Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Pix IPsec policy NAT

Hello All,

I have the following scenario:

Pix version 6.3(3)

DMZ interface with a private network (192.168.250.0/24) with some server configured static NATs to be accessible from the outside.

Outside interface with public IPs

I have to establish a lan-to-lan tunnel with a customer so he can access our DMZ. Our problem, is that the customer has our same private network. I'm trying to solve this problem with policy NAT. However, I can reach the customer DMZ while the customer is unable to reach our DMZ. In the past I solved this problem with route-maps on Cisco routers. Is it possible to solve this scenario with a PIX without modifying our network? How?

Thanks in advance.

8 REPLIES
Hall of Fame Super Blue

Re: Pix IPsec policy NAT

Hi

When you say you can each his DMZ do you mean you can establish full connectivity ?

It's a little confusing. If your source addresses are in the same range as the customer network then you hsould not be able to get to them. Couple of questions

1) Are you establishing connectivity from your DMZ to the other DMZ.

2) If you are what are the source IP addresses.

If they are in the 192.168.250.x range then this shouldn't work even from your DMZ to theirs. If they are using their Natted public IP address when they connect then just point the customer to the public IP addresses assuming they want to get to the same servers.

Policy NAT won't really help here. If the source IP address is 192.168.250.10 for example and this packet goes to the customer device when the server at the other end tries to respond it believes that the 192.168.250.10 machines is on the local network.

Could you fill in a few of the details

Jon

Community Member

Re: Pix IPsec policy NAT

Yes, I can reach without any problem the customer DMZ doing policy NAT.

I change my DMZ network for a different private network doing policy NAT, for example to 192.168.20.x. However, the traffic initiated by the customer doesn't reach my DMZ because the policy NAT only works for outgoing traffic.

Community Member

Re: Pix IPsec policy NAT

Sorry, I realized that my explanation was not totally accurate. The DMZ customer is not the same network as my DMZ. However, the customer has my network on another interface. Something like this:

My PIX

Outside: Public network

DMZ: 192.168.250.1/24

Customer Device

Outside: Public network.

Inside: 192.168.250.1/24

DMZ: 192.168.0.1/24

We have to establish a tunnel Lan-to-Lan from their DMZ to our DMZ. Is it possible to do it modifying only my Pix?

Hall of Fame Super Blue

Re: Pix IPsec policy NAT

Hi David

You need to present your 192.168.250.x addresses that the customer wants to reach as different addresses to the customer or it will never work.

In answer to your question, yes you can do the NAT on just your end. You just need to make sure that whatever addresses you choose do not conflict with any at the customer site.

But unfortunately the customer will have to update their IPSEC settings. So for example say the customer wanted access to 192.168.250.10/11/12 at your end. Lets say you present these as 172.16.250.10/11/12 to the customer. They will still have to modofy their IPSEC settings that defines the interesting traffic, in cisco terms the crypto access-lists. And you would need to modify yours as well to reflect the new 172.16.250.x addresses.

If you are already natting the 192.168.250.x addresses then as long as they don't conflict with any customer addresses you can use these.

Does this make sense ?

Jon

Community Member

Re: Pix IPsec policy NAT

Yes, it makes sense. As I said I'm already doing it. I'm policy natting my network to reach the customer (the IPsec is properly configured) and I can reach the customer. However, when the customer initiates the traffic the NAT doesn't work and I don't know how to do it. My NAT configuration is something like:

access-list CUST1_NAT permit ip host 192.168.250.42 host 192.168.0.0 255.255.255.0

static (inside,outside) 172.20.250.42 access-list CUST1_NAT

With this configuration the NAT only occurs when I start the traffic (it has sense because of the ACL).

Thanks for your time and help.

Hall of Fame Super Blue

Re: Pix IPsec policy NAT

David

Yes it will only work when you initiate the traffic because that static is only created due to it matching the access-list.

If you want the customer to be able to initiate traffic you will have to setup a permanent static translation rather than the policy NAT you have setup.

Is there some reason you cannot do this ?

Jon

Community Member

Re: Pix IPsec policy NAT

I can not do static translations because I already have static translations so the servers can be accessed from the outside.

On cisco routers I solved this problem with NAT and route-maps but I'm a bit disappointed because I'm not being able to solve this scenario with a Pix firewall.

Thanks.

Community Member

Re: Pix IPsec policy NAT

I forgot it. I can not use the current static NATs for the tunnel because the customer assigned us a network for our side.

170
Views
0
Helpful
8
Replies
CreatePlease to create content