Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

PIX to Router VPN tunnel - NAT problem

Hi all!

I have configured a VPN connection between a PIX and a router. The IPSec works well. The scenario is the following:

http://www.olivetti.hu/csulok/ipsec%20pix2rtr.gif

The config of the PIX:

http://www.olivetti.hu/csulok/pix.txt

The good config of the router:

http://www.olivetti.hu/csulok/config.txt

The problem is that in the working configuration of the router the real inside interface is the IP NAT OUTSIDE and the real outside is the IP NAT INSIDE. If I change the router config like below, the connection fails when I ping from Host A the Host B's 10.111.130.55 IP address. The echo-replys can be seen on the router but no NAT is performed.

What can be the problem?

Config change:

interface FastEthernet0/0

ip address 195.228.140.213 255.255.255.248

ip nat outside

crypto map profis

!

interface FastEthernet0/1

ip address 10.111.130.68 255.255.255.0 secondary

ip address 11.111.130.68 255.255.255.0 secondary

ip address 192.168.202.249 255.255.255.0

ip nat inside

!

ip nat pool banknak 10.111.130.68 10.111.130.68 prefix-length 24

ip nat outside source list 150 pool banknak

The NAT debug on router (no NAT for echo-replys):

23:37:59: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [295]

23:38:01: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [296]

23:38:03: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [297]

23:38:05: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [298]

23:38:07: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [299]

1 REPLY

Re: PIX to Router VPN tunnel - NAT problem

Try:

!

interface FastEthernet0/0

ip address 195.228.140.213 255.255.255.248

ip nat outside

crypto map profis

!

interface FastEthernet0/1

ip address 10.111.130.68 255.255.255.0 secondary

ip address 11.111.130.68 255.255.255.0 secondary

ip address 192.168.202.249 255.255.255.0

ip nat inside

!

ip nat inside source static 10.111.130.69 172.16.130.69

ip nat inside source list 150 pool banknak overload (if you want all of the 10.111.130.0 to 192.168.201.0 traffic NATed)

ip nat pool banknak 172.16.130.70 172.16.130.70 prefix-length 24

!

access-list 150 permit ip 10.111.130.0 0.0.0.255 192.168.201.0 0.0.0.255

!

And remember that NAT is performed before the crypto map statements/acls.

eg

crypto map profis 1 ipsec-isakmp

set peer 195.228.140.212

set transform-set transx

match address 120

access-list 120 permit ip host 172.16.130.69 192.168.201.0 0.0.0.255

Hope it helps.

Steve

250
Views
5
Helpful
1
Replies
CreatePlease to create content