Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
385
Views
5
Helpful
1
Replies

PIX to Router VPN tunnel - NAT problem

gsebk
Level 1
Level 1

‎11-11-2002 12:57 AM - edited ‎02-21-2020 12:10 PM

Hi all!

I have configured a VPN connection between a PIX and a router. The IPSec works well. The scenario is the following:

http://www.olivetti.hu/csulok/ipsec%20pix2rtr.gif

The config of the PIX:

http://www.olivetti.hu/csulok/pix.txt

The good config of the router:

http://www.olivetti.hu/csulok/config.txt

The problem is that in the working configuration of the router the real inside interface is the IP NAT OUTSIDE and the real outside is the IP NAT INSIDE. If I change the router config like below, the connection fails when I ping from Host A the Host B's 10.111.130.55 IP address. The echo-replys can be seen on the router but no NAT is performed.

What can be the problem?

Config change:

interface FastEthernet0/0

ip address 195.228.140.213 255.255.255.248

ip nat outside

crypto map profis

!

interface FastEthernet0/1

ip address 10.111.130.68 255.255.255.0 secondary

ip address 11.111.130.68 255.255.255.0 secondary

ip address 192.168.202.249 255.255.255.0

ip nat inside

!

ip nat pool banknak 10.111.130.68 10.111.130.68 prefix-length 24

ip nat outside source list 150 pool banknak

The NAT debug on router (no NAT for echo-replys):

23:37:59: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [295]

23:38:01: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [296]

23:38:03: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [297]

23:38:05: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [298]

23:38:07: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [299]

Labels:
0 Helpful
1 Reply 1

steve.barlow
Level 7
Level 7

‎11-11-2002 05:59 AM

Try:

!

interface FastEthernet0/0

ip address 195.228.140.213 255.255.255.248

ip nat outside

crypto map profis

!

interface FastEthernet0/1

ip address 10.111.130.68 255.255.255.0 secondary

ip address 11.111.130.68 255.255.255.0 secondary

ip address 192.168.202.249 255.255.255.0

ip nat inside

!

ip nat inside source static 10.111.130.69 172.16.130.69

ip nat inside source list 150 pool banknak overload (if you want all of the 10.111.130.0 to 192.168.201.0 traffic NATed)

ip nat pool banknak 172.16.130.70 172.16.130.70 prefix-length 24

!

access-list 150 permit ip 10.111.130.0 0.0.0.255 192.168.201.0 0.0.0.255

!

And remember that NAT is performed before the crypto map statements/acls.

eg

crypto map profis 1 ipsec-isakmp

set peer 195.228.140.212

set transform-set transx

match address 120

access-list 120 permit ip host 172.16.130.69 192.168.201.0 0.0.0.255

Hope it helps.

Steve

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents