https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959043#M938435 <HTML><HEAD></HEAD><BODY><P>Now looks like this:</P><P></P><P>access-list nonatinside line 1 permit ip host 192.168.0.45 host 10.1.5.12 (hitcnt=0) </P><P>access-list nonatinside line 2 permit ip host 192.168.0.43 host 10.112.249.58 (hitcnt=0) </P><P>access-list nonatinside line 3 permit ip host 192.168.0.43 host 10.118.1.10 (hitcnt=0) </P><P>access-list nonatinside line 4 permit ip host 192.168.0.43 host 10.118.1.13 (hitcnt=0) </P><P>access-list nonatinside line 5 deny ip host 192.168.0.41 host 10.3.1.133 (hitcnt=1)</P><P></P><P>This show the other three vpn connections I have.</P><P></P><P>It does now seem to be trying, in that the deny line has a hit count. But I have debugging on and nothing.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 01 May 2008 13:32:59 GMT bertie_uk 2008-05-01T13:32:59Z https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959035#M938427 <P>I have a PIX 515E with three VPN tunnels already set up and working fine. They are all configured with no nat (i.e nat (dmz) 0 access-list nonatinside)</P><P></P><P>I have a fourth VPN to set up, but they already use the same internal IP address (192.168.0.x) and request that my internal host appears as 192.168.20.1</P><P></P><P>How can I set this up without breaking my existing tunnels? I followed the overlapping configuration example, but not exactly what I'm trying to do.</P><P></P><P>access-list nonatinside permit ip host 192.168.0.41 host 10.3.1.133</P><P>access-list vpn4 permit ip host 192.168.0.41 host 10.3.1.133</P><P>sysopt connection permit-ipsec</P><P>crypto ipsec transform-set vpn4-set esp-3des esp-md5-hmac</P><P>crypto map vpnmap 40 ipsec-isakmp</P><P>crypto map vpnmap 40 match address vpn4</P><P>crypto map vpnmap 40 set peer x.x.x.x</P><P>crypto map vpnmap 40 set transform-set vpn4-set</P><P>crypto map vpnmap interface outside</P><P>isakmp enable outside</P><P>isakmp identity address</P><P>isakmp nat-traversal 20</P><P>isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode</P><P>isakmp policy 20 authentication pre-share</P><P>isakmp policy 20 encryption 3des</P><P>isakmp policy 20 hash md5</P><P>isakmp policy 20 group 2</P><P>isakmp policy 20 lifetime 86400</P><P></P><P>My host is 192.168.0.41 but as I say, I need it to appear at the other end as 192.168.20.1</P><P></P><P>Huge thanks in advance</P><P></P><P>Bertie</P> Mon, 11 Mar 2019 12:38:47 GMT https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959035#M938427 bertie_uk 2019-03-11T12:38:47Z https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959036#M938428 <HTML><HEAD></HEAD><BODY><P>Something like this should do the trick....</P><P></P><P>access-list vpn_nat permit ip host 192.168.0.41 192.168.0.0 255.255.255.0</P><P>access-list vpn5 permit ip host 192.168.20.1 192.168.0.0 255.255.255.0</P><P>static (inside,outside) 192.168.20.1 access-list vpn_nat</P><P>crypto map vpnmap 60 match address vpn5</P><P></P><P></P></BODY></HTML> Wed, 30 Apr 2008 15:05:59 GMT https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959036#M938428 acomiskey 2008-04-30T15:05:59Z https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959037#M938429 <HTML><HEAD></HEAD><BODY><P>acomiskey </P><P></P><P>Thanks for the reply, am still struggling...</P><P></P><P>I removed the lines:</P><P>access-list nonatinside permit ip host 192.168.0.41 host 10.3.1.133</P><P>access-list vpn4 permit ip host 192.168.0.41 host 10.3.1.133</P><P>crypto map vpnmap 40 ipsec-isakmp</P><P>crypto map vpnmap 40 match address vpn4</P><P>crypto map vpnmap 40 set peer x.x.x.x</P><P>crypto map vpnmap 40 set transform-set vpn4-set</P><P></P><P>And replaced with your suggestion, completing the crypto map section.</P><P></P><P>Just now the vpn tunnel doesn't seem to be starting when I access 10.3.1.133 from 192.168.0.41 server.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 01 May 2008 08:54:58 GMT https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959037#M938429 bertie_uk 2008-05-01T08:54:58Z https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959038#M938430 <HTML><HEAD></HEAD><BODY><P>Sorry, thought the other end of the tunnel was 192.168.0.0. Try this...</P><P></P><P>access-list vpn_nat permit ip host 192.168.0.41 host 10.3.1.133 </P><P>access-list vpn4 permit ip host 192.168.20.1 host 10.3.1.133</P><P>static (inside,outside) 192.168.20.1 access-list vpn_nat </P><P>crypto map vpnmap 40 ipsec-isakmp </P><P>crypto map vpnmap 40 match address vpn4 </P><P>crypto map vpnmap 40 set peer x.x.x.x </P><P>crypto map vpnmap 40 set transform-set vpn4-set </P><P></P><P></P></BODY></HTML> Thu, 01 May 2008 12:07:17 GMT https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959038#M938430 acomiskey 2008-05-01T12:07:17Z https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959039#M938431 <HTML><HEAD></HEAD><BODY><P>thanks again</P><P></P><P>Made those changes but the tunnel is still not being kicked off.</P><P></P><P>Should say, my software version is PIX Version 6.3(4)</P><P></P><P>Thanks</P></BODY></HTML> Thu, 01 May 2008 12:33:42 GMT https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959039#M938431 bertie_uk 2008-05-01T12:33:42Z https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959040#M938432 <HTML><HEAD></HEAD><BODY><P>Could you verify with a show xlate that the inside host is translating to 192.168.20.1?</P></BODY></HTML> Thu, 01 May 2008 12:43:03 GMT https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959040#M938432 acomiskey 2008-05-01T12:43:03Z https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959041#M938433 <HTML><HEAD></HEAD><BODY><P>No, the only translation is to an external address.</P><P></P><P>The only difference is I'm using a dmz interfance, not inside. </P><P></P><P>Could these lines be conflicting?:</P><P>nat (dmz) 0 access-list nonatinside</P><P>nat (dmz) 1 192.168.0.0 255.255.255.0 0 0</P><P></P><P>But these are required for the other VPN connections and local access.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 01 May 2008 13:02:57 GMT https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959041#M938433 bertie_uk 2008-05-01T13:02:57Z https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959042#M938434 <HTML><HEAD></HEAD><BODY><P>Ok, so what does your nonatinside acl look like? You should be able to do something like this...</P><P></P><P>access-list nonatinside deny ip host 192.168.0.41 host 10.3.1.133</P><P>access-list nonatinside permit ip .(whatever your existing acl is)</P><P></P><P>Then...</P><P></P><P>access-list vpn_nat permit ip host 192.168.0.41 host 10.3.1.133 </P><P>access-list vpn4 permit ip host 192.168.20.1 host 10.3.1.133 </P><P>static (dmz,outside) 192.168.20.1 access-list vpn_nat </P><P>crypto map vpnmap 40 ipsec-isakmp </P><P>crypto map vpnmap 40 match address vpn4 </P><P>crypto map vpnmap 40 set peer x.x.x.x </P><P>crypto map vpnmap 40 set transform-set vpn4-set </P></BODY></HTML> Thu, 01 May 2008 13:12:18 GMT https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959042#M938434 acomiskey 2008-05-01T13:12:18Z https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959043#M938435 <HTML><HEAD></HEAD><BODY><P>Now looks like this:</P><P></P><P>access-list nonatinside line 1 permit ip host 192.168.0.45 host 10.1.5.12 (hitcnt=0) </P><P>access-list nonatinside line 2 permit ip host 192.168.0.43 host 10.112.249.58 (hitcnt=0) </P><P>access-list nonatinside line 3 permit ip host 192.168.0.43 host 10.118.1.10 (hitcnt=0) </P><P>access-list nonatinside line 4 permit ip host 192.168.0.43 host 10.118.1.13 (hitcnt=0) </P><P>access-list nonatinside line 5 deny ip host 192.168.0.41 host 10.3.1.133 (hitcnt=1)</P><P></P><P>This show the other three vpn connections I have.</P><P></P><P>It does now seem to be trying, in that the deny line has a hit count. But I have debugging on and nothing.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 01 May 2008 13:32:59 GMT https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959043#M938435 bertie_uk 2008-05-01T13:32:59Z https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959044#M938436 <HTML><HEAD></HEAD><BODY><P>Could you post a more complete config?</P></BODY></HTML> Thu, 01 May 2008 13:35:53 GMT https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959044#M938436 acomiskey 2008-05-01T13:35:53Z https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959045#M938437 <HTML><HEAD></HEAD><BODY><P>email me at <A href="mailto:richard@teamnetsol.com">richard@teamnetsol.com</A> and i'll reply with the full config</P><P></P><P>thanks for the assistance</P><P></P><P></P></BODY></HTML> Thu, 01 May 2008 13:39:26 GMT https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959045#M938437 bertie_uk 2008-05-01T13:39:26Z https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959046#M938438 <HTML><HEAD></HEAD><BODY><P>access-list vpn4_nat permit ip host 192.168.0.41 host 10.3.1.133</P><P>access-list policy_nat permit ip host 192.168.0.41 any</P><P>no static (dmz,outside) 85.x.x.x 192.168.0.41 netmask 255.255.255.255</P><P>static (dmz,outside) 192.168.20.1 access-list vpn4_nat</P><P>static (dmz,outside) 85.x.x.x access-list policy_nat</P><P>clear xlate</P><P></P><P>So what this does is create 2 policy nat statements. If 192.168.0.41</P><P>accesses 10.3.1.133 it will be translated to 192.168.20.1. If 192.168.0.41</P><P>goes anywhere else, it will be translated to 85.x.x.x. When you do a "show</P><P>xlate" you should see both translations.</P><P></P><P>I'm not sure if this is best practice or the only way to accomplish this,</P><P>but I think it will work.</P></BODY></HTML> Thu, 01 May 2008 14:58:37 GMT https://community.cisco.com/t5/network-security/pix515-vpn-with-specific-internal-ip-nat/m-p/959046#M938438 acomiskey 2008-05-01T14:58:37Z