NAT through tunnel only allows one way traffic

aovp77
Level 1

I have a requirement to connect my company with a third party via a VPN.

The third party will only accept packets from a pool of predefined addresses.

I have set up a test environment with a PIX and a 2621 router.

The PIX NATs packets from the inside to a pool of addresses.

From inside the PIX I am able to access the remote network, and the VPN tunnel is up.

From the remote network I am unable to access the network behind the PIX.

If I use a NAT 0 command based on an access-list I successfully get bi-directional traffic. However, packets from inside the PIX are no longer translated.

Any help would be much appreciated.

Cheers, Jimbob.

15 Replies

aacole
Level 5

Sessions started at the PIX end of the VPN will allow the corresponding replies through the stateful filter in the firewall, whereas sessions started from the remote end get blocked unless they are permitted via the static command and an ACL entry.

Normally a VPN would get around this; you wouldn't need these entries to permit your traffic, but in your case you want to NAT these packets as well before they enter the VPN.

In your test bed, can you verify that the NAT'ed packets actually go via the VPN tunnel? Are they getting encrypted?

The NAT 0 command will stop NAT, as you would normally not apply NAT to packets you're sending over the VPN.

Thanks for the reply.

When testing I had two laptops, 1 on the pix side and one on the router side to test connectivity.

Using TCPViewer I can see that packets going through the PIX to the laptop on the router side are NAT'd, showing the correct addresses.

If I do a "show crypto isakmp sa" it tells me a tunnel is established.

And if I do a "show crypto ipsec sa" I can see packets getting encrypted and decrypted.

In all the VPN's I have set up I've always used NAT 0 so that traffic from the inside network flows without translation. Also the crypto ACL specifies the inside networks, and yes it works, which is pretty much what you have found so far. No problem making inbound or outbound connections.

Rather than using a NAT pool, have you tried using a static to map an inside address to an outside address and using the outside address as the source in the crypto ACL?

However, you will probably require an entry in the outside ACL to permit access to the outside address defined in the static. This way you may be able to specify some address suitable for the 3rd party to use.

My thought is that the return packets are getting dropped by the ACL, look at the log entries, that should confirm or deny this. Do you get any other related log entries?

jackko
Level 7

You can't access the network behind the PIX from the remote network. Can you ping it? Could it be a route missing on the remote router?

It is not a routing issue.

But I will experiment with the STATIC idea.

Will post results.

Here are some debug messages from the PIX:

Tubs(config)# 710005: UDP request discarded from 172.17.20.51/137 to inside:172.17.255.255/netbios-ns

710005: UDP request discarded from 172.17.20.51/137 to inside:172.17.255.255/netbios-ns

710005: UDP request discarded from 172.17.20.51/137 to inside:172.17.255.255/netbios-ns

Tubs(config)# 305005: No translation group found for tcp src outside:192.168.100.100/1093 dst inside:172.17.20.51/445

305005: No translation group found for tcp src outside:192.168.100.100/1094 dst inside:172.17.20.51/139

305005: No translation group found for tcp src outside:192.168.100.100/1094 dst inside:172.17.20.51/139

305005: No translation group found for tcp src outside:192.168.100.100/1093 dst inside:172.17.20.51/445

305005: No translation group found for tcp src outside:192.168.100.100/1094 dst inside:172.17.20.51/139

305005: No translation group found for tcp src outside:192.168.100.100/1093 dst inside:172.17.20.51/445

I have tried fiddling with STATICs but no luck. I also thought it might be possible to do something with bi-directional NAT but was unsuccessful.

I guess I could always put a router before the PIX and translate on that.

Then have the standard NAT 0 for the VPN tunnel.

Rather not though!

It would be better if you could post the configs of both the PIX and the router.

Please find attached the configs.

On the PIX, the nonat access list should be:

access-list xxx permit ip 172.17.0.0 255.255.0.0 192.168.100.0 255.255.255.0

Then you need to apply it to nat 0:

nat (inside) 0 access-list xxx

Thanks Jackko.

I tried your suggestion, unfortunately it has not worked. :-(

I have attached the updated configs just in case I entered the commands incorrectly.

Cheers.

jackko
Level 7

I've taken a step back and thought about your scenario.

You mentioned in the very first post that hosts behind the PIX are able to access hosts behind the router, but NOT vice versa. In other words, hosts behind the router are not able to initiate any traffic to hosts behind the PIX. The reason is IP translation on the PIX.

The issue is that you tried to NAT hosts behind the firewall into three pools, and the PIX will do the NATting randomly. That is, host 172.17.20.11 will be NATted into a different IP every time it passes through the PIX. Thus hosts behind the router would not be able to start communicating with any hosts behind the PIX. So I believe all you have to do is to configure static NAT (i.e. each host will need a static statement).

I would suggest that you change the LAN behind the PIX to the 172.17.3.0 network. In case some of the addresses can't be used, you may configure the PIX to act as DHCP server and stop leasing those particular IPs.
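To show how the static-mapping advice above and the earlier nat 0 suggestion fit together on one PIX, here is an added configuration fragment. It is not from the thread or from either poster's attached configs. It assumes PIX 6.3 (policy NAT and policy static were introduced in 6.3), keeps the thread's 172.17.0.0/16 inside LAN and 192.168.100.0/24 remote network, and assumes 10.200.0.0/24 is the range the third party has agreed to accept and that the crypto map is named thirdparty. Lines beginning with a colon are PIX comments.

```text
: Added example, not the thread's own config. Assumed: PIX 6.3, third-party-accepted
: range 10.200.0.0/24, crypto map name thirdparty. Peer, transform set and isakmp
: settings are left as already configured.

: Outbound flows to the third party are translated onto the agreed pool (policy NAT).
: A pool entry exists only after an inside host has sent something, so the remote
: side cannot initiate to these hosts; that is the behaviour the thread describes.
access-list to-thirdparty permit ip 172.17.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 2 access-list to-thirdparty
global (outside) 2 10.200.0.1-10.200.0.250 netmask 255.255.255.0

: A host the third party must reach first gets a fixed mapping, limited to VPN traffic
: by a policy static so its Internet traffic still uses ordinary PAT below.
: 172.17.20.51 is the host the 305005 log lines show being dropped.
access-list host51-to-thirdparty permit ip host 172.17.20.51 192.168.100.0 255.255.255.0
static (inside,outside) 10.200.0.251 access-list host51-to-thirdparty

: Everything else keeps using PAT on the outside interface address.
nat (inside) 1 172.17.0.0 255.255.0.0
global (outside) 1 interface

: The PIX translates before it encrypts, so the crypto ACL must list the
: translated addresses, not 172.17.x.
access-list vpn-traffic permit ip 10.200.0.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map thirdparty 10 match address vpn-traffic

: Let decrypted traffic bypass the outside interface ACL. Without this, an explicit
: permit from 192.168.100.0/24 to 10.200.0.251 is needed on the outside ACL.
sysopt connection permit-ipsec
```

On the 2621 side the crypto ACL has to be the mirror image (192.168.100.0/24 to 10.200.0.0/24) and the router needs a route for 10.200.0.0/24 pointing at the PIX outside address; otherwise the remote host's SYN to 10.200.0.251 never enters the tunnel. With this layout a remote connection to any other pool address still fails, because no static exists for it, which is the trade-off the thread is circling around: only hosts with a static (and therefore a fixed inside address) are reachable from the third party.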

Hi Jackko,

Taking a further step back. The network 172.17.0.0/16 cannot be changed due to other infrastructure in place. There will be an additional 123 DHCP hosts added to the network that require access to normal services AND through the VPN.

If I were to create a STATIC for all these hosts they would all need fixed IP addresses. Which I wanted to avoid.

And if I gave them fixed IP addresses I could probably get away with NAT0.

I'm now thinking that NAT through a tunnel is not supported, and I can fully understand why due to the stateful nature of the PIX.

I am now trying an alternative idea of putting a router before the PIX. The router will NAT and PIX will perform NAT0.

I will post results when completed.

Thanks for your help on this.
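The router-in-front design described in the post above, written out as an added example; it is not the poster's configuration (no results were posted) and all addresses other than 172.17.0.0/16 and 192.168.100.0/24 are assumed: 10.200.0.0/24 as the range the third party accepts and 10.200.1.0/30 as the link between the new router and the PIX inside interface. The IOS part uses "!" comments, the PIX part uses ":" comments.

```text
! ---- IOS router between the LAN and the PIX inside interface (added example) ----
interface FastEthernet0/0
 description LAN 172.17.0.0/16 (hosts use 172.17.0.1 as their default gateway)
 ip address 172.17.0.1 255.255.0.0
 ip nat inside
!
interface FastEthernet0/1
 description link to PIX inside interface (assumed 10.200.1.0/30)
 ip address 10.200.1.1 255.255.255.252
 ip nat outside
!
! Only traffic bound for the third party is translated; everything else is routed
! unchanged, so normal services still see the real 172.17.x addresses.
access-list 101 permit ip 172.17.0.0 0.0.255.255 192.168.100.0 0.0.0.255
ip nat pool THIRDPARTY 10.200.0.1 10.200.0.250 netmask 255.255.255.0
ip nat inside source list 101 pool THIRDPARTY
!
! A dynamic pool entry exists only after the inside host has sent something, so a
! host the third party must reach first still needs a fixed mapping (kept out of
! the dynamic pool range).
ip nat inside source static 172.17.20.51 10.200.0.251
!
ip route 0.0.0.0 0.0.0.0 10.200.1.2

: ---- PIX, inside interface 10.200.1.2/30 (added example) ----
: Both the real LAN and the translated range live behind the router.
route inside 172.17.0.0 255.255.0.0 10.200.1.1
route inside 10.200.0.0 255.255.255.0 10.200.1.1

: The PIX does no translation for VPN traffic: the standard nat 0 the poster
: has always used, but written for the addresses the router hands it.
access-list nonat permit ip 10.200.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list vpn-traffic permit ip 10.200.0.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map thirdparty 10 match address vpn-traffic

: Non-VPN traffic still gets PAT on the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
sysopt connection permit-ipsec
```

Moving the translation to the router does not change the underlying limitation: an inbound connection from 192.168.100.0/24 to a pool address only works once a dynamic entry exists or a static mapping has been configured, exactly as on the PIX. What it does buy is that the PIX configuration stays the familiar nat 0 plus matching crypto ACL, and the nonat ACL, the crypto ACL on the PIX and the crypto ACL on the 2621 all describe the same pair of networks, which is much easier to keep consistent than a policy-NAT arrangement.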

It sounds brilliant. Good luck.
