Cisco Support Community
Community Member

pix vpn public dmz

Hi,

I'd like to establish a VPN from a PIX 515 firewall, OS version 7.0(5), with a public DMZ and NAT translation.

inside: 10.5.10.0/24

outside: 1.1.1.1/27 (public range)

dmz: 2.2.2.2/27 (public range)

remote inside network:192.168.20.0/24

So my encryption domain must be: 2.2.2.3/32 -- 192.168.20.0/24

and I've got a NAT rule which is:

nat (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

so basically I want to translate the connections coming from 2.2.2.3 to 10.5.10.28.

The VPN is set up correctly and established on both sides, but the NAT rule doesn't work with the VPN.

Built inbound TCP connection 4619 for outside:192.168.20.82/34237 (192.168.20.82/34237) to dmz:2.2.2.3/22 (2.2.2.3/22)

but I can't see any traffic on the server 10.5.10.28; I should see instead:

Built inbound TCP connection 4619 for outside:192.168.20.82/34237 (192.168.20.82/34237) to dmz:10.5.10.28/22(10.5.10.28/22)

Any help would be great!

Regards,

durale

ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: pix vpn public dmz

Hi Durale

Could you just clarify the line

nat (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

should it read

static (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

Also, are you terminating the VPN on the outside interface of your firewall, i.e. what is the peer IP address for your end?

Could you not try

static (inside,outside) 2.2.2.2 10.5.10.28 netmask 255.255.255.255

** Edit - I meant

static (inside,outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255 **

You don't actually need the traffic to go to the DMZ, do you?

Alternatively, do you have any spare IP addresses available in the public subnet on your outside interface?

HTH

Jon

20 REPLIES
Green

Re: pix vpn public dmz

Could you look through your post again? You have 10.5 as being inside above, and then you have 10.5 being your DMZ subnet.

"inside: 10.5.10.0/24"

"Built inbound TCP connection 4619 for outside:192.168.20.82/34237 (192.168.20.82/34237) to dmz:10.5.10.28/22(10.5.10.28/22)"

Community Member

Re: pix vpn public dmz

Well, probably you didn't understand my issue!!

It should be something like:

Built inbound TCP connection 4619 for outside:192.168.20.82/34237 (192.168.20.82/34237) to dmz:194.42.124.40/22(10.5.10.28/22)

The most important thing to understand is that there is no translation between 194.42.124.40 and 10.5.10.28 when I request a connection through the VPN (the NAT rule doesn't work through the VPN).

hope it helps,

Regards,

durale

Green

Re: pix vpn public dmz

I understood fine.

Community Member

Re: pix vpn public dmz

OK, so sorry, I meant static instead of nat.

I need the traffic to be translated from 2.2.2.3 to 10.5.10.28 (inside).

I don't want to use a spare outside IP address because I want to use one from the DMZ subnet.

Does this command make sense, because I want to use dmz and not outside? 2.2.2.3 is from the DMZ subnet and not outside.

static (inside,outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

durale

Community Member

Re: pix vpn public dmz

Thank you very much, it works fine now. I just replaced

static (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

with

static (inside,outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

So now it works, but it doesn't sound logical!!

Why do I need to specify outside instead of dmz, because 2.2.2.3 is from the dmz interface and not outside? What's the logic?

Regards,

Alexandre

Hall of Fame Super Blue

Re: pix vpn public dmz

Hi Alexandre

I believe you are terminating the VPN on the outside interface of your firewall.

Your 2.2.2.3 is just a logical address, i.e. it doesn't correspond to a physical server, so traffic does not actually need to go to the DMZ. It actually just needs to go from the outside to the inside.

So once the traffic is decrypted the pix then sees that traffic destined for 2.2.2.3 should be natted to 10.5.10.28. Only after it has been natted does the pix then route the packet.

Hope this makes sense.

Jon

Green

Re: pix vpn public dmz

Jon,

Would this work if you had nat exemption set up for the vpn? For example if he had...

access-list nat0 extended permit ip 10.5.0.0 255.255.0.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list nat0

thanks

Hall of Fame Super Blue

Re: pix vpn public dmz

Hi Adam

You are very knowledgeable on firewalls, so if I have misunderstood the question please let me know.

Not really in this case, no. The problem is that he is not trying to present the internal server on its actual IP address.

If the other end of the VPN could route directly to 10.5.10.28 then yes, it would be fine, but they might have an IP address conflict at their end that requires the IP address to be presented as a public IP.

There are some large companies I have dealt with that insist that they will only route to public IP addresses, even down a VPN.

Jon

Green

Re: pix vpn public dmz

I must have gotten thrown off a bit here. It seemed to me like he was attempting to access the server's public IP over the VPN, my mistake.

What made me ask the question is I was attempting to get that working myself. For example, I have a VPN tunnel to a remote PIX. All traffic from the remote site goes over the tunnel to the main site ASA. I have a static in my ASA at my main site for a webserver, let's say.

static (dmz,outside) 1.1.1.1 192.168.1.1

Now, users at the remote site must access the server with 192.168.1.1; if they try 1.1.1.1 it doesn't work. I assumed it doesn't work because of the NAT exemption from 192.x.x.x to the remote site. Any ideas? Please enlighten me about this.. thanks.

So, as I was reading through this thread it seemed like this is what was going on, but I misunderstood.

The reason I would like them to use the public address is I would like them to use a CSS for their DNS server, which gives public addresses.

Hall of Fame Super Blue

Re: pix vpn public dmz

Adam

He is attempting to access the server on a public IP address down the VPN, as far as I can tell.

It does work, as we have used this many times where I work. I suspect you may be on the right lines about the NAT exemption. Can I ask why you are doing NAT exemption if you want them to access the server on its public IP?

You could always look at policy NAT just for the connection to that one public IP and then NAT exempt everything else, but without knowing the full details this might not be the right solution.

Jon

Green

Re: pix vpn public dmz

"Can I ask why you are doing NAT exemption if you want them to access the server on its public IP?"

Well, I guess that's a good question, isn't it, haha. I just got these CSSs, so the remote networks were always using an inside DNS server here supplying private addresses.

I will get rid of the exemption and give it a shot. I guess it boils down to this: they will be able to access by public or private and not by both at the same time, right?

I was also thinking about doing DNS doctoring, but I was trying to figure out if you can make that work based upon the source address of the request.

I also thought about doing destination NAT at the remote firewalls, but from a management standpoint that seems a little involved and more difficult to maintain.

Thanks Jon for the good conversation.
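The two points made above, Jon's order of operations (decrypt, then translate, then route, with a static bound to one interface pair only) and Adam's "public or private but not both" outcome, as an added Python model. This is not part of the thread and not Cisco code; the addresses and interface pairs are the ones posted in the thread, while Adam's remote site 192.168.50.0/24 and the host 192.168.50.10 are constructed values, and the reverse-path check follows the documented PIX/ASA 7.x NAT order of operation (NAT exemption is matched before static).

```python
"""Toy model of the PIX 7.x inbound path discussed in this thread: untranslate the
destination on the ingress interface, route, then check that the reverse flow would
match the same NAT rule.  Constructed for illustration; it is not Cisco code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Union


@dataclass(frozen=True)
class Static:
    """static (real_if,mapped_if) mapped real netmask 255.255.255.255"""
    real_if: str
    mapped_if: str
    mapped: str
    real: str


@dataclass(frozen=True)
class Exempt:
    """nat (real_if) 0 access-list <acl>, the ACL permitting real_net -> remote_net"""
    real_if: str
    real_net: str
    remote_net: str


@dataclass
class Pix:
    connected: dict                      # interface -> directly connected networks
    statics: list = field(default_factory=list)
    exemptions: list = field(default_factory=list)

    def route(self, dst: str) -> str:
        """Connected routes first; anything else follows the default route out 'outside'."""
        for ifname, nets in self.connected.items():
            if any(ip_address(dst) in ip_network(n) for n in nets):
                return ifname
        return "outside"

    def forward_rule(self, in_if: str, dst: str) -> Optional[Static]:
        """A static exists on one interface pair only: a packet arriving on in_if is
        untranslated only by a static whose mapped side is in_if."""
        for s in self.statics:
            if s.mapped_if == in_if and s.mapped == dst:
                return s
        return None

    def reverse_rule(self, real_if: str, real_src: str, remote: str) -> Union[Static, Exempt, None]:
        """Rule the reply (real host -> remote) would match; exemption is consulted
        before static, as in the documented PIX/ASA 7.x NAT order of operation."""
        for e in self.exemptions:
            if (e.real_if == real_if
                    and ip_address(real_src) in ip_network(e.real_net)
                    and ip_address(remote) in ip_network(e.remote_net)):
                return e
        for s in self.statics:
            if s.real_if == real_if and s.real == real_src:
                return s
        return None

    def inbound(self, in_if: str, src: str, dst: str) -> dict:
        """One packet (already decrypted if it came down the VPN) arriving on in_if."""
        fwd = self.forward_rule(in_if, dst)
        real_dst = fwd.real if fwd else dst          # translation happens before the route lookup
        out_if = self.route(real_dst)
        rev = self.reverse_rule(out_if, real_dst, src)
        # Forward and reverse flows must agree: a static one way and an exemption
        # (or no rule) the other way is asymmetric NAT and the connection is denied.
        built = (rev is None or isinstance(rev, Exempt)) if fwd is None else fwd == rev
        return {"dst": real_dst, "egress": out_if, "built": built}


def durale_pix(static_pair: str) -> Pix:
    """The original poster's topology; static_pair is 'dmz' or 'outside'."""
    return Pix(
        connected={"inside": ["10.5.10.0/24"], "dmz": ["2.2.2.0/27"], "outside": ["1.1.1.0/27"]},
        statics=[Static("inside", static_pair, "2.2.2.3", "10.5.10.28")],
    )


def adam_asa(with_exemption: bool) -> Pix:
    """Adam's main-site firewall; the remote site 192.168.50.0/24 is a constructed value."""
    return Pix(
        connected={"dmz": ["192.168.1.0/24"], "outside": ["1.1.1.0/27"]},
        statics=[Static("dmz", "outside", "1.1.1.1", "192.168.1.1")],
        exemptions=[Exempt("dmz", "192.168.1.0/24", "192.168.50.0/24")] if with_exemption else [],
    )


if __name__ == "__main__":
    for pair in ("dmz", "outside"):
        print(f"static (inside,{pair}):", durale_pix(pair).inbound("outside", "192.168.20.82", "2.2.2.3"))
    for exempt in (True, False):
        for target in ("1.1.1.1", "192.168.1.1"):
            print(f"exemption={exempt}, to {target}:", adam_asa(exempt).inbound("outside", "192.168.50.10", target))
```

With static (inside,dmz) the decrypted packet arriving on outside finds no translation, so 2.2.2.3 is routed to the DMZ where nothing answers, which is exactly the "to dmz:2.2.2.3/22" connection durale saw; with static (inside,outside) it is translated to 10.5.10.28 and routed inside. In Adam's case the exemption matches the reverse flow before the static does, so the public address fails while the private one works, and removing the exemption flips that. On a real PIX/ASA the asymmetric case is logged as a NAT reverse path failure (syslog 305013, "Asymmetric NAT rules matched for forward and reverse flows"), which is the message to look for when a connection through a static is being denied.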

Green

Re: pix vpn public dmz

Yup, that did it, thanks again jon.

Community Member

Re: pix vpn public dmz

I got your point! Thank you again for this explanation.

Now another question comes into my mind: I want to use this logical IP address 2.2.2.3 accessible via the DMZ.

If from the Internet I do a simple ping to 2.2.2.3, it fails. The packet doesn't even come through the PIX.

So do I need to specify:

global (dmz) 1 2.2.2.3 255.255.255.255

and then maybe something like that:

static (inside,dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

Alexandre

Hall of Fame Super Blue

Re: pix vpn public dmz

Hi Alexandre

Could you just clarify what you mean by accessible from the DMZ?

If you mean without a VPN then the public IP address, e.g. 2.2.2.3, must be routable to your PIX. If a ping is not even reaching the PIX then either the address range is not being routed to your PIX or something is blocking the ping further up.

Jon

Community Member

Re: pix vpn public dmz

Yes Jon, I meant without VPN. I can reach 2.2.2.2, which is the physical DMZ PIX interface, so that means my routing is OK. Do I need any other NAT rules or any other access-list? 2.2.2.3 is a logical IP address, and maybe that's the reason I can't ping it without VPN, because the logical one is not routable?

Alex

Hall of Fame Super Blue

Re: pix vpn public dmz

Hi Alex

No you should still be able to ping the IP address from the outside. The logical is still a routable address.

If you ping 2.2.2.3 on the internet the device pinging has no idea that 2.2.2.3 is not tied to a physical address but is used in NAT.

When you ping 2.2.2.3 you do still want the ping to go through to 10.5.10.28 right ?

Have you tried doing a traceroute to 2.2.2.3? This would show you if the packets are getting routed to the PIX - the last hop should be the router in front of your PIX.

If the routing to the 2.2.2.x subnet is working from the internet then there must be an issue with your config.

Perhaps you could post a copy of the config of your firewall minus any sensitive information.

HTH

Jon

Community Member

Re: pix vpn public dmz

Yes, I still want to NAT 2.2.2.3 to 10.5.10.28.

The thing is about routing first.

My default route is 1.1.1.1:

route outside 0.0.0.0 0.0.0.0 1.1.1.1

and 1.1.1.1 is routable through the Internet and knows about routing 2.2.2.2/27.

So let's take an example.

I ping from the Internet with my public IP address 8.8.8.8 to 2.2.2.2 (DMZ physical interface).

Then I get the message from the PIX saying:

No route to 8.8.8.8 from 2.2.2.2

But then if I add the static route, it works and I can ping from 8.8.8.8 to 2.2.2.2:

route dmz 8.8.8.8/32 2.2.2.4/27 (2.2.2.4 is the DMZ route next router in this range, like 1.1.1.1)

However, even if this route is in place I still can't ping 2.2.2.3 (the virtual one).

Secondly, why do I need to add this static route?

Regards,

Alexandre

Hall of Fame Super Blue

Re: pix vpn public dmz

Alex

You've got me a bit confused now :-).

What is the default route on your PIX?

Could you draw a topology plus send some configs, because I don't follow the route you added to the PIX, i.e. 8.8.8.8/23 2.2.2.4/24.

Is 2.2.2.4 the DMZ interface?

Jon
