Question regarding Cisco VPN document

jeff6strings
Level 1

In reading Cisco document 99122 (link below) regarding the Site-to-Site (L2L) IPsec VPN with Policy NAT Configuration Example, I'm confused by the access list on PIX A: "access-list new extended permit ip 172.18.1.0 255.255.255.0 10.1.0.0 255.255.255.0". I would appreciate clarification of this access list, as I see it translating traffic destined to 10.1.0.0 as coming from IP address (or network) 172.18.1.0. I'm just having a tough time grasping all the NAT types in conjunction with VPN.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Thanks for any help.

Jeff

Accepted Solution

rizwanr74
Level 7

To the PIX-B firewall it appears as if the remote VPN tunnel peer's (i.e. PIX-A's) remote LAN segment is "172.18.1.0 255.255.255.0", but in reality that is not the case. As you can see, the actual LAN segment behind PIX-A is "192.168.1.0/24"; basically you fool PIX-B into thinking that the remote LAN segment is "172.18.1.0 255.255.255.0". That happens due to the policy NAT shown below.

access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0

static (inside,outside) 172.18.1.0 access-list policy-nat

This policy NAT says: if users from "192.168.1.0 255.255.255.0" need to access "10.1.0.0 255.255.255.0", which is located behind PIX-B, make the users appear as if they come from "172.18.1.0 255.255.255.0". Policy NAT does that.

This may be a case where a duplicate LAN segment, "192.168.1.0 255.255.255.0", already exists on the PIX-B side.

Hope that answers your question.

Thanks

Rizwan Rafeek

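The order of operations Rizwan describes (policy NAT first, then the crypto map ACL evaluated on the translated source) is what makes the crypto ACL "new" reference 172.18.1.0 rather than 192.168.1.0. The following is an added example, not part of the original thread or the Cisco document: a small Python model of PIX-A's policy static and crypto ACL using exactly the three lines quoted on this page. It also shows what goes wrong if the crypto ACL names the real 192.168.1.0/24 instead, why a translated range avoids the overlapping-LAN problem Rizwan suspects on the PIX-B side, and the return path. Everything else is an assumption for illustration: the host addresses 192.168.1.10 and 10.1.0.5, the non-VPN destination 192.0.2.7, the mirror-image crypto ACL on PIX-B, and the simplification that no other NAT rule (nat 0, global PAT) applies to the flows shown.

```python
"""Model of PIX-A's policy NAT + crypto ACL interaction (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def pix_net(spec: str) -> ipaddress.IPv4Network:
    """Parse PIX-style 'address mask' (e.g. '172.18.1.0 255.255.255.0')."""
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <mask> <dst> <mask>' line of an extended access list."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        return s in self.src and d in self.dst


@dataclass
class PolicyStatic:
    """'static (inside,outside) <mapped> access-list <acl>': net-to-net translation
    that fires only when the packet matches the policy ACL."""
    mapped: ipaddress.IPv4Network
    acl: List[AclEntry]

    def translate(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
        for e in self.acl:
            if e.matches(s, d):
                # static net-to-net NAT preserves the host offset inside the /24
                offset = int(s) - int(e.src.network_address)
                return ipaddress.IPv4Address(int(self.mapped.network_address) + offset)
        return None  # no policy-NAT match: the source address is left alone

    def untranslate(self, mapped_dst: ipaddress.IPv4Address, peer_src: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
        """Return traffic arriving on the outside: map 172.18.1.x back to the real host."""
        if mapped_dst not in self.mapped:
            return None
        for e in self.acl:
            if peer_src in e.dst:  # only the peer named in the policy ACL may reach the mapped range
                offset = int(mapped_dst) - int(self.mapped.network_address)
                return ipaddress.IPv4Address(int(e.src.network_address) + offset)
        return None


# The three PIX-A lines quoted in the thread:
#   access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
#   static (inside,outside) 172.18.1.0 access-list policy-nat
#   access-list new extended permit ip 172.18.1.0 255.255.255.0 10.1.0.0 255.255.255.0
POLICY_NAT_ACL = [AclEntry(pix_net("192.168.1.0 255.255.255.0"), pix_net("10.1.0.0 255.255.255.0"))]
STATIC_172 = PolicyStatic(pix_net("172.18.1.0 255.255.255.0"), POLICY_NAT_ACL)
CRYPTO_ACL_NEW = [AclEntry(pix_net("172.18.1.0 255.255.255.0"), pix_net("10.1.0.0 255.255.255.0"))]
# The crypto ACL one might expect if NAT were ignored; used only to show why it fails (constructed):
CRYPTO_ACL_WRONG = [AclEntry(pix_net("192.168.1.0 255.255.255.0"), pix_net("10.1.0.0 255.255.255.0"))]
# Assumed mirror-image crypto ACL on PIX-B (not shown on the page):
PIX_B_CRYPTO_ACL = [AclEntry(pix_net("10.1.0.0 255.255.255.0"), pix_net("172.18.1.0 255.255.255.0"))]


def pix_a_outbound(src: str, dst: str, crypto_acl: List[AclEntry] = CRYPTO_ACL_NEW) -> Dict[str, object]:
    """Inside -> outside on PIX-A: NAT runs first, then the crypto map ACL is checked
    against the *translated* source, so the ACL must name 172.18.1.0/24."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mapped = STATIC_172.translate(s, d)
    post_nat = mapped if mapped is not None else s
    encrypted = any(e.matches(post_nat, d) for e in crypto_acl)
    return {"post_nat_src": str(post_nat), "encrypted": encrypted}


def pix_b_return_encrypted(src: str, dst: str) -> bool:
    """PIX-B only ever sees 172.18.1.x as the remote LAN; its crypto ACL must match that."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(e.matches(s, d) for e in PIX_B_CRYPTO_ACL)


def acls_are_mirror(a: List[AclEntry], b: List[AclEntry]) -> bool:
    """Crypto ACLs on the two peers must be exact mirror images of each other."""
    return {(e.src, e.dst) for e in a} == {(e.dst, e.src) for e in b}


def remote_lan_usable(remote: ipaddress.IPv4Network, local_nets: List[ipaddress.IPv4Network]) -> bool:
    """A remote LAN that overlaps a local segment cannot be routed into the tunnel;
    advertising a translated range instead sidesteps the overlap."""
    return not any(remote.overlaps(n) for n in local_nets)
```

Run through the model, a 192.168.1.10 host talking to 10.1.0.5 leaves PIX-A as 172.18.1.10 and is encrypted; with the "wrong" crypto ACL the post-NAT packet matches nothing and goes out in the clear, which is the failure mode behind the question. If PIX-B really does have its own 192.168.1.0/24, `remote_lan_usable` shows that only the translated 172.18.1.0/24 can be accepted as the remote network.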

3 Replies


Rizwan, thank you for the reply. It would be great if there were a book or tech document showing simple examples, like the one you provided, of all the different NAT types and their relation to VPN, as many of the Cisco docs can get too involved or blurry with the examples or lack explanations.

Thanks again,

Jeff

rizwanr74
Level 7

Please rate the post if it was helpful.

Thanks