06-09-2003 06:29 AM - edited 02-20-2020 10:47 PM
Hi, I have a question....
Is it possible to configure NAT + Vpn?
I read
but I can't understand how it works.
If it is possible can you give me an example of a working configuration?
06-10-2003 06:31 AM
Sure.
We will use internal network 192.168.0.x 255.255.255.0
We will use other networks as 172.16.x.x 255.255.0.0
Are you looking to run a point to point VPN or a VPN group? You will need your global range or interface to allow the inside traffic to nat out.
i.e. global (outside) 1 interface (PAT)
or global (outside) 1 x.x.x.x - x.x.x.x (This being a range of IP's)
You will then need to associate the NAT statement with the global
nat (inside) 1 0.0.0.0 0.0.0.0 (this will NAT everyone)
or nat (inside) 1 192.168.0.1 (for a one to one)
For a point to point VPN you will want to configure your crypto map and your ISAKMP.
Once this is complete you will need to create your access-list to allow the interesting traffic to traverse the tunnel
i.e. access-list 100 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
and access-list 101 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
You will then need a nat statement as follows. This tells the traffic designated in the access-list not to NAT but to use the tunnel.
nat (inside) 0 access-list 100
You will apply the second access-list to crypto-map match address 101
i.e. crypto map (map name) 10 match address 101
Lastly you will need to add the crypto map to the interface with
crypto map (mapname) interface outside
Let me know how you are looking to configure your VPN and I can give you more detail.
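The order of operations the reply describes (NAT exemption consulted before PAT, crypto map "match address" evaluated on the post-NAT packet) is the part people most often get wrong, so here is a small Python model of it. This is an added example, not configuration or code from the thread or from Cisco; the 192.168.0.0/24 and 172.16.0.0/16 networks come from the reply, while the outside address 203.0.113.50, the remote host 172.16.5.5 and the Internet host 198.51.100.7 are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


def net(addr: str, mask: str) -> IPv4Network:
    """PIX access-lists write networks as 'address mask' (e.g. 192.168.0.0 255.255.255.0)."""
    return IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' (or deny) entry of an extended access-list."""
    src: IPv4Network
    dst: IPv4Network
    permit: bool = True


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching entry wins; no match means the implicit deny at the end."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.permit
    return False


def apply_nat(nat0_acl: list, src: str, dst: str, outside_ip: str) -> tuple:
    """Inside-to-outside order of operations as modelled here: the
    'nat (inside) 0 access-list' exemption is consulted first and leaves a
    permitted flow untranslated; everything else falls through to
    'nat (inside) 1' + 'global (outside) 1 interface', i.e. PAT to the
    outside interface address."""
    if acl_permits(nat0_acl, src, dst):
        return src, "nat0-exempt"
    return outside_ip, "pat"


def enters_tunnel(nat0_acl: list, crypto_acl: list, src: str, dst: str, outside_ip: str) -> tuple:
    """The crypto map's 'match address' ACL sees the packet *after* NAT, which
    is why tunnel traffic has to be exempted from translation."""
    new_src, how = apply_nat(nat0_acl, src, dst, outside_ip)
    return acl_permits(crypto_acl, new_src, dst), how


def uncovered_tunnel_traffic(nat0_acl: list, crypto_acl: list) -> list:
    """Crypto-ACL permit entries not fully covered by a permit entry of the
    NAT-exempt ACL: that traffic would be PATed before the crypto map sees it
    and would never enter the tunnel."""
    def covered(ace: Ace) -> bool:
        return any(n.permit and ace.src.subnet_of(n.src) and ace.dst.subnet_of(n.dst)
                   for n in nat0_acl)
    return [ace for ace in crypto_acl if ace.permit and not covered(ace)]


# Constructed sample values (only the two networks come from the reply above).
OUTSIDE_IP = "203.0.113.50"
# access-list 101 (crypto map match address)
TUNNEL_ACL = [Ace(net("192.168.0.0", "255.255.255.0"), net("172.16.0.0", "255.255.0.0"))]
# access-list 100 (nat (inside) 0) written correctly ...
NAT0_ACL_OK = [Ace(net("192.168.0.0", "255.255.255.0"), net("172.16.0.0", "255.255.0.0"))]
# ... and a too-narrow variant that only exempts one remote /24
NAT0_ACL_NARROW = [Ace(net("192.168.0.0", "255.255.255.0"), net("172.16.1.0", "255.255.255.0"))]

if __name__ == "__main__":
    # (True, 'nat0-exempt'): exempted from PAT, so the crypto ACL still matches
    print(enters_tunnel(NAT0_ACL_OK, TUNNEL_ACL, "192.168.0.10", "172.16.5.5", OUTSIDE_IP))
    # (False, 'pat'): with no nat 0 the source becomes the outside address and misses the crypto ACL
    print(enters_tunnel([], TUNNEL_ACL, "192.168.0.10", "172.16.5.5", OUTSIDE_IP))
    # (False, 'pat'): ordinary Internet traffic is PATed as usual
    print(enters_tunnel(NAT0_ACL_OK, TUNNEL_ACL, "192.168.0.10", "198.51.100.7", OUTSIDE_IP))
    # the crypto ACL entry that the narrow nat 0 ACL fails to cover
    print(uncovered_tunnel_traffic(NAT0_ACL_NARROW, TUNNEL_ACL))
```

The second call is the failure mode the reply is guarding against: without the "nat (inside) 0 access-list" line the packet is translated first, its new source address no longer matches "match address", and it is routed in the clear instead of through the tunnel. The coverage check is the same comparison done offline between the two access-lists, which is why the reply makes 100 and 101 identical.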
06-10-2003 07:55 AM
This is my conf and it doesn't work....
Result of PIX command: "show crypto isakmp sa"
Total : 1
Embryonic : 1
dst src state pending created
x.x.177.10 x.x.100.50 MM_KEY_EXCH 0 0
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_access_in permit tcp x.x.10.0 255.255.255.0 any range ftp-data smtp
access-list inside_access_in permit tcp any any eq domain
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in deny udp any range 1 65535 any range 1 65535
access-list outside_access_in permit tcp any host x.x.100.50 eq telnet
access-list outside_access_in permit tcp any host x.x.100.50 eq www
access-list outside_access_in deny tcp any any
access-list 101 permit ip x.x.10.0 255.255.255.0 x.x.0.0 255.255.255.0
pager lines 24
logging on
logging trap informational
logging facility 23
logging host inside x.x.10.199
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.100.50 255.255.255.0
ip address inside x.x.10.25 255.255.255.0
ip verify reverse-path interface outside
ip audit info action drop
ip audit attack action alarm
pdm location x.x.0.157 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 60
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www x.x.10.199 www netmask 255.255.255.255 0 0
static (inside,outside) x.x.10.25 x.x.100.50 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http x.x.10.0 255.255.255.0 inside
http x.x.10.157 255.255.255.255 inside
http x.x.10.35 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
sysopt noproxyarp outside
no sysopt route dnat
crypto ipsec transform-set Alb esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer x.12.177.10
crypto map transam 1 set transform-set Alb
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.12.177.10 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet x.x.10.157 255.255.255.255 inside
telnet x.x.10.35 255.255.255.255 inside
telnet timeout 5
ssh x.x.10.157 255.255.255.255 inside
ssh timeout 5
dhcpd dns x.94.0.1 x.94.0.2
dhcpd auto_config outside
terminal width 80
Please help me!
I thank you in advance
06-11-2003 04:50 PM
Config looks OK, we need more information other than "and don't work" to be able to help you though.
What is the other side of this tunnel? Are you absolutely sure it's configured properly with matching Phase 1 and 2 parameters? Can you run "debug cry isa" and "debug cry sa" on this PIX and then try and bring up the tunnel and post the output for us?
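The "matching Phase 1 parameters" question is easy to answer mechanically once both peers' ISAKMP policies are written down side by side. The following Python is an added example, not from the thread or from Cisco: it is a simplified model of IKEv1 policy selection (authentication, encryption, hash and DH group must be identical; lifetime is treated as negotiable, with the shorter value used). The PIX policy is the one in the posted config; both remote policy sets are constructed samples, and the priorities 10 and 20 on the remote side are made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'isakmp policy <priority> ...' block, one attribute per line of config."""
    priority: int
    authentication: str   # pre-share | rsa-sig
    encryption: str       # des | 3des | aes
    hash: str             # md5 | sha
    group: int            # Diffie-Hellman group 1 | 2 | 5
    lifetime: int         # seconds


# Attributes that must be identical for a proposal to be accepted in this model.
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")


def differing_attributes(a: IsakmpPolicy, b: IsakmpPolicy) -> list:
    """Names of the match-relevant attributes on which two policies disagree."""
    return [name for name in MATCH_ATTRS if getattr(a, name) != getattr(b, name)]


def negotiate_phase1(local: list, remote: list):
    """Walk both policy sets in priority order and return the first pair whose
    authentication, encryption, hash and DH group are identical.  Lifetime is
    not a match criterion here; the shorter of the two is what the SA would use.
    Returns None when no pair matches (Phase 1 cannot complete)."""
    for l in sorted(local, key=lambda p: p.priority):
        for r in sorted(remote, key=lambda p: p.priority):
            if not differing_attributes(l, r):
                return {"local": l.priority, "remote": r.priority,
                        "lifetime": min(l.lifetime, r.lifetime)}
    return None


def closest_mismatch(local: list, remote: list):
    """When nothing matches, report the pair with the fewest differing attributes
    and which attributes they are; that is the line to compare against the
    peer's 'debug crypto isakmp' output."""
    best = None
    for l in local:
        for r in remote:
            diff = differing_attributes(l, r)
            if best is None or len(diff) < len(best[2]):
                best = (l.priority, r.priority, diff)
    return best


# The PIX side is taken from the posted config; the remote sides are constructed samples.
PIX_POLICIES = [IsakmpPolicy(1, "pre-share", "des", "md5", 1, 1000)]
REMOTE_BAD = [IsakmpPolicy(10, "pre-share", "des", "sha", 1, 86400)]      # hash differs
REMOTE_GOOD = [IsakmpPolicy(10, "pre-share", "3des", "sha", 2, 86400),    # no match
               IsakmpPolicy(20, "pre-share", "des", "md5", 1, 86400)]     # matches the PIX

if __name__ == "__main__":
    print(negotiate_phase1(PIX_POLICIES, REMOTE_BAD))    # None
    print(closest_mismatch(PIX_POLICIES, REMOTE_BAD))    # (1, 10, ['hash'])
    print(negotiate_phase1(PIX_POLICIES, REMOTE_GOOD))   # {'local': 1, 'remote': 20, 'lifetime': 1000}
```

Running it against REMOTE_BAD shows the kind of single-attribute disagreement that keeps Phase 1 from completing, and closest_mismatch names the attribute to fix on one side; with REMOTE_GOOD the second remote policy matches and the negotiated lifetime is the PIX's shorter 1000 seconds.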
06-13-2003 02:11 AM
The problem was in the other side of the tunnel!
The conf at this moment works fine.
Thanks for your help.