10-03-2003 07:58 PM - edited 02-20-2020 11:01 PM
We are working on a project which will connect us to our clients for support. We purchased a 515e and have it fully configured to use for VPN. We PAT our address from 10.0.0.0 to 172.30.1.1 and it works fine. We have 5 betas connected to the PIX. They are all using a 3005 concentrator. Next week I have a PIX install, so I took our 506e home with me to try and get it figured out. I am really stumped. Here is the config off of the 515e for VPN:
access-list VPN_NAT permit ip 10.0.0.0 255.0.0.0 172.21.100.0 255.255.252.0
access-list Atlantic permit ip host 172.30.1.1 172.21.100.0 255.255.252.0
global (outside) 1 172.30.1.1
nat (inside) 1 access-list VPN_NAT 0 0
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map to_client 10 ipsec-isakmp
crypto map to_client 10 match address Atlantic
crypto map to_client 10 set peer xxx.xxx.xx.145
crypto map to_client 10 set transform-set ESP-AES-256-MD5 ESP-3DES-MD5
crypto map to_client interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xx.145 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Now here's where I get stuck: trying to configure the remote side to accept NAT from 172.30.1.1 and take their source address of 192.168.2.0/24 and translate it into 172.21.100.0/24, and then apply firewall rules to it as well. For example, access to only 172.21.100.3 port 23.
Like I said it works great from 3005 to 3005 or from PIX to 3005, but getting it to go from PIX to PIX has me really scratching my head.
I tried the PDM wizard, I tried static (inside,outside) translations, access-lists, and even went as far as nat (inside) 1 192.168.2.0 255.255.255.0 and global (outside) 1 172.21.100.1-172.21.100.254 255.255.255.0, with no luck.
Has anyone ever done this? I am not looking for a full config, but just a push down the right path.
Thanks
Anthony
10-04-2003 05:09 PM
I was able to bring the tunnel up, but I have 2 issues. One is I can't pass any traffic through the tunnel when it's up, and the other is I can't access the Internet when the tunnel is up. Here is the remote PIX VPN config.
access-list atlantic permit ip 172.21.1.0 255.255.255.0 host 172.30.1.1
access-list VPN_NAT permit ip 192.168.2.0 255.255.255.0 host 172.30.1.1
global (outside) 1 172.21.1.0-172.21.1.254
global (outside) 2 interface
nat (inside) 1 access-list VPN_NAT 0 0
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address atlantic
crypto map outside_map 20 set peer xxx.xxx.xx.103
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp key ******** address xxx.xxx.xx.103 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
After I get these issues fixed I still need to lock it down to port level.
Any help anyone??? Thanks in advance.
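An added check, not part of either post above: a small Python script that parses the crypto ACLs pasted in the two posts (Atlantic on the 515e, atlantic on the 506e) and tests whether they are mirror images of each other, which a PIX-to-PIX site-to-site tunnel needs before traffic will be selected for the SA. Run against the posted lines it reports that the hub expects the remote side to be 172.21.100.0/22 while the remote side presents 172.21.1.0/24; the ACL lines embedded below are copied from the posts, everything else is the example's own.

```python
import ipaddress

# Crypto ACL lines copied from the two posts above (hub 515e, remote 506e).
HUB_CRYPTO_ACL = [
    "access-list Atlantic permit ip host 172.30.1.1 172.21.100.0 255.255.252.0",
]
REMOTE_CRYPTO_ACL = [
    "access-list atlantic permit ip 172.21.1.0 255.255.255.0 host 172.30.1.1",
]


def _parse_addr(tokens, i):
    """Return (network, next_index) for 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX writes a dotted netmask, which ip_network accepts after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(lines):
    """Turn 'access-list NAME permit ip SRC DST' lines into (src, dst) network pairs."""
    pairs = []
    for line in lines:
        t = line.split()
        # Only the plain 'permit ip' form used in the posts is handled here.
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        pairs.append((src, dst))
    return pairs


def mirror_mismatches(local_lines, peer_lines):
    """Local crypto ACL entries that the peer does not mirror (src and dst swapped)."""
    peer = set(parse_crypto_acl(peer_lines))
    return [(s, d) for s, d in parse_crypto_acl(local_lines) if (d, s) not in peer]


if __name__ == "__main__":
    for src, dst in mirror_mismatches(HUB_CRYPTO_ACL, REMOTE_CRYPTO_ACL):
        print(f"hub proxy {src} -> {dst} has no mirror on the remote PIX")
    for src, dst in mirror_mismatches(REMOTE_CRYPTO_ACL, HUB_CRYPTO_ACL):
        print(f"remote proxy {src} -> {dst} has no mirror on the hub PIX")
```

The same comparison is worth making between each side's policy NAT access-list and its crypto ACL, since the translated addresses are what the peer sees; the pasted remote config also has no `isakmp enable outside` line, which the 515e config does have.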