Cisco Employee

NAT 0 problem with VPN

We have the following problem:

PIX 520 5.3.3

Three interfaces

- outside 10.x.x.x

- dmz 172.16.x.x

- inside 172.17.x.x

VPN termination (PPTP) 192.168.100.x

An internal host 172.17.1.1 is published with a static to 10.1.1.1

External clients which connect via VPN (PPTP) should be able to connect to the internal host (with its internal IP) only on a specific port.

We have configured a NAT 0 for inside and associated to it an access-list which permits ip to the host.

Then we created an access-list applied to the outside which should permit only the port requested.

The problem is that it seems the outside access-list is ignored and all traffic is permitted from the VPN client to the internal host.

Following is part of the config:

nameif ethernet0 outside security0
nameif token-ring0 inside security100
nameif ethernet1 bondioli security99
.......
name 172.17.1.1 ASSAP
name 10.1.1.1 ASSAP-PUB
.......
access-list 101 permit ip host ASSAP 192.168.100.0 255.255.255.0
access-list from-inside permit ip host ASSAP any
access-list from-inside deny ip any any
access-list from-outside permit icmp any any echo-reply
access-list from-outside permit tcp any host ASSAP-PUB eq 3201
access-list from-outside permit tcp any host ASSAP-PUB eq 3203
access-list from-outside deny ip any any
.......
ip local pool VPN-IP-POOL 192.168.100.1-192.168.100.254
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ASSAP-PUB ASSAP netmask 255.255.255.255 0 0
access-group from-outside in interface outside
access-group from-inside in interface inside
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local VPN-IP-POOL
vpdn group 1 client authentication local

3 REPLIES
New Member

Re: NAT 0 problem with VPN

Hello

Your access-list from-outside couldn't match your requirement, because the packets from the vpdn client to the internal server are addressed to the outside address of the pix. The source address is the official vpdn client ip address and the destination address is the outside ip address of the pix at the time the packet arrives on the outside interface of the pix. The pix decapsulates the packet and then forwards it out the internal interface.

Your solution is to permit only the wanted return traffic in the from-inside acl.

access-list from-inside permit tcp host ASSAP eq 3201 192.168.100.0 255.255.255.0
access-list from-inside permit tcp host ASSAP eq 3203 192.168.100.0 255.255.255.0

This should meet your requirements.

Michael

Cisco Employee

Re: NAT 0 problem with VPN

Michael,

thanks for your reply, we'll try your suggestion immediately.

However, the configuration we made was based on the example in the Cisco documentation:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid78

In the command reference of the vpdn command there's the example we started from.

Cisco Employee

Re: NAT 0 problem with VPN

We tried your tip but got no luck.

It seems that when enabling the nat (inside) 0 access-list ... packets bypass the acl on the outside interface.
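The evaluator below is an added example, not code from the thread: it parses the PIX access-list lines posted above (resolving the `name` entries) and applies first-match evaluation to the packets a PPTP client actually sends, which are addressed to the internal name ASSAP, not to ASSAP-PUB. It models the ACL logic only; on the PIX, `sysopt connection permit-pptp` (present in the config) exempts decapsulated PPTP traffic from the interface ACL altogether, and that bypass is deliberately not reproduced here. `VPN_AWARE` is a hypothetical ACL written for comparison, not a line from the thread.

```python
import ipaddress

# Constructed from the thread's config: the PIX "name" table and the from-outside ACL as posted.
NAMES = {"ASSAP": "172.17.1.1", "ASSAP-PUB": "10.1.1.1"}
FROM_OUTSIDE = [
    "permit icmp any any echo-reply",
    "permit tcp any host ASSAP-PUB eq 3201",
    "permit tcp any host ASSAP-PUB eq 3203",
    "deny ip any any",
]
# Hypothetical ACL (not from the thread) whose ACEs name the internal address the VPN clients target.
VPN_AWARE = [
    "permit tcp 192.168.100.0 255.255.255.0 host ASSAP eq 3201",
    "permit tcp 192.168.100.0 255.255.255.0 host ASSAP eq 3203",
    "deny ip any any",
]

def _addr(tokens):
    """Consume one PIX address spec (any | host NAME | NET MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    net = ipaddress.ip_network(NAMES.get(tokens[0], tokens[0]) + "/" + tokens[1], strict=False)
    return net, tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT' qualifier; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse 'ACTION PROTO SRC [eq P] DST [eq P]'; trailing ICMP type keywords are ignored."""
    action, proto, *rest = line.split()
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport=None, sport=None):
    """First-match evaluation as the PIX does it; falling off the end is an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"], ace
    return "deny", None
```

Run against the posted ACL, a VPN client's packet to 172.17.1.1:3201 reaches only `deny ip any any`, so if the outside ACL were consulted at all the symptom would be a total block rather than everything permitted; the hypothetical `VPN_AWARE` ACEs are the ones that would match such a packet.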
