IPSEC PIX to 2600 behind 2800

tahequivoice
Level 2

I have a 2611 behind a 2801 that uses private addressing, and is not internet accessible. What I am trying to do, and it works but has an issue, is set up an IPSEC tunnel to the network behind the 2801 over a 1:1 NAT translation, but when I do so, it causes a problem with users connecting to VMAIL desktop which is on a private network. What I would like to do is terminate the VPN onto a Loopback interface and set up the 1:1 to the Loopback. The problem is, traffic will not pass over the loopback. If I take that address and set it as primary on the ethernet and the original IP as secondary, I can pass traffic, but I don't think this is a viable approach as all the VoIP traffic goes over this interface as well. It's complicated, but doable. My main question is, can IPSEC from a PIX work on a loopback? If not, is there another way to set up NAT so the traffic from the 192 network doesn't use NAT, but the 1:1 still works for IPSEC?

8 Replies

gfullage
Cisco Employee

Should work; the PIX has no idea that its peer's IP address is configured on a loopback int, a serial int, an ATM int, or any other int for that matter.

On the 2611 router you'd need the following:

crypto map local-address loopback0

and make sure the "crypto map" is still applied to the outgoing interface, NOT the loopback interface.

On the 2800 just create a 1:1 NAT to the loopback address of the 2611 mapping to some global address. On the PIX define the IPsec peer as that global address.
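Putting the reply above into configuration form, here is an added example (not configuration posted in this thread) of the 2611 sourcing IKE and IPsec from Loopback0 while the crypto map stays on the physical uplink, together with the 1:1 static NAT on the 2801. The interface names, the 172.16.255.1 loopback address, the 203.0.113.x "public" addresses, the pre-shared key placeholder and the map/ACL names are assumptions; 192.168.1.0/24 and 10.100.100.0/24 are the subnets named in the thread.

```cisco
! ===== 2611 (IPsec endpoint, private addressing, behind the 2801) =====
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! PSK-PLACEHOLDER and 203.0.113.10 (PIX outside) are assumed values
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Loopback that the PIX will see (via the 2801 static NAT) as its peer
interface Loopback0
 ip address 172.16.255.1 255.255.255.255
!
! Interesting traffic: LAN behind the 2611 <-> LAN behind the PIX
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.100.100.0 0.0.0.255
!
! Source ISAKMP/ESP from the loopback address instead of the uplink address
crypto map VPNMAP local-address Loopback0
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address VPN-TRAFFIC
!
! The crypto map is still applied to the OUTGOING interface, not Loopback0
interface FastEthernet0/0
 description uplink to 2801
 ip address 10.10.10.2 255.255.255.0
 crypto map VPNMAP
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1

! ===== 2801 (internet edge, does the 1:1 NAT for the loopback) =====
interface FastEthernet0/0
 description inside, towards 2611
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description outside / internet (203.0.113.2 assumed)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! Route back to the 2611's loopback so NATed replies can reach it
ip route 172.16.255.1 255.255.255.255 10.10.10.2
! 1:1 mapping: PIX peers with 203.0.113.20, which is really Loopback0 on the 2611
ip nat inside source static 172.16.255.1 203.0.113.20
```

Only the loopback is translated, so the 192.168.x hosts themselves are never NATed by the 2801; the PIX is configured with 203.0.113.20 as its peer. Because the 2611 sits behind a NAT, the PIX additionally needs NAT traversal enabled (as found later in this thread), and `show crypto ipsec sa` on the 2611 should show both encrypted and decrypted counters climbing once traffic flows in both directions.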

Ahh, that's what I was missing!!

crypto map local-address loopback0

I didn't think it wouldn't work, I just couldn't get it to pass traffic in the lab. I have the PIX shipping out to Texas, so I can't try it out until it is installed. Thanks for your help.

I got the tunnel up, but it appears to have one-way routing. I also noticed I cannot ping the PIX from the router and vice versa even though ICMP is allowed. It makes it hard to verify it is working when no one is on site and I am doing this remotely from outside both devices. Are there any routes I need to add to either device so the traffic knows where to go?

Hi,

You have to do an extended ping from the router or PIX to encrypt the traffic:

From the router:

ping source

Or from PIX:

man i

ping inside

HTH,

-Kanishka

I was doing that, no luck. Even in the lab when I can ping PC to PC I wasn't able to ping the router/PIX interface. I had them try to connect to the end devices and no luck, so something is missing. The tunnel is up, I see encrypted packets when I do show cry ips sa, but no decrypted packets. It is as though it is only one-way traffic.

I attached the crypto information, the 10.0.0.0 information was tested with and without it in there, same results.

The PIX side is a 10.100.100.0 network, the 2611 side is 192.168.1.0, and there are other subnets in the 192 range as well.

Hi,

Can you also paste the NAT configuration from the PIX.

It seems the PIX is not routing the packet back to the router.

-Kanishka

I think I found the problem:

isakmp nat-traversal 20

Since this is going through a NAT device, I overlooked this one, or I should say completely forgot about it. I also found I needed to enable inside management-access on the PIX in order to ping it remotely. It is working now, at least I can ping from the PIX to inside machines on the 2611; the 2611 can ping the PIX, but not the machine behind it, which may be the machine itself.

Thanks.

Found the problem. This originally was not going to be used for internet traffic and had NAT disabled. I created a nonat ACL and enabled NAT, so now it is working! Finally!

Thanks to all.

Whodathunk it needed NAT to work!
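Pulling together the three PIX-side findings from the last posts (NAT traversal, inside management-access, and the nonat ACL with NAT enabled), here is an added example of the PIX 6.3 side; it is not configuration posted by anyone in this thread. The 203.0.113.10 outside address, the 203.0.113.20 peer (the NATed loopback of the 2611), the PSK placeholder and the ACL/map names are assumptions; 10.100.100.0/24 and 192.168.1.0/24 come from the thread.

```cisco
! ===== PIX 6.3 (inside 10.100.100.0/24, outside 203.0.113.10 assumed) =====
ip address outside 203.0.113.10 255.255.255.0
ip address inside 10.100.100.1 255.255.255.0
!
! Traffic to the remote LAN must be exempted from NAT (nonat ACL)...
access-list NONAT permit ip 10.100.100.0 255.255.255.0 192.168.1.0 255.255.255.0
! ...and the same hosts define the interesting traffic for the crypto map
access-list VPN-TRAFFIC permit ip 10.100.100.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! NAT must be enabled for the inside interface; nat 0 with the ACL exempts VPN traffic
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Let decrypted IPsec traffic bypass the outside ACL
sysopt connection permit-ipsec
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN-TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.20
crypto map VPNMAP 10 set transform-set TS
crypto map VPNMAP interface outside
!
isakmp enable outside
! PSK-PLACEHOLDER is an assumed value; the peer is the 2611 loopback as seen through the 2801 NAT
isakmp key PSK-PLACEHOLDER address 203.0.113.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Peer is behind a NAT device: negotiate NAT-T (UDP 4500) with 20-second keepalives
isakmp nat-traversal 20
!
! Allows the inside interface address to be reached (e.g. pinged) across the tunnel
management-access inside
```

With this in place, a ping sourced from the inside interface (`ping inside 192.168.1.x`) matches the NONAT and VPN-TRAFFIC entries and is encrypted rather than translated, and `show crypto ipsec sa` should report decrypted as well as encrypted packets once the remote side replies.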