09-15-2005 12:13 AM - edited 02-21-2020 12:23 AM
I am trying to use a static address translation for the local net 192.168.117.0 to net 172.18.18.0, but I only want to use this translation when the destination is net 192.0.0.0 (this is a net beyond a VPN connection). I can use the configuration below, but then the global PAT doesn't work, so the users on the local net cannot connect to the Internet.
access-list 101 permit ip 172.18.18.0 255.255.255.0 192.0.0.0 255.255.255.0
static (inside,outside) 172.18.18.0 192.168.117.0 netmask 255.255.255.0
I would be very grateful for an answer. /Jonny
09-15-2005 12:39 AM
Hi Jonny,
Pls try this.
access-list test permit ip 192.168.117.0 255.255.255.0 192.0.0.0 255.0.0.0
static (inside,outside) 172.18.18.0 access-list test
HTH
Regards,
Shijo George.
09-15-2005 01:32 AM
Unfortunately that didn't work. Maybe it's because the address 172.18.18.0 in the command (static (inside,outside) 172.18.18.0 access-list test) is the global address and not the local?
09-15-2005 02:04 AM
Hi,
It's the global address itself that has to be mentioned there.
Did you clear the xlate after configuring this?
Regards,
Shijo George.
09-15-2005 05:51 AM
I can see the translation in the log viewer (Built static translaton from inside: 192.168.117.100 to outside(test): 172.18.18.100) but the packets are not going into the VPN tunnel any more, to destination 192.0.0.0. Here is the configuration (PIX 501).
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list test permit ip 192.168.117.0 255.255.255.0 192.0.0.0 255.255.255.0
global (outside) 15 interface
nat (inside) 15 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.18.18.0 access-list test 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address test
crypto map outside_map 20 set peer 192.168.223.2
crypto map outside_map 20 set transform-set ESP-DES-MD5
isakmp key ******** address 192.168.223.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
Regards
/Jonny
09-15-2005 07:52 PM
Hi Jonny,
Please keep the crypto access-list the same as the one you had earlier. You have to mention the NATted IP segment in the crypto access-list.
e.g.:
access-list crypto-acl permit ip 172.18.18.0 255.255.255.0 192.0.0.0 255.255.255.0
crypto map outside_map 20 match address crypto-acl
HTH
Regards,
Shijo George.
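The reply above works because the PIX translates the source address before it evaluates the crypto map ACL, so the ACL has to name the translated (global) segment. As an added example (not from the thread or from Cisco), this Python check flags a crypto ACL that still matches the pre-NAT source of a policy static; it only understands the three command forms shown in the thread, and its function and variable names are made up for illustration.

```python
import ipaddress
import re

# Constructed sample: the three PIX 501 lines from the thread that interact.
BROKEN = """\
access-list test permit ip 192.168.117.0 255.255.255.0 192.0.0.0 255.255.255.0
static (inside,outside) 172.18.18.0 access-list test 0 0
crypto map outside_map 20 match address test
"""
# Same config with the crypto map pointed at an ACL on the translated source.
FIXED = BROKEN.replace("match address test", "match address crypto-acl") + (
    "access-list crypto-acl permit ip 172.18.18.0 255.255.255.0 "
    "192.0.0.0 255.255.255.0\n")

ACL = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
STATIC = re.compile(r"static \(\S+\) (\S+) access-list (\S+)")
CRYPTO = re.compile(r"crypto map (\S+) (\d+) match address (\S+)")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_crypto_acls(config):
    """Return findings for crypto ACLs that match pre-NAT source addresses."""
    acls, statics, cryptos = {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := ACL.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((net(src, smask), net(dst, dmask)))
        elif m := STATIC.match(line):
            statics.append(m.groups())   # (global address, policy ACL name)
        elif m := CRYPTO.match(line):
            cryptos.append(m.groups())   # (map name, sequence, crypto ACL name)
    findings = []
    for map_name, seq, crypto_acl in cryptos:
        for c_src, c_dst in acls.get(crypto_acl, []):
            for global_addr, policy_acl in statics:
                for real_src, real_dst in acls.get(policy_acl, []):
                    # Policy NAT rewrites real_src before the crypto ACL is
                    # evaluated, so an ACL naming real_src never matches.
                    if c_src.overlaps(real_src) and c_dst.overlaps(real_dst):
                        want = net(global_addr, real_src.netmask)
                        findings.append(
                            f"crypto map {map_name} {seq}: ACL {crypto_acl} matches "
                            f"{c_src}, but traffic to {real_dst} leaves as {want}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_crypto_acls(cfg) or "crypto ACL uses translated source")
```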
09-19-2005 11:24 PM
Thanks Shijo!
It is working now.
/Jonny