Cisco Support Community

New Member

pix dmz static nat and VPN

Hi,

I have a configuration on my PIX with a static NAT rule which is working fine. However, this rule doesn't work through the VPN tunnel.

Here is my config

access-list DEVPN extended permit ip host 1.1.1.32 255.255.255.224 10.5.45.0 255.255.255.0 (domain vpn encryption)

access-list indmz extended permit icmp any host 1.1.1.40

access-list indmz extended permit icmp 1.1.1.32 255.255.255.224 any

global (dmz) 2 1.1.1.40

static (inside,dmz) 1.1.1.40 2.2.2.2 netmask 255.255.255.255

access-group indmz in interface dmz

I can't ping 1.1.1.40 from 10.5.45.0/24 (through the VPN), but I can talk to it without the VPN.

%PIX-6-302020: Built ICMP connection for faddr x.x.x.x/62801 gaddr 1.1.1.40/0 laddr 2.2.2.2/0 (without vpn)

Teardown ICMP connection for faddr 10.5.45.134/60795 gaddr 1.1.1.40/0 laddr 1.1.1.40/0 (through VPN)

So why, in the second line, is there no translation from 1.1.1.40 to 2.2.2.2?

Regards,

4 REPLIES
Bronze

Re: pix dmz static nat and VPN

Please post the vpn config and the associated ACL.

New Member

Re: pix dmz static nat and VPN

The VPN ACL is already included in the previous post, namely DEVPN.

here is the vpn config:

crypto map VPNList 30 match address DEVPN

crypto map VPNList 30 set pfs

crypto map VPNList 30 set peer

crypto map VPNList 30 set transform-set ESP-3DES-SHA

The VPN works fine... my problem is about the static NAT, which is not working.

Regards,

Bronze

Re: pix dmz static nat and VPN

Hi.

The only reason why you are not able to ping is that, when you are not using the VPN, the access list named indmz is being used. Here you have specifically permitted any connection to 1.1.1.40 and replies from 1.1.1.34 to any network.

Now, when you use the VPN, the ACL named DEVPN is being called. Here you have permitted only traffic from the 1.1.1.32 network to 10.5.45.0. Since ICMP is not stateful, you will have to permit both the request and the replies. I am sure that if you add the following line to DEVPN, you should be good to go:

access-list DEVPN extended permit icmp 10.5.45.0 255.255.255.0 any

and remove the host keyword from your existing DEVPN ACL. It should be like this:

access-list DEVPN extended permit ip 1.1.1.32 255.255.255.224 10.5.45.0 255.255.255.0

--Pls do not forget to rate if useful--

New Member

Re: pix dmz static nat and VPN

OK, so we can forget ICMP. Let's take SSH instead from the remote network; the ACL access-list DEVPN extended permit ip 1.1.1.32 255.255.255.224 10.5.45.0 255.255.255.0 should be enough.

Built local-host outside:10.5.45.134

%PIX-7-609001: Built local-host dmz:1.1.1.40

%PIX-6-302013: Built inbound TCP connection 30 for outside:10.5.45.134/36710 (10.5.45.134/36710) to dmz:1.1.1.40/22 (1.1.1.40/22).

There is still no translation.
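The 302013 message above records the packet arriving on outside and being forwarded to dmz:1.1.1.40 with the real and mapped addresses identical, i.e. no static was applied on that path. The following is an added configuration example, not from the thread or from any of its participants, illustrating why: a PIX static is scoped to the interface pair named in parentheses, so static (inside,dmz) is consulted only for inside<->dmz traffic, never for traffic that enters on outside after decryption. It assumes the PIX 7.x syntax used in the posts and the interface names inside, dmz and outside that appear in the posted log lines; the second static and the expected log output are assumptions about how the same mapping would look for the outside pair.

```text
! Added example (not from the thread). Assumes PIX 7.x syntax and the
! interface names inside / dmz / outside seen in the posted log messages.

! Existing translation. It is bound to the interface PAIR in parentheses and is
! applied only to packets moving between inside and dmz.
static (inside,dmz) 1.1.1.40 2.2.2.2 netmask 255.255.255.255

! Decrypted VPN traffic from 10.5.45.0/24 enters on outside, so the pair in
! play is (inside,outside), for which no static exists. The PIX therefore
! leaves 1.1.1.40 untouched and routes it toward the dmz subnet it belongs to
! ("to dmz:1.1.1.40/22 (1.1.1.40/22)" in the 302013 message), where no host
! answers. Extending the same mapping to the outside pair keeps the mapped
! address 1.1.1.40 that the remote site already addresses:
static (inside,outside) 1.1.1.40 2.2.2.2 netmask 255.255.255.255

! The crypto ACL is matched against MAPPED (post-NAT) addresses. 1.1.1.40 lies
! inside 1.1.1.32/27, so the existing DEVPN entry already covers it:
access-list DEVPN extended permit ip 1.1.1.32 255.255.255.224 10.5.45.0 255.255.255.0
crypto map VPNList 30 match address DEVPN

! Checks after the change (assumed, illustrative):
! show xlate                  -> a global 1.1.1.40 / local 2.2.2.2 entry should
!                                now exist for the outside pair as well
! show logging | include 302013
!   expected destination field: "to inside:2.2.2.2/22 (1.1.1.40/22)"
!   i.e. real address 2.2.2.2 with mapped address 1.1.1.40, instead of the
!   untranslated "to dmz:1.1.1.40/22 (1.1.1.40/22)" seen in the thread
```

Two caveats. First, VPN traffic bypasses the outside interface ACL only while sysopt connection permit-ipsec (the PIX 7.x default) is in effect; if it has been disabled, the outside ACL must also permit 10.5.45.0/24 to host 1.1.1.40. Second, if reusing a DMZ-subnet address as a mapped address on outside is undesirable, the alternative is NAT exemption for the real host (nat (inside) 0 access-list with an entry for host 2.2.2.2 to 10.5.45.0/24), but then DEVPN and the peer's mirror ACL must reference 2.2.2.2 rather than 1.1.1.40, since the crypto ACL sees post-NAT addresses.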
