04-30-2008 07:43 AM - edited 03-11-2019 05:38 AM
I have a PIX 515E with three VPN tunnels already set up and working fine. They are all configured with no nat (i.e nat (dmz) 0 access-list nonatinside)
I have a fourth VPN to set up, but they already use the same internal IP address (192.168.0.x) and request that my internal host appears as 192.168.20.1
How can I set this up without breaking my existing tunnels? I followed the overlapping configuration example, but not exactly what I'm trying to do.
access-list nonatinside permit ip host 192.168.0.41 host 10.3.1.133
access-list vpn4 permit ip host 192.168.0.41 host 10.3.1.133
sysopt connection permit-ipsec
crypto ipsec transform-set vpn4-set esp-3des esp-md5-hmac
crypto map vpnmap 40 ipsec-isakmp
crypto map vpnmap 40 match address vpn4
crypto map vpnmap 40 set peer x.x.x.x
crypto map vpnmap 40 set transform-set vpn4-set
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
My host is 192.168.0.41 but as I say, I need it to appear at the other end as 192.168.20.1
Huge thanks in advance
Bertie
Solved! Go to Solution.
05-01-2008 07:58 AM
access-list vpn4_nat permit ip host 192.168.0.41 host 10.3.1.133
access-list policy_nat permit ip host 192.168.0.41 any
no static (dmz,outside) 85.x.x.x 192.168.0.41 netmask 255.255.255.255
static (dmz,outside) 192.168.20.1 access-list vpn4_nat
static (dmz,outside) 85.x.x.x access-list policy_nat
clear xlate
So what this does is create 2 policy nat statements. If 192.168.0.41
accesses 10.3.1.133 it will be translated to 192.168.20.1. If 192.168.0.41
goes anywhere else, it will be translated to 85.x.x.x. When you do a "show
xlate" you should see both translations.
I'm not sure if this is best practice or the only way to accomplish this,
but I think it will work.
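To make the translation order that this answer and the later "deny in nonatinside" reply depend on explicit, here is a small Python model written for this thread (it is not PIX code and not posted by either participant). It assumes the documented PIX/ASA NAT order of operations, NAT exemption (nat 0 access-list) first, then policy statics in configured order, then the dynamic nat/global pool, and uses 85.0.0.1 and 85.0.0.2 as constructed placeholders for the masked 85.x.x.x addresses. It also shows why the crypto ACL has to name the translated address 192.168.20.1: the crypto map is consulted after NAT.

```python
import ipaddress

# Constructed model of the PIX 6.3 outbound translation decision for the
# configuration discussed in this thread. Added illustration, not Cisco code.


def acl_entry(action, src, dst):
    """Build one ACL entry; src/dst are 'any', a host address or 'net/prefix'."""
    def net(spec):
        if spec == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        return ipaddress.ip_network(spec, strict=False)  # bare host -> /32
    return (action, net(src), net(dst))


def acl_match(acl, src, dst):
    """First-match semantics; returns 'permit', 'deny' or None (nothing matched)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in acl:
        if s in sn and d in dn:
            return action
    return None


# nonatinside as the poster showed it after adding the deny line (lines from the thread).
NONAT = [
    acl_entry("permit", "192.168.0.45", "10.1.5.12"),
    acl_entry("permit", "192.168.0.43", "10.112.249.58"),
    acl_entry("permit", "192.168.0.43", "10.118.1.10"),
    acl_entry("permit", "192.168.0.43", "10.118.1.13"),
    acl_entry("deny",   "192.168.0.41", "10.3.1.133"),
]

# The two policy statics from the accepted answer, in configured order:
# (translated address, matching ACL). 85.0.0.1 stands in for the masked 85.x.x.x.
POLICY_STATICS = [
    ("192.168.20.1", [acl_entry("permit", "192.168.0.41", "10.3.1.133")]),  # vpn4_nat
    ("85.0.0.1",     [acl_entry("permit", "192.168.0.41", "any")]),         # policy_nat
]

# nat (dmz) 1 192.168.0.0 255.255.255.0 -> global pool; 85.0.0.2 is a placeholder.
DYNAMIC_NAT = (ipaddress.ip_network("192.168.0.0/24"), "85.0.0.2")

# Crypto ACL for the fourth tunnel, written against the post-NAT address.
VPN4_CRYPTO = [acl_entry("permit", "192.168.20.1", "10.3.1.133")]


def translate(src, dst):
    """Return the source address the outside peer sees for a dmz->outside flow."""
    # 1. NAT exemption is evaluated first: a permit means 'send untranslated'.
    #    A deny (or no match) falls through to the statics, which is why the
    #    host had to be denied in nonatinside before the policy static took effect.
    if acl_match(NONAT, src, dst) == "permit":
        return src
    # 2. Policy statics, first configured match wins.
    for mapped, acl in POLICY_STATICS:
        if acl_match(acl, src, dst) == "permit":
            return mapped
    # 3. Dynamic nat/global pool for anything else on the subnet.
    if ipaddress.ip_address(src) in DYNAMIC_NAT[0]:
        return DYNAMIC_NAT[1]
    return None


def tunnel_selected(src, dst):
    """Crypto map ACLs see translated packets, so match on the mapped source."""
    mapped = translate(src, dst)
    return mapped is not None and acl_match(VPN4_CRYPTO, mapped, dst) == "permit"


if __name__ == "__main__":
    for flow in [("192.168.0.41", "10.3.1.133"), ("192.168.0.41", "203.0.113.10"),
                 ("192.168.0.43", "10.118.1.10"), ("192.168.0.50", "203.0.113.10")]:
        print(flow, "->", translate(*flow), "vpn4:", tunnel_selected(*flow))
```

Running it reproduces what the accepted answer says a "show xlate" should report: 192.168.0.41 towards 10.3.1.133 appears as 192.168.20.1 and is picked up by the vpn4 crypto ACL, the same host towards anything else appears as the 85.x.x.x placeholder, and the three existing exempted hosts are untouched. Removing the deny entry from NONAT in the model does nothing here because the host was never permitted in it; the practical check on the box remains "show xlate" plus the hit count on the deny line, as the thread did.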
04-30-2008 08:05 AM
Something like this should do the trick....
access-list vpn_nat permit ip host 192.168.0.41 192.168.0.0 255.255.255.0
access-list vpn5 permit ip host 192.168.20.1 192.168.0.0 255.255.255.0
static (inside,outside) 192.168.20.1 access-list vpn_nat
crypto map vpnmap 60 match address vpn5
05-01-2008 01:54 AM
acomiskey
Thanks for the reply, am still struggling...
I removed the lines:
access-list nonatinside permit ip host 192.168.0.41 host 10.3.1.133
access-list vpn4 permit ip host 192.168.0.41 host 10.3.1.133
crypto map vpnmap 40 ipsec-isakmp
crypto map vpnmap 40 match address vpn4
crypto map vpnmap 40 set peer x.x.x.x
crypto map vpnmap 40 set transform-set vpn4-set
And replaced with your suggestion, completing the crypto map section.
Just now the vpn tunnel doesn't seem to be starting when I access 10.3.1.133 from 192.168.0.41 server.
Thanks
05-01-2008 05:07 AM
Sorry, thought the other end of the tunnel was 192.168.0.0. Try this...
access-list vpn_nat permit ip host 192.168.0.41 host 10.3.1.133
access-list vpn4 permit ip host 192.168.20.1 host 10.3.1.133
static (inside,outside) 192.168.20.1 access-list vpn_nat
crypto map vpnmap 40 ipsec-isakmp
crypto map vpnmap 40 match address vpn4
crypto map vpnmap 40 set peer x.x.x.x
crypto map vpnmap 40 set transform-set vpn4-set
05-01-2008 05:33 AM
thanks again
Made those changes but the tunnel is still not being kicked off.
Should say, my software version is PIX Version 6.3(4)
Thanks
05-01-2008 05:43 AM
Could you verify with a show xlate that the inside host is translating to 192.168.20.1?
05-01-2008 06:02 AM
No, the only translation is to an external address.
The only difference is I'm using a dmz interface, not inside.
Could these lines be conflicting?:
nat (dmz) 0 access-list nonatinside
nat (dmz) 1 192.168.0.0 255.255.255.0 0 0
But these are required for the other VPN connections and local access.
Thanks
05-01-2008 06:12 AM
Ok, so what does your nonatinside acl look like? You should be able to do something like this...
access-list nonatinside deny ip host 192.168.0.41 host 10.3.1.133
access-list nonatinside permit ip .(whatever your existing acl is)
Then...
access-list vpn_nat permit ip host 192.168.0.41 host 10.3.1.133
access-list vpn4 permit ip host 192.168.20.1 host 10.3.1.133
static (dmz,outside) 192.168.20.1 access-list vpn_nat
crypto map vpnmap 40 ipsec-isakmp
crypto map vpnmap 40 match address vpn4
crypto map vpnmap 40 set peer x.x.x.x
crypto map vpnmap 40 set transform-set vpn4-set
05-01-2008 06:32 AM
Now looks like this:
access-list nonatinside line 1 permit ip host 192.168.0.45 host 10.1.5.12 (hitcnt=0)
access-list nonatinside line 2 permit ip host 192.168.0.43 host 10.112.249.58 (hitcnt=0)
access-list nonatinside line 3 permit ip host 192.168.0.43 host 10.118.1.10 (hitcnt=0)
access-list nonatinside line 4 permit ip host 192.168.0.43 host 10.118.1.13 (hitcnt=0)
access-list nonatinside line 5 deny ip host 192.168.0.41 host 10.3.1.133 (hitcnt=1)
This shows the other three vpn connections I have.
It does now seem to be trying, in that the deny line has a hit count. But I have debugging on and nothing.
Thanks
05-01-2008 06:35 AM
Could you post a more complete config?
05-01-2008 06:39 AM
email me at richard@teamnetsol.com and i'll reply with the full config
thanks for the assistance