02-17-2005 08:26 AM - edited 02-20-2020 11:58 PM
Hello,
I'm looking for any docs about how to set up a PIX to Concentrator IPsec tunnel. All the IPs behind the PIX (inside) should be NAT'ed to one IP and have access to the network behind the Concentrator.
Any help will be appreciated.
TYIA
02-17-2005 05:12 PM
There's a sample for a standard LAN-to-LAN tunnel between a PIX and VPN3000 here:
Yours will be a little different because you want to NAT all the traffic from the PIX before encrypting it, which is not the "normal" way to do it. It's not really any more difficult, though, when you take into consideration that NAT'ing happens BEFORE encryption within the PIX.
In the sample config you would not have the following line:
nat (inside) 0 access-list 101
because this is specifically telling the PIX not to NAT the encrypted traffic. You will set up policy-based NAT'ing instead, telling the PIX that any traffic from behind the PIX to behind the 3000 will be NAT'd to, say, 1.1.1.1, and any other traffic outbound from the PIX will be NAT'd as normal.
Using the IP addresses in the sample config and, as I said, NAT'ing all the traffic to 1.1.1.1, you would add the following:
access-list l2ltraffic permit ip 10.13.1.0 255.255.255.0 10.31.1.0 255.255.255.0
nat (inside) 50 access-list l2ltraffic
global (outside) 50 1.1.1.1
So, all packets going from 10.13.1.0/24 to 10.31.1.0/24 will be NAT'd to 1.1.1.1. Now you need to tell the PIX to encrypt this traffic and send it over the tunnel (remember, the NAT'ing happens BEFORE the encryption). In the sample config, change access-list 101 to be the NAT'd traffic rather than the un-NAT'd traffic as follows:
access-list 101 permit ip host 1.1.1.1 10.31.1.0 255.255.255.0
That's it on the PIX. Now on the VPN3000 you have to define the Local and Remote networks under the LAN-to-LAN tunnel set up to be the reverse of the PIX crypto ACL (section 4 in the VPN3000 config section in the sample config). So, your Local Network is 10.31.1.0/24, and your Remote Network becomes simply 1.1.1.1/32.
02-18-2005 03:09 AM
Is this the same if your PIX is configured for PAT?
02-20-2005 02:18 PM
Yes, it doesn't make any difference. The policy-NAT'ing for the IPsec traffic takes precedence over the standard PAT for Internet traffic, so traffic destined over the tunnel will be policy-NAT'd rather than "normal" NAT'd on its way through. The encryption ACL will then match as the packet is sent, and it will be encrypted and sent over the tunnel.
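The order of operations Glenn describes (source NAT is chosen first, and only the translated packet is compared against the crypto ACL), together with his point that the generic Internet PAT does not change it, as an added Python model that is not from this thread or from Cisco. It reuses the thread's addresses (10.13.1.0/24 behind the PIX, 10.31.1.0/24 behind the 3000, 1.1.1.1 as the policy-NAT address); the Internet PAT address 203.0.113.10, the Internet host 198.51.100.5, the assumed precedence exemption > policy NAT > generic NAT, and the failure case where a `nat (inside) 0 access-list` entry for the un-NAT'd traffic is left in place are this example's own assumptions, not statements from the page.

```python
"""Toy model of the PIX outbound path discussed in this thread.

Added illustration, not PIX code: it picks a source translation the way the
thread describes (nat 0 exemption, then policy NAT, then the generic nat/global
PAT) and then matches the *translated* packet against the crypto ACL.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' line of a PIX access-list."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return ip_address(src) in self.src and ip_address(dst) in self.dst


def acl(*entries: Tuple[str, str]) -> List[Ace]:
    return [Ace(ip_network(s), ip_network(d)) for s, d in entries]


def acl_matches(entries: List[Ace], src: str, dst: str) -> bool:
    return any(e.matches(src, dst) for e in entries)


@dataclass
class NatRule:
    # "exempt"  = nat (inside) 0 access-list ...   (no translation)
    # "policy"  = nat (inside) N access-list ... + global (outside) N <ip>
    # "generic" = nat (inside) N 0 0             + global (outside) N <ip>
    kind: str
    match: List[Ace]           # empty list for "generic": matches everything
    global_ip: Optional[str]   # address from the global line; None for exemption


# Assumed precedence for this model: exemption beats policy NAT, which beats
# the generic PAT (this is the precedence Glenn relies on in his answer).
PRECEDENCE = {"exempt": 0, "policy": 1, "generic": 2}


class Pix:
    def __init__(self, nat_rules: List[NatRule], crypto_acl: List[Ace]):
        self.nat_rules = sorted(nat_rules, key=lambda r: PRECEDENCE[r.kind])
        self.crypto_acl = crypto_acl

    def translate(self, src: str, dst: str) -> str:
        """Return the source address the packet carries after NAT."""
        for rule in self.nat_rules:
            if rule.kind == "generic" or acl_matches(rule.match, src, dst):
                return src if rule.global_ip is None else rule.global_ip
        return src  # nothing matched: left untranslated in this toy model

    def outbound(self, src: str, dst: str) -> Tuple[str, bool]:
        """(translated source, does the crypto ACL select it for encryption)."""
        xlated = self.translate(src, dst)
        return xlated, acl_matches(self.crypto_acl, xlated, dst)


# access-list l2ltraffic permit ip 10.13.1.0 255.255.255.0 10.31.1.0 255.255.255.0
L2L = acl(("10.13.1.0/24", "10.31.1.0/24"))

# Glenn's config: policy NAT to 1.1.1.1, crypto ACL written for the NAT'd source.
good = Pix(
    nat_rules=[
        NatRule("policy", L2L, "1.1.1.1"),       # nat (inside) 50 access-list l2ltraffic / global (outside) 50 1.1.1.1
        NatRule("generic", [], "203.0.113.10"),  # nat (inside) 1 0 0 / global (outside) 1 203.0.113.10 (assumed PAT address)
    ],
    crypto_acl=acl(("1.1.1.1/32", "10.31.1.0/24")),  # access-list 101 permit ip host 1.1.1.1 10.31.1.0 255.255.255.0
)

# Same, but a nat (inside) 0 access-list entry for the un-NAT'd 10.13.1.0/24 ->
# 10.31.1.0/24 traffic was left in from the sample config (assumed failure case).
broken = Pix(
    nat_rules=[NatRule("exempt", L2L, None)] + good.nat_rules,
    crypto_acl=good.crypto_acl,
)


def demo() -> dict:
    return {
        "tunnel": good.outbound("10.13.1.7", "10.31.1.20"),
        "internet": good.outbound("10.13.1.7", "198.51.100.5"),
        "with_nat0": broken.outbound("10.13.1.7", "10.31.1.20"),
    }


if __name__ == "__main__":
    for name, (xlated, enc) in demo().items():
        print(f"{name:10s} src after NAT={xlated:14s} matches crypto ACL={enc}")
```

In the working case the tunnel-bound packet leaves NAT as 1.1.1.1 and matches the crypto ACL, while Internet traffic falls through to the generic PAT and is not selected; in the `nat 0` case the exemption wins, the packet keeps its 10.13.1.x source, and a crypto ACL written for `host 1.1.1.1` never fires, so nothing ever triggers the tunnel.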
02-25-2005 08:44 AM
Hi there,
I can't seem to get it to NAT the ACL to the global IP I setup.
example: global (50) x.x.x.x
nat (50) acl
Can you help?
02-27-2005 02:43 PM
Thanks Glenn! It is good to know the precedence or order of operation for the different NATs/PATs/statics and how to take advantage of it.
Regards,
Mustafa
02-23-2005 09:42 AM
Thanks for the response,
I tried this several times; it sees my ACL, but the tunnel never starts to build. It does NAT it, but the tunnel never builds.
I get
portmap translation creation failed for tcp src inside:....
02-23-2005 09:49 AM
Actually, when I do a show xlate I never see internal IPs xlated to the global IP ....