PIX/PIX NAT L2L

andifur
Level 1

We are working on a project which will connect us to our clients for support. We purchased a 515e and have it fully configured to use for VPN. We PAT our address from 10.0.0.0 to 172.30.1.1 and it works fine. We have 5 betas connected to the PIX. They are all using a 3005 concentrator. Next week I have a PIX install so I took our 506e home with me to try and get it figured out. I am really stumped. Here is the config off of the 515e for VPN:

access-list VPN_NAT permit ip 10.0.0.0 255.0.0.0 172.21.100.0 255.255.252.0
access-list Atlantic permit ip host 172.30.1.1 172.21.100.0 255.255.252.0
global (outside) 1 172.30.1.1
nat (inside) 1 access-list VPN_NAT 0 0
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map to_client 10 ipsec-isakmp
crypto map to_client 10 match address Atlantic
crypto map to_client 10 set peer xxx.xxx.xx.145
crypto map to_client 10 set transform-set ESP-AES-256-MD5 ESP-3DES-MD5
crypto map to_client interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xx.145 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Now here's where I get stuck: trying to configure the remote side to accept NAT from 172.30.1.1, take their source address of 192.168.2.0/24 and translate it into 172.21.100.0/24, and then apply firewall rules to it as well. For example, access to only 172.21.100.3 port 23.

Like I said it works great from 3005 to 3005 or from PIX to 3005, but getting it to go from PIX to PIX has me really scratching my head.

I tried the PDM wizard, I tried static (inside,outside) translations, access-lists, and even went as far as nat (inside) 1 192.168.2.0 255.255.255.0 and global (outside) 1 172.21.100.1-172.21.100.254 255.255.255.0, with no luck.

Has anyone ever done this? I am not looking for a full config, but just a push down the right path.

Thanks

Anthony

1 Reply

andifur
Level 1

I was able to bring the tunnel up, but I have 2 issues. One is I can't pass any traffic through the tunnel when it's up, and the other is I can't access the Internet when the tunnel is up. Here is the remote PIX VPN config.

access-list atlantic permit ip 172.21.1.0 255.255.255.0 host 172.30.1.1
access-list VPN_NAT permit ip 192.168.2.0 255.255.255.0 host 172.30.1.1
global (outside) 1 172.21.1.0-172.21.1.254
global (outside) 2 interface
nat (inside) 1 access-list VPN_NAT 0 0
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address atlantic
crypto map outside_map 20 set peer xxx.xxx.xx.103
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp key ******** address xxx.xxx.xx.103 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

After I get these issues fixed I still need to lock it down to port level.

Any help anyone??? Thanks in advance.
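A tunnel that comes up but passes no traffic is usually a phase 2 proxy identity mismatch: the crypto ACL on each PIX must be the exact mirror of the other side's, and the policy NAT must translate local sources into the range the crypto ACL names. The script below is an added example (not part of this thread or of Cisco's tooling) that parses `access-list ... permit ip` and `global` lines in PIX 6.x syntax and performs both checks; it is fed the spoke config from the reply above and the hub crypto ACL from the first post, which may have been changed by the time of the reply.

```python
import ipaddress


def _addr(tokens):
    """Consume one PIX address spec (any | host X | NET MASK) from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # PIX 6.x writes dotted subnet masks; ipaddress accepts "net/mask" directly.
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_ace(line):
    """Return (src_net, dst_net) for an 'access-list NAME permit ip SRC DST' entry."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    rest = tokens[4:]
    return _addr(rest), _addr(rest)


def parse_global_pool(line):
    """Return (first, last) of a 'global (outside) N A-B' pool, or (A, A) for a single address."""
    spec = line.split()[3]
    first, _, last = spec.partition("-")
    return ipaddress.ip_address(first), ipaddress.ip_address(last or first)


def crypto_acls_mirror(local_ace, remote_ace):
    """Phase 2 proxy IDs must mirror exactly: remote (src, dst) == local (dst, src)."""
    lsrc, ldst = parse_ace(local_ace)
    rsrc, rdst = parse_ace(remote_ace)
    return lsrc == rdst and ldst == rsrc


def policy_nat_feeds_crypto(nat_ace, global_line, crypto_ace):
    """Translated sources (the global pool) must sit inside the crypto ACL source and the
    policy-NAT destination must equal the crypto ACL destination, or nothing matches the map."""
    nat_dst = parse_ace(nat_ace)[1]
    csrc, cdst = parse_ace(crypto_ace)
    first, last = parse_global_pool(global_line)
    return nat_dst == cdst and first in csrc and last in csrc


if __name__ == "__main__":
    # Lines taken from this thread: hub ACL from the first post, spoke lines from the reply.
    hub_crypto = "access-list Atlantic permit ip host 172.30.1.1 172.21.100.0 255.255.252.0"
    spoke_crypto = "access-list atlantic permit ip 172.21.1.0 255.255.255.0 host 172.30.1.1"
    spoke_nat = "access-list VPN_NAT permit ip 192.168.2.0 255.255.255.0 host 172.30.1.1"
    spoke_pool = "global (outside) 1 172.21.1.0-172.21.1.254"
    print("spoke policy NAT feeds its crypto ACL:", policy_nat_feeds_crypto(spoke_nat, spoke_pool, spoke_crypto))
    print("hub and spoke crypto ACLs mirror:", crypto_acls_mirror(hub_crypto, spoke_crypto))
```

`show crypto ipsec sa` on each PIX shows the negotiated local/remote identities, which is the live equivalent of the mirror check above.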
