Pix l2l vpn with port forward

uwantknow
Level 1

I would like to form a VPN between a Cisco PIX 515 and a WatchGuard 1250e.

For certain reasons, I would like to route port 80 and 443 traffic via the WatchGuard to access the internet.

I succeeded in making a zero route (routing all traffic via the WatchGuard to access the internet). But I get a problem when I modify the access list to cover only ports 80 and 443.

For the detailed configuration:

pix 515:

External IP: 10.2.3.240

Internal IP: 192.168.0.254

VPN access-list:

access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 172.18.0.0 255.255.255.0

access-list no-nat extended permit tcp 192.168.0.0 255.255.255.0 any eq 80

access-list no-nat extended permit tcp 192.168.0.0 255.255.255.0 any eq 443

access-list outside_20_crypto permit ip 192.168.0.0 255.255.255.0 172.18.0.0 255.255.255.0

access-list outside_20_crypto extended permit tcp 192.168.0.0 255.255.255.0 any eq 80

access-list outside_20_crypto extended permit tcp 192.168.0.0 255.255.255.0 any eq 443

nat (inside) 0 access-list no-nat

Watchguard 1250e

External IP: 10.2.3.239

Internal IP: 172.18.0.254

NAT:

local: 0.0.0.0/0

Remote: 192.168.0.0/24

From the log, it is found that the connection from inside (PIX) to outside (Internet) is not being NATed.

I would like to ask whether anyone has had the same problem or not. Thanks!
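The posted access lists are easy to misread, so here is an added example (not from the original post or from Cisco) that parses those six lines exactly as written and classifies sample inside-to-outside flows the way a PIX would: does the flow match the crypto-map ACL (encrypt into the tunnel), does it match the nat 0 ACL (exempt from translation), and if neither, is there an ordinary dynamic NAT rule for it. The configuration as posted contains no `nat (inside) 1` / `global (outside) 1 interface` pair, so the model's `dynamic_nat` argument defaults to empty; the sample flows, the hypothetical outside host 203.0.113.5 and the `dynamic_nat` parameter are constructed for the example.

```python
"""Model of how a PIX sorts an outbound flow against a crypto-map ACL and a
nat 0 (NAT-exemption) ACL.  Added example; the ACL text is copied from the
post, everything else is an assumption made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The six access-list lines exactly as they appear in the original post.
POSTED_ACLS = """
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 172.18.0.0 255.255.255.0
access-list no-nat extended permit tcp 192.168.0.0 255.255.255.0 any eq 80
access-list no-nat extended permit tcp 192.168.0.0 255.255.255.0 any eq 443
access-list outside_20_crypto permit ip 192.168.0.0 255.255.255.0 172.18.0.0 255.255.255.0
access-list outside_20_crypto extended permit tcp 192.168.0.0 255.255.255.0 any eq 80
access-list outside_20_crypto extended permit tcp 192.168.0.0 255.255.255.0 any eq 443
"""


@dataclass(frozen=True)
class Ace:
    proto: str                      # "ip" matches every protocol, otherwise "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None when the line carries no "eq PORT"


def _network(tokens):
    """Consume 'any' or 'ADDR MASK' from the token list (PIX masks are netmasks, not wildcards)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acls(text):
    """Parse 'access-list NAME [extended] permit PROTO SRC DST [eq PORT]' lines.
    Returns {acl_name: [Ace, ...]} preserving line order (first match wins)."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            raise ValueError(f"not an access-list line: {line!r}")
        name, rest = tok[1], tok[2:]
        if rest and rest[0] == "extended":      # keyword is optional, as line 4 of the post shows
            rest = rest[1:]
        if rest[0] != "permit":
            raise ValueError(f"only permit entries are modelled: {line!r}")
        proto = rest[1]
        src, rest = _network(rest[2:])
        dst, rest = _network(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        acls.setdefault(name, []).append(Ace(proto, src, dst, dport))
    return acls


def ace_matches(ace, proto, src, dst, dport):
    """A flow hits the ACE if protocol, both addresses and (when given) the destination port agree."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if src not in ace.src or dst not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def classify_flow(acls, proto, src, dst, dport, dynamic_nat=()):
    """Return (path, translation) for an inside->outside flow.

    dynamic_nat lists networks covered by an ordinary 'nat (inside) 1 ...' rule paired
    with 'global (outside) 1 interface'.  The posted configuration has none, so the
    default is empty, which is the case that produces 'no translation rule'."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    in_crypto = any(ace_matches(a, proto, src_ip, dst_ip, dport) for a in acls["outside_20_crypto"])
    in_nat0 = any(ace_matches(a, proto, src_ip, dst_ip, dport) for a in acls["no-nat"])
    path = "tunnel" if in_crypto else "clear-text"
    if in_nat0:
        translation = "exempt (nat 0)"
    elif any(src_ip in ipaddress.IPv4Network(n) for n in dynamic_nat):
        translation = "PAT to outside interface"
    else:
        translation = "no translation rule"
    return path, translation


ACLS = parse_acls(POSTED_ACLS)

if __name__ == "__main__":
    # Constructed sample flows: 203.0.113.5 is a hypothetical internet host.
    for flow in [("tcp", "192.168.0.10", "203.0.113.5", 443),
                 ("tcp", "192.168.0.10", "203.0.113.5", 22),
                 ("udp", "192.168.0.10", "203.0.113.5", 443),
                 ("tcp", "192.168.0.10", "172.18.0.5", 22)]:
        print(flow, "->", classify_flow(ACLS, *flow))
        print(flow, "with nat (inside) 1 ->", classify_flow(ACLS, *flow, dynamic_nat=["192.168.0.0/24"]))
```

Running it shows why the port-specific lists behave differently from the earlier "zero route" test: TCP 80/443 and anything bound for 172.18.0.0/24 match both lists and leave untranslated through the tunnel, while TCP 22, TCP 8080 and even UDP 443 match neither list and are sent clear-text without any translation unless a separate dynamic NAT rule covers 192.168.0.0/24. The nat 0 list mirrors the crypto list on purpose: on the PIX, translation is applied before the crypto map is consulted, so tunnel traffic must be exempted or it would be matched against the crypto ACL with the outside interface address as its source.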


husycisco
Level 7

Hello Kin Wo,

First of all, I want you to know that specifying port statements in network-statement ACLs, such as NAT ACLs, slightly degrades the performance of Cisco firewalls, since they are not primarily routers. I assume you already got that warning in the CLI when you issued the port statements.

Second, before the default route (with a lower metric than the default route), you should issue a route for the peer IP of the remote site to your ISP; then, with a higher metric, you can specify a default route to the remote site.

Third, the WatchGuard side should add the 192.168.0.0 network to "their" NAT statement for internet connectivity.

Regards

hi husycisco,

Thanks for your reply. I would like to make this lab clearer. Actually, it is a test lab to simulate the real network before I roll it out.

Firstly, for the test lab, the PIX and WatchGuard firewalls are connected on the same network, but the real network will be different (at least, there will be a few routers between the two sites).

Secondly, I had tried to form a VPN with a zero route (which means routing all traffic) and it succeeded. All the traffic from the PIX side was redirected to the remote site (WatchGuard) through the VPN tunnel instead of directly accessing the internet.

Finally, I found that when I used the above configuration, traffic other than 80 and 443 failed to go through the PIX outside interface (such as port 22, 8080, etc.).

From the PIX log, it seems that packets from inside to outside have not been translated (NAT) to the PIX external interface IP before being sent out.

Thanks!

Kinwo

"All the traffic from the PIX side was redirected to the remote site (WatchGuard) through the VPN tunnel instead of directly accessing the internet."

and

"traffic other than 80 and 443 failed to go through the PIX outside interface (such as port 22, 8080, etc.)."

You pointed the PIX to route all traffic to the remote site, so you cannot expect traffic other than 80 and 443 to be forwarded to the ISP via the PIX outside interface. What you want in this case is possible with PBR (Policy Based Routing), which the ASA does not support.

Regards
