
New Member

PIX 501 NAT translation for VPN traffic problem

I need to:

make ACL from 172.24.159.108 to host 192.168.50.83 and 192.168.50.86

NAT interesting traffic to 172.24.159.0 255.255.255.0

Phase 1

Authentication: Pre-Shared

Encryption: 3DES

Hash: SHA

DH: 1

Lifetime: 86400 sec

Pre-shared Key: ************

Phase2

ESP encryption 3DES

ESP authentication

Lifetime 28800

I have been struggling with this for 2 weeks. Any ideas what I am doing wrong?

Config is attached.

Thanks in advance!!!!

Ryan

13 REPLIES
Green

Re: PIX 501 NAT translation for VPN traffic problem

Config looks OK. You are policy NATing 192.168.0.108 to 172.24.159.x when going to 192.168.50.83 and .86. You have then defined the NATed address in your interesting-traffic ACL. You should be able to remove this command:

no static (inside,outside) 172.24.159.0 access-list conditional_nat 0 0

clear xlate

New Member

Re: PIX 501 NAT translation for VPN traffic problem

OK, made the change and here is the new config; still no traffic after clear xlate.

sh cry isakmp sa doesn't show that the tunnel is even connecting. Could my problem lie with something other than the ACL and NAT config?

New Member

Re: PIX 501 NAT translation for VPN traffic problem

New config.

Silver

Re: PIX 501 NAT translation for VPN traffic problem

nat (inside) 3 access-list conditional_nat 0 0

global (outside) 3 172.24.159.1-172.24.159.254 netmask 255.255.255.0

Is this policy NAT translation actually working? Do you see translations when you do show xlate?

New Member

Re: PIX 501 NAT translation for VPN traffic problem

Actually, it doesn't look like it is. Should I go back to my static translations? I had that in place at one time but have since changed to dynamic to get this to work.

Any ideas?

Silver

Re: PIX 501 NAT translation for VPN traffic problem

OK, so the problem is that policy NAT is not working. You can try static policy NAT also.

Check and post results.

HTH

Saju

New Member

Re: PIX 501 NAT translation for VPN traffic problem

OK, I'm back to static NAT. Here are the results of sh xlate:

PAT Global 166.XXX.XXX.XXX(13815) Local 192.168.0.108(2101)

PAT Global 166.XXX.XXX.XXX(7666) Local 192.168.0.112(2720)

PAT Global 166.XXX.XXX.XXX(13816) Local 192.168.0.82(2720)

PAT Global 166.XXX.XXX.XXX(13817) Local 192.168.0.112(3642)

PAT Global 166.XXX.XXX.XXX(13818) Local 192.168.0.11(1494)

PAT Global 166.XXX.XXX.XXX(14785) Local 192.168.0.112(1199)

PAT Global 166.XXX.XXX.XXX(2) Local 192.168.0.112 ICMP id 512

PAT Global 166.XXX.XXX.XXX(14876) Local 192.168.0.112(1251)

PAT Global 166.XXX.XXX.XXX(14724) Local 192.168.0.108(2735)

PAT Global 166.XXX.XXX.XXX(7553) Local 192.168.0.108(15346)

PAT Global 166.XXX.XXX.XXX(14732) Local 192.168.0.108(2744)

Global 172.24.159.0 Local 192.168.0.108

Here is the debug output as well.

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 40 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 60 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing keep alive: proposal=32767/32767 sec., actual=10/30 sec.

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 368405633:15f56c81

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:66.XXX.XXX.XXX/500 Total VPN Peers:2

VPN Peer: ISAKMP: Peer ip:66.XXX.XXX.XXX/500 Ref cnt incremented to:1 Total VPN Peers:2

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 14 protocol 3

spi 0, message ID = 719581143

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

ISAKMP (0): processing DELETE payload. message ID = 2042020179, spi size = 16

ISAKMP (0): deleting SA: src 166.XXX.XXX.XXX, dst 66.XXX.XXX.XXX

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0xcb9ca4, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:66.XXX.XXX.XXX/500 Ref cnt decremented to:0 Total VPN Peers:2

VPN Peer: ISAKMP: Deleted peer: ip:66.XXX.XXX.XXX/500 Total VPN peers:1

ISADB: reaper checking SA 0xb8f26c, conn_id = 0

Thanks in advance!

Silver

Re: PIX 501 NAT translation for VPN traffic problem

Can you post remote end's vpn config also? The SA actually builds up and then gets deleted.

Check Transform set, crypto acl (mirror image of other side) etc.

HTH

Saju

Pls rate if it helps
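An added example, not from the thread, that parses the kind of debug crypto isakmp output posted above and reports where the negotiation fails: it decodes the Phase 1 lifetime bytes (0x0 0x1 0x51 0x80 is 86400 seconds), confirms the SA authenticated and Quick Mode started, and then spots the peer's NOTIFY 14 (NO-PROPOSAL-CHOSEN in RFC 2408) for protocol 3 (ESP) followed by the DELETE, which is the Phase 2 mismatch that Saju's reply points at. Function and dictionary names are my own; the sample lines are copied from the post with the addresses left masked.

```python
import re
# Constructed sample: lines copied from the "debug crypto isakmp" output posted
# in the thread (peer addresses stay masked as in the post).
SAMPLE_DEBUG = """\
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 368405633:15f56c81
ISAKMP (0): processing NOTIFY payload 14 protocol 3
ISAKMP (0): processing DELETE payload. message ID = 2042020179, spi size = 16
"""

# ISAKMP notify types and protocol IDs from RFC 2408 (sections 3.14.1 and 3.9).
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 24578: "INITIAL-CONTACT"}
PROTOCOL_IDS = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP"}
LIFE_RE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)")
NOTIFY_RE = re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)")

def decode_life_duration(line):
    """'life duration (VPI) of 0x0 0x1 0x51 0x80' -> 86400 (big-endian bytes)."""
    m = LIFE_RE.search(line)
    if not m:
        return None
    value = 0
    for tok in m.group(1).split():
        value = (value << 8) | int(tok, 16)
    return value

def diagnose(debug_text):
    """Track how far the IKE negotiation got and why the peer tore it down."""
    r = {"phase1_lifetime": None, "phase1_authenticated": False,
         "quick_mode_started": False, "rejections": [], "sa_deleted": False}
    for line in debug_text.splitlines():
        secs = decode_life_duration(line)
        if secs is not None:
            r["phase1_lifetime"] = secs
        r["phase1_authenticated"] |= "SA has been authenticated" in line
        r["quick_mode_started"] |= "beginning Quick Mode exchange" in line
        r["sa_deleted"] |= "processing DELETE payload" in line
        if (m := NOTIFY_RE.search(line)):  # notify received from the peer, named per RFC
            r["rejections"].append((NOTIFY_TYPES.get(int(m.group(1)), m.group(1)),
                                    PROTOCOL_IDS.get(int(m.group(2)), m.group(2))))
    if not r["phase1_authenticated"]:
        r["verdict"] = "phase1 failed: check ISAKMP policy and pre-shared key"
    elif ("NO-PROPOSAL-CHOSEN", "IPSEC_ESP") in r["rejections"]:
        r["verdict"] = "phase1 ok, peer rejected the ESP proposal: check transform set and crypto ACL mirror"
    else:
        r["verdict"] = "inconclusive"
    return r
```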

Silver

Re: PIX 501 NAT translation for VPN traffic problem

You can try doing policy NAT to a single IP:

nat (inside) 3 access-list conditional_nat 0 0

global (outside) 3 172.24.159.1 netmask 255.255.255.255

or

static (inside,outside) 172.24.159.1 access-list conditional_nat 0 0

New Member

Re: PIX 501 NAT translation for VPN traffic problem

Added "static (inside,outside) 172.24.159.108 access-list conditional_nat 0 0"

and removed

"static (inside,outside) 172.24.159.0 access-list conditional_nat 0 0"

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 40 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 60 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 176378872:a8353f8

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x942c64b8(2485937336) for SA

from 66.XXX.XXX.XXX to 166.XXX.XXX.XXX for prot 3

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:66.XXX.XXX.XXX/500 Total VPN Peers:2

VPN Peer: ISAKMP: Peer ip:66.XXX.XXX.XXX/500 Ref cnt incremented to:1 Total VPN Peers:2

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 14 protocol 3

spi 0, message ID = 2816305469

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

ISAKMP (0): processing DELETE payload. message ID = 3032362312, spi size = 16

ISAKMP (0): deleting SA: src 166.XXX.XXX.XXX, dst 66.XXX.XXX.XXX

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0xba108c, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:66.XXX.XXX.XXX/500 Ref cnt decremented to:0 Total VPN Peers:2

VPN Peer: ISAKMP: Deleted peer: ip:66.XXX.XXX.XXX/500 Total VPN peers:1

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 66.XXX.XXX.XXX

ISADB: reaper checking SA 0xb8f26c, conn_id = 0

sh xlate shows "Global 172.24.159.108 Local 192.168.0.108" now as well. Any ideas?

Thanks again

Silver

Re: PIX 501 NAT translation for VPN traffic problem

Cool!

Can you post remote end's vpn config also? The SA actually builds up and then gets deleted.

Check Transform set, crypto acl (mirror image of other side) etc.

HTH

Saju

Pls rate if it helps

New Member

Re: PIX 501 NAT translation for VPN traffic problem

I don't have access to the other end; the only thing I have is these instructions.

remote endpoint is: 66.179.80.108

remote network is: 192.168.50.0 (255.255.255.0)

Clinic will need to make ACL from 172.24.159.108 to host 192.168.50.83 and 192.168.50.86

Clinic will need to NAT interesting traffic to 172.24.159.0 255.255.255.0

Phase 1

Authentication: Pre-Shared

Encryption: 3DES

Hash: SHA

DH: 1

Lifetime: 86400 sec

Pre-shared Key: *****************

Phase2

ESP encryption 3DES

ESP authentication

Lifetime 28800
