Cisco PIX 515E Access List, NAT, and VPN Issue

eric_hanke
Level 1

I recently inherited management of a Cisco PIX 515E Firewall running IOS version 6.1(4). The PIX has very broad ACLs for NAT.

They include:

access-list ipsec permit ip 10.2.1.0 255.255.255.0 10.10.100.0 255.255.254.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 10.10.100.0 255.255.254.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 10.10.102.0 255.255.254.0
access-list nonat permit ip 10.2.4.0 255.255.255.0 10.10.102.0 255.255.254.0
access-list bcvpn permit ip 10.2.1.0 255.255.255.0 10.10.102.0 255.255.254.0
access-list bcvpn permit ip 10.2.4.0 255.255.255.0 10.10.102.0 255.255.254.0

nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0

The PIX already has two IPSEC VPNs created. One “matches” access-list ipsec, the other access-list bcvpn.

The problem I am running into is that I need to create an additional VPN with another site that uses a 10.1.0.0 /16 network. When I add my access-list for NAT and “match” I lose all connectivity to the PIX, even from the outside using SSH.

The access-list entries I am adding are:

access-list TPIMilford permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.97.0 255.255.255.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.97.0 255.255.255.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0

Do I need to modify “nat (inside) 1 10.0.0.0 255.0.0.0”?

Thanks in advance,

Eric Hanke

5 Replies

ariesc_33
Level 1

Hi, yes, I think you answered your own question. If you look at the NAT statement, the FW will check first on IP networks that are not going to be NATted (nonat). Another thing: the last ACL above will confuse your routing. Are the following segments not in use on your internal network?

10.1.0.0/16

10.2.0.0/16

10.3.0.0/16

If yes, you can modify your NAT to

nat (inside) 1 10.4.0.0 255.252.0.0 0 0

Thank you for the reply.

In order to avoid losing access to the PIX (it's approximately 300 miles away), I need to confirm the order of commands:

The 10.2.0.0/24 network is inside the PIX:

ip address inside 10.2.1.1 255.255.255.0

Here are the steps as I see them:

Delete the vague NAT entry:

no nat (inside) 1 10.0.0.0 255.0.0.0
nat (inside) 1 10.2.0.0 255.255.255.0

then complete with:

access-list TPIMilford permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.97.0 255.255.255.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.97.0 255.255.255.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0

nat (inside) 0 access-list nonat

isakmp key TPICisco address *.*.*.* netmask 255.255.255.255
isakmp key TPICisco address *.*.*.* netmask 255.255.255.255

crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address TPIMilford
crypto map transam 3 set peer 12.39.0.68
crypto map transam 3 set transform-set CISCOPIX
crypto map transam 4 ipsec-isakmp
crypto map transam 4 match address TPIGAP
crypto map transam 4 set peer 209.120.251.34
crypto map transam 4 set transform-set CISCOPIX

ssh 72.2.145.240 255.255.255.0 outside
ssh 209.120.251.59 255.255.255.0 outside

crypto ipsec transform-set dbtrans esp-des esp-md5-hmac

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2

Thanks for the assistance. I just need to be sure of the order of everything so I don't lose access to the device.

***EDIT***

Is it recommended that I clear XLATE or clear ARP during this process?

Eric Hanke

Hi Eric,

On which interfaces are these ACLs applied:

access-list TPIMilford permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.97.0 255.255.255.0

And in what direction (inbound/outbound)?

As I'm afraid there is something wrong with your traffic ACLs.

Cheers,

These ACLs are used to "match" traffic for the VPNs:

crypto map transam 3 match address TPIMilford
access-list TPIMilford permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0

crypto map transam 4 match address TPIGAP
access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list TPIGAP permit ip 10.2.1.0 255.255.255.0 192.168.97.0 255.255.255.0

"no nat (inside) 1 10.0.0.0 255.0.0.0
nat (inside) 1 10.2.0.0 255.255.255.0"

The second line has to have a 255.255.0.0 mask.

"Is it recommended that I clear XLATE or clear ARP during this process???"

No need to clear xlate.
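Two of the points raised in this thread, whether a replacement nat (inside) 1 statement still covers the inside interface subnet and which remote VPN/nonat networks fall inside the 10.0.0.0/8 NAT range, can be checked offline before pushing config to a box 300 miles away. This is an added example (Python, not Cisco code or anything from the posters); the config lines are constructed from the thread and the function names are mine.

```python
import ipaddress
import re

# Config lines constructed from the thread (added example, not Cisco code).
PIX_CONFIG = """\
ip address inside 10.2.1.1 255.255.255.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 10.10.100.0 255.255.254.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list TPIMilford permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
""".splitlines()

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"access-list (\S+) permit ip {IPV4} {IPV4} {IPV4} {IPV4}")
NAT_RE = re.compile(rf"nat \((\S+)\) (\d+) {IPV4} {IPV4}")  # 'nat ... 0 access-list' is skipped
IP_RE = re.compile(rf"ip address (\S+) {IPV4} {IPV4}")

def net(addr, mask):
    # PIX uses real netmasks, not wildcards; strict=False accepts a host address.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(lines):
    """Collect ACL (src, dst) pairs, 'nat (if) N' source ranges and interface subnets."""
    acls, nats, ifaces = {}, {}, {}
    for line in lines:
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT_RE.match(line):
            nats[(m[1], int(m[2]))] = net(m[3], m[4])
        elif m := IP_RE.match(line):
            ifaces[m[1]] = net(m[2], m[3])
    return acls, nats, ifaces

def nat_covers_inside(lines, proposed_nat1):
    """Check 1: does a proposed 'nat (inside) 1 <net> <mask>' still cover the inside subnet?"""
    _, _, ifaces = parse(lines)
    return ifaces["inside"].subnet_of(net(*proposed_nat1.split()))

def remote_nets_in_nat_range(lines, nat1=None):
    """Check 2: remote (destination) networks of every ACL that overlap the nat-1 source range."""
    acls, nats, _ = parse(lines)
    rng = net(*nat1.split()) if nat1 else nats[("inside", 1)]
    hits = {str(dst) for entries in acls.values() for _src, dst in entries if dst.overlaps(rng)}
    return sorted(hits)
```

Run against the thread's config, check 1 flags the proposed `nat (inside) 1 10.2.0.0 255.255.255.0` (it does not contain 10.2.1.0/24, which is the mask correction in the last reply), and check 2 shows that both 10.1.0.0/16 and 10.10.100.0/23 sit inside the original 10.0.0.0/8 NAT range while a 10.2.0.0/16 range overlaps none of the remote networks.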
