Re: PIX 501 problem

albatech · ‎06-09-2003

Hi, I have a question....

Is it possible to configure NAT + Vpn?

I read

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

but i can't understand how it works.

If it is possible can you give me an example of a working configuration?

j.cusick · ‎06-10-2003

Sure.

We will use internal network 192.168.0.x 255.255.255.0

We will use other networks as 172.16.x.x 255.255.0.0

Are you looking to run a point to point VPN or a VPN group? You will need your global range or interface to allow the inside traffic to nat out.

i.e. global (outside) 1 interface (PAT)

or global (outside) 1 x.x.x.x - x.x.x.x (This being a range of IP's)

You will then need to associate the NAT statement with the global

nat (inside) 1 0.0.0.0 0.0.0.0 (this will NAT everyone)

or nat (inside) 1 192.168.0.1 (for a one to one)

For a point to point VPN you will want to configure you CRYPTO MAP and YOUR ISAKMP.

Once this is complete you will need to create you access-list to allow the interesting traffic to traverse the tunnel

i.e. access-list 100 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

and access-list 101 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

You will then need a nat statement as follows. This tells the traffic designated in the access not to NAT but to use the tunnel.

nat (inside) 0 access-list 100

You will apply the second access-list to crypto-map match address 101

i.e. crypto map (map name) 10 match address 101

Lastly you will need to add the crypto map to the interface with

crypto map (mapname) interface outside

Let me know how you are looking to configure your VPN and I can give you more detail.

albatech · ‎06-10-2003

This is my conf and don't work....

Result of PIX command: "show crypto isakmp sa"

Total : 1

Embryonic : 1

dst src state pending created

x.x.177.10 x.x.100.50 MM_KEY_EXCH 0 0

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password encrypted

passwd encrypted

hostname

domain-name

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list inside_access_in permit tcp x.x.10.0 255.255.255.0 any range ftp-data smtp

access-list inside_access_in permit tcp any any eq domain

access-list inside_access_in permit tcp any any eq www

access-list inside_access_in permit udp any any eq domain

access-list inside_access_in deny udp any range 1 65535 any range 1 65535

access-list outside_access_in permit tcp any host x.x.100.50 eq telnet

access-list outside_access_in permit tcp any host x.x.100.50 eq www

access-list outside_access_in deny tcp any any

access-list 101 permit ip x.x.10.0 255.255.255.0 x.x.0.0 255.255.255.0

pager lines 24

logging on

logging trap informational

logging facility 23

logging host inside x.x.10.199

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside x.x.100.50 255.255.255.0

ip address inside x.x.10.25 255.255.255.0

ip verify reverse-path interface outside

ip audit info action drop

ip audit attack action alarm

pdm location x.x.0.157 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 60

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface www x.x.10.199 www netmask 255.255.255.255 0 0

static (inside,outside) x.x.10.25 x.x.100.50 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

http server enable

http x.x.10.0 255.255.255.0 inside

http x.x.10.157 255.255.255.255 inside

http x.x.10.35 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt security fragguard

sysopt connection permit-ipsec

sysopt noproxyarp outside

no sysopt route dnat

crypto ipsec transform-set Alb esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer x.12.177.10

crypto map transam 1 set transform-set Alb

crypto map transam interface outside

isakmp enable outside

isakmp key ******** address x.12.177.10 netmask 255.255.255.255

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

telnet x.x.10.157 255.255.255.255 inside

telnet x.x.10.35 255.255.255.255 inside

telnet timeout 5

ssh x.x.10.157 255.255.255.255 inside

ssh timeout 5

dhcpd dns x.94.0.1 x.94.0.2

dhcpd auto_config outside

terminal width 80

Please Help me!

I thank you in advance

gfullage · ‎06-11-2003

Config looks OK, we need more information other than "and don't work" to be able to help you though.

What is the other side of this tunnel? Are you absolutely sure it's configured properly with matching Phase 1 and 2 parameters? Can you run "debug cry isa" and "debug cry sa" on this PIX and then try and bring up the tunnel and post the output for us?

albatech · ‎06-13-2003

The problem was in the other side of the tunnel!

The conf at this moment work fine.

Thank 's for your help.