15.3 as my destination.

The tunnel never attempts to come up, none of the access-lists show any hits at all, is there something missing?

It seems like a routing issue or access-list problem, all routes are correct, the firewall can ping my device on this end, but the access-lists never get hits.

crypto map p 30 ipsec-isakmp

crypto map p 30 match address Translate

crypto map p 30 set peer 1.23.45.67

crypto map p 30 set transform-set 3dessha

static (inside,outside) 10.91.6.1 access-list translation 0 0

access-list Translation permit ip host 10.11.150.1 10.79.8.0 255.255.248.0

access-list Translate permit ip 10.91.6.0 255.255.255.240 10.79.8.0 255.255.248.0

18 REPLIES
New Member

Re: VPN access-list, tranlation issue

what's the inside and outside IP of the vpn box (pix), and what's the private subnets of both side?

Based on your configuration the vpn works like" if source from 10.91.6.0 subnet want to visit destination 10.79.8.0 goes to vpn tunnel. then your side pix will connect peer 1.23.45.67 to initial ipsec tunnel"

New Member

Re: VPN access-list, tranlation issue

Thanks for the reply,

That is correct:

My source private inside address is:

10.11.150.1

Which is translated to 10.91.6.1 in the PIX on my end.

Which will establish a connection to his inside address:

10.79.15.3, he will see 10.91.6.1 as his destination endpoint for data.

My PIX has 1.23.45.67 as the peer (his end) for VPN tunnel.

The thing is, I do not see any of the translation or encryption access-lists getting hits on my end.

I can ping my source station (10.11.150.1)from the inside interface of the PIX.

Debugs show no attempt to build up the tunnel.

It kind of looks like a routing issue, or the access-lists on my end are not built right.

Unless, the access-lists will not show hits if his peer is not reachable.

is that possible? it seems even if the peer didn't exist at all, I would still se the tunnel attempt to build up.

Gold

Re: VPN access-list, tranlation issue

Richard,

Can you please post your configuration (taking out sensitive information).

Thanks,,

Gold

Re: VPN access-list, tranlation issue

The below should work for you, (policy NAT) basically when you initiate traffic from host 10.11.50.x IP it will be NATed (NAT happens before encryption) to global IP 10.91.6.1 (this is the IP that your customer will see as your LAN address). The crypto ACL will be triggered when it needs to send traffic to your peer LAN address of 10.79.8.x (your source address will be 10.91.6.1).

After you have made the below modification, issue: save wr m and also issue:

clear xlate

clear isakmp sa

clear ipsec sa

Note - the rest of your internal IP addresses will be NATed to global IP address (111.222.333.444) for normal outbound translation.

------------------------

access-list nat_to_customer permit ip host 10.11.50.x 10.79.8.0 255.255.248.0

access-list crypto_map_customer permit ip host 10.91.6.1 10.79.8.0 255.255.248.0

ip address outside 111.222.333.444 255.255.255.x

ip address inside 10.11.50.1 255.255.255.0

global (outside) 2 10.91.6.1

global (outside) 1 interface

nat (inside) 2 access-list nat_to_customer

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set test1 esp-3des esp-md5-hmac

crypto map testmap 1 ipsec-isakmp

crypto map testmap 1 match address crypto_map_customer

crypto map testmap 1 set peer 1.23.45.67

crypto map testmap 1 set transform-set test1

crypto map testmap 1 interface outside

isakmp enable outside

isakmp key address 1.23.45.67 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 3600

-----------------------

Hope this helps and if it does please rate posts!!

New Member

Re: VPN access-list, tranlation issue

Thanks for the reply,

Looking at your config post, it looks like maybe a NAT and Global addition is needed.

This is all there is relating to that tunnel:

crypto map p 30 ipsec-isakmp

crypto map p 30 match address diebold

crypto map p 30 set peer 65.196.80.7

crypto map p 30 set transform-set 3dessha

crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac

static (inside,outside) 10.91.6.1 access-list dieboldtranslation 0 0

access-list dieboldtranslation2 permit ip host 10.11.150.1 10.79.8.0 255.255.248.0

and you config shows:

global (outside) 2 10.91.6.1

global (outside) 1 interface

nat (inside) 2 access-list nat_to_customer

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

This is all I have currently:

global (outside) 1 interface

global (inside) 3 172.32.16.1

global (B) 1 192.168.1.254

global (C) 1 192.168.100.1

global (ftp) 1 10.1.40.249

nat (outside) 0 access-list nonatoutside outside

nat (outside) 3 access-list xxx outside 0 0

nat (inside) 0 access-list NO_NAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Are there supposed to be Global and associated NAT for each static translation?

New Member

Re: VPN access-list, tranlation issue

Basically I think your configuration is good. Please make sure the

access-list NO_NAT ("nat (inside) 0 access-list NO_NAT")

does not include the subnet "10.11.150.0". otherwise your static NAT would not work because the "nat 0" is higher order than static NAT.

New Member

Re: VPN access-list, tranlation issue

Thanks for the information?

Can you explain the NAT and Global relationship and how you cam about the "higher order" comment?

New Member

Re: VPN access-list, tranlation issue

What about me not seeing the access-lists on my end getting matched?

Shouldn't I have seen that? if the routing is correct?

New Member

Re: VPN access-list, tranlation issue

Cisco firewall matches local traffic to NAT commands in the following order:

1. 1. NAT exemption (nat 0 access-list)?In order, until the first match.

2. Static NAT and Static PAT (regular and policy) (static)?In order, until the first match.

3. Policy dynamic NAT (nat access-list)?In order, until the first match.

4. Regular dynamic NAT (nat)?Best match

In your case the outgoing traffic order is:

NAT 0-->static (inside,outside)-->nat (inside) 1 and will use the first match one.

I am not very sure the reason why hit==0, but i guess cisco firewall only consider the ACL applied on interface as real hit !!

New Member

Re: VPN access-list, tranlation issue

hey man, I appreciate you posts,

I just found this in the firewall log:

106011: Deny inbound (No xlate) tcp src inside:10.11.150.1/1673 dst inside:10.79.15.3/5202

here is my NO_NAT:

access-list NO_NAT permit ip host 10.1.10.25 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.10.24 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.74.1 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.40.97 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.40.99 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.40.113 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.40.108 host 12.8.22.233

access-list NO_NAT permit ip host 10.1.40.1 host 12.8.22.233

access-list NO_NAT permit ip host 192.168.207.3 host 192.168.204.8

access-list NO_NAT permit ip host 172.16.250.4 host 192.168.204.8

access-list NO_NAT permit ip 10.1.40.0 255.255.255.0 170.209.0.2 255.255.255.254

access-list NO_NAT permit ip 10.250.10.0 255.255.255.0 172.20.3.0 255.255.255.0

access-list NO_NAT permit ip 172.16.254.0 255.255.255.0 172.20.3.0 255.255.255.0

access-list NO_NAT permit ip 10.1.80.0 255.255.255.0 172.20.3.0 255.255.255.0

access-list NO_NAT permit ip 10.250.70.0 255.255.255.0 172.20.3.0 255.255.255.0

access-list NO_NAT permit ip 10.250.10.0 255.255.255.0 host 207.30.150.254

access-list NO_NAT permit ip 172.16.254.0 255.255.255.0 host 207.30.150.254

access-list NO_NAT permit ip 10.1.80.0 255.255.255.0 host 207.30.150.254

access-list NO_NAT permit ip 10.250.70.0 255.255.255.0 host 207.30.150.254

access-list NO_NAT permit ip any 10.1.0.0 255.255.255.0

access-list NO_NAT permit ip 10.0.0.0 255.0.0.0 10.30.0.0 255.255.0.0

access-list NO_NAT deny ip 10.0.0.0 255.0.0.0 host 10.253.96.48

access-list NO_NAT permit ip any 10.0.0.0 255.0.0.0

access-list NO_NAT permit ip any 172.16.254.0 255.255.255.0

access-list NO_NAT permit ip any 172.16.0.0 255.240.0.0

access-list NO_NAT permit ip any 192.168.201.0 255.255.255.0

access-list NO_NAT permit ip any 192.168.204.0 255.255.255.0

Is there a line needed?

if so, can I fix it by adding one line, or do I need to redo the entire list?

New Member

Re: VPN access-list, tranlation issue

looks like the source and destination are on the same side of one firewall interface !! PIX can not work like this, the outgoing packet must take a different interface! otherwise you will see the log "Deny inbound (No xlate) tcp src inside:10.11.150.1/1673 dst inside:10.79.15.3/5202 "

it's nothing about the configuration, the vpn design is wrong.

If later you change the design, please modify

'

access-list NO_NAT permit ip any 10.0.0.0 255.0.0.0 " that mean source IP begin with 10 take NO_NAT, this including your vpn source IP

New Member

Re: VPN access-list, tranlation issue

Thanks rico,

Suppose I did want to put an access-list addition in the NO_NAT access-list, is there any way to put in at the top of the list rather than the bottom?

If I just make an addition, it will go to the bottom of the list, I want to add it in a specific order, can I do that?

New Member

Re: VPN access-list, tranlation issue

Yes you can. After you do a show access-list, you will not the line number where you want to place the addition. For example- access-list 101 line 13 ....

Hope this helps.

New Member

Re: VPN access-list, tranlation issue

Can you show me how I would enter the line?

New Member

Re: VPN access-list, tranlation issue

One last question rico,

in the firewall NO-NAT access-list there is this line:

access-list NO_NAT permit ip any 10.0.0.0 255.0.0.0

wouldn't this match the 10.11.150 subnet and then would prevent the static nat from wotking as you stated above?

New Member

Re: VPN access-list, tranlation issue

10.0.0.0 /8 include 10.11.150.0/24, so every packet IP begin with 10.x will take this NO_NAT rule that why your static nat not work.

try

access-list NO_NAT deny ip host 10.11.150.1 10.79.8.0 255.255.248.0

before

access-list NO_NAT permit ip any 10.0.0.0 255.0.0.0

pix version 6.3 does not support insert ACL line number you need 7.2 up, you have to rewrite the whole ACL.

I think this time you can see your static NAT works, maybe trying initial the vpn tunnel...but still if the other vpn box locate at the same interface side as source it would n't work again. good luck

New Member

Re: VPN access-list, tranlation issue

Thanks for all the help rico,

One last question:

If I remoove the entore access-list and then rewrite it,

Will I cause the exiting VPN tunnels to go down?

New Member

Re: VPN access-list, tranlation issue

Thank you for the post.

266
Views
20
Helpful
18
Replies
CreatePlease to create content