
Pix515 VPN with specific internal IP (NAT?)

bertie_uk
Level 1

I have a PIX 515E with three VPN tunnels already set up and working fine. They are all configured with no NAT (i.e. nat (dmz) 0 access-list nonatinside).

I have a fourth VPN to set up, but they already use the same internal IP address range (192.168.0.x) and request that my internal host appear as 192.168.20.1.

How can I set this up without breaking my existing tunnels? I followed the overlapping configuration example, but it's not exactly what I'm trying to do.

access-list nonatinside permit ip host 192.168.0.41 host 10.3.1.133

access-list vpn4 permit ip host 192.168.0.41 host 10.3.1.133

sysopt connection permit-ipsec

crypto ipsec transform-set vpn4-set esp-3des esp-md5-hmac

crypto map vpnmap 40 ipsec-isakmp

crypto map vpnmap 40 match address vpn4

crypto map vpnmap 40 set peer x.x.x.x

crypto map vpnmap 40 set transform-set vpn4-set

crypto map vpnmap interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 20

isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

My host is 192.168.0.41 but as I say, I need it to appear at the other end as 192.168.20.1

Huge thanks in advance

Bertie

Accepted Solution

access-list vpn4_nat permit ip host 192.168.0.41 host 10.3.1.133

access-list policy_nat permit ip host 192.168.0.41 any

no static (dmz,outside) 85.x.x.x 192.168.0.41 netmask 255.255.255.255

static (dmz,outside) 192.168.20.1 access-list vpn4_nat

static (dmz,outside) 85.x.x.x access-list policy_nat

clear xlate

So what this does is create 2 policy NAT statements. If 192.168.0.41 accesses 10.3.1.133 it will be translated to 192.168.20.1. If 192.168.0.41 goes anywhere else, it will be translated to 85.x.x.x. When you do a "show xlate" you should see both translations.

I'm not sure if this is best practice or the only way to accomplish this, but I think it will work.

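The accepted solution above, and acomiskey's later replies about putting a deny line in nonatinside and matching the crypto ACL on 192.168.20.1, both come down to which rule the PIX picks first for a given packet. The following is an added illustration, not code from the thread or from Cisco: a small first-match model of that choice. It assumes PIX 6.3 evaluates the nat 0 access-list exemption first and then the static commands in configuration order (an assumption made here, not stated on the page), uses 203.0.113.5 as a constructed stand-in for the page's 85.x.x.x, and ignores everything except "ip" ACEs with host, subnet/mask or any addresses.

```python
# Added illustration (not from the thread or from Cisco): a first-match model of
# how a PIX 6.3 picks a translation for an outbound packet.
# Assumed evaluation order: nat 0 access-list (exemption) first, then the static
# commands in the order they were configured. The public address 203.0.113.5 is a
# constructed stand-in for the page's 85.x.x.x.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(toks: List[str], i: int):
    """Parse one PIX ACL address at toks[i]: 'any', 'host A', or 'A MASK'."""
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny ip <src> <dst>' as written in the thread (ip only)."""
    toks = line.split()
    action = toks[0]
    src, i = _addr(toks, 2)          # toks[1] is the protocol, always 'ip' here
    dst, _ = _addr(toks, i)
    return Ace(action, src, dst)


def acl_lookup(acl: List[Ace], src, dst) -> Optional[str]:
    """Return the action of the first matching ACE, or None (implicit deny)."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return None


@dataclass
class Static:
    """static (dmz,outside) <mapped> access-list <acl>                (policy)
       static (dmz,outside) <mapped> <real> netmask 255.255.255.255   (regular)"""
    mapped: str
    real: Optional[str] = None
    acl: Optional[List[Ace]] = None


def translate(nat0_acl: List[Ace], statics: List[Static], src_ip: str, dst_ip: str) -> str:
    """Source address the packet leaves the outside interface with."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    if acl_lookup(nat0_acl, src, dst) == "permit":
        return src_ip                     # nat 0 exemption: sent untranslated
    for st in statics:                     # first configured static wins
        if st.acl is not None:
            if acl_lookup(st.acl, src, dst) == "permit":
                return st.mapped
        elif ipaddress.IPv4Address(st.real) == src:
            return st.mapped
    return "nat/global"                    # would fall through to the dynamic pool


def is_interesting(crypto_acl: List[Ace], xlated_src: str, dst_ip: str) -> bool:
    """NAT happens before the crypto map check, so the crypto ACL sees the mapped address."""
    return acl_lookup(crypto_acl, ipaddress.IPv4Address(xlated_src),
                      ipaddress.IPv4Address(dst_ip)) == "permit"


PUBLIC = "203.0.113.5"   # constructed stand-in for the page's 85.x.x.x

# 'show access-list nonatinside' as posted, with the deny line acomiskey suggested
NONATINSIDE = [parse_ace(l) for l in (
    "permit ip host 192.168.0.45 host 10.1.5.12",
    "permit ip host 192.168.0.43 host 10.112.249.58",
    "permit ip host 192.168.0.43 host 10.118.1.10",
    "permit ip host 192.168.0.43 host 10.118.1.13",
    "deny ip host 192.168.0.41 host 10.3.1.133",
)]
VPN4_NAT = [parse_ace("permit ip host 192.168.0.41 host 10.3.1.133")]
POLICY_NAT = [parse_ace("permit ip host 192.168.0.41 any")]
VPN4 = [parse_ace("permit ip host 192.168.20.1 host 10.3.1.133")]   # crypto ACL

# Before the fix: the old regular static was configured first and claims the host
BEFORE = [Static(PUBLIC, real="192.168.0.41"),
          Static("192.168.20.1", acl=VPN4_NAT)]
# Accepted solution: two policy statics, the most specific one first
AFTER = [Static("192.168.20.1", acl=VPN4_NAT),
         Static(PUBLIC, acl=POLICY_NAT)]

if __name__ == "__main__":
    for label, statics in (("before", BEFORE), ("after", AFTER)):
        x = translate(NONATINSIDE, statics, "192.168.0.41", "10.3.1.133")
        print(label, x, "matches crypto ACL:", is_interesting(VPN4, x, "10.3.1.133"))
```

With BEFORE the host to 10.3.1.133 leaves as the public address and never matches the crypto ACL, so no tunnel is ever kicked off; with AFTER it leaves as 192.168.20.1, matches vpn4, and all other destinations still get the public address. The model also shows why the original permit line for 192.168.0.41 in nonatinside had to become a deny: an exemption match is taken before any static is consulted.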


acomiskey
Level 10

Something like this should do the trick....

access-list vpn_nat permit ip host 192.168.0.41 192.168.0.0 255.255.255.0

access-list vpn5 permit ip host 192.168.20.1 192.168.0.0 255.255.255.0

static (inside,outside) 192.168.20.1 access-list vpn_nat

crypto map vpnmap 60 match address vpn5

acomiskey

Thanks for the reply, I am still struggling...

I removed the lines:

access-list nonatinside permit ip host 192.168.0.41 host 10.3.1.133

access-list vpn4 permit ip host 192.168.0.41 host 10.3.1.133

crypto map vpnmap 40 ipsec-isakmp

crypto map vpnmap 40 match address vpn4

crypto map vpnmap 40 set peer x.x.x.x

crypto map vpnmap 40 set transform-set vpn4-set

And replaced with your suggestion, completing the crypto map section.

Just now the vpn tunnel doesn't seem to be starting when I access 10.3.1.133 from 192.168.0.41 server.

Thanks

Sorry, thought the other end of the tunnel was 192.168.0.0. Try this...

access-list vpn_nat permit ip host 192.168.0.41 host 10.3.1.133

access-list vpn4 permit ip host 192.168.20.1 host 10.3.1.133

static (inside,outside) 192.168.20.1 access-list vpn_nat

crypto map vpnmap 40 ipsec-isakmp

crypto map vpnmap 40 match address vpn4

crypto map vpnmap 40 set peer x.x.x.x

crypto map vpnmap 40 set transform-set vpn4-set

thanks again

Made those changes but the tunnel is still not being kicked off.

I should say, my software version is PIX Version 6.3(4).

Thanks

Could you verify with a show xlate that the inside host is translating to 192.168.20.1?

No, the only translation is to an external address.

The only difference is I'm using a DMZ interface, not inside.

Could these lines be conflicting?:

nat (dmz) 0 access-list nonatinside

nat (dmz) 1 192.168.0.0 255.255.255.0 0 0

But these are required for the other VPN connections and local access.

Thanks

Ok, so what does your nonatinside acl look like? You should be able to do something like this...

access-list nonatinside deny ip host 192.168.0.41 host 10.3.1.133

access-list nonatinside permit ip .(whatever your existing acl is)

Then...

access-list vpn_nat permit ip host 192.168.0.41 host 10.3.1.133

access-list vpn4 permit ip host 192.168.20.1 host 10.3.1.133

static (dmz,outside) 192.168.20.1 access-list vpn_nat

crypto map vpnmap 40 ipsec-isakmp

crypto map vpnmap 40 match address vpn4

crypto map vpnmap 40 set peer x.x.x.x

crypto map vpnmap 40 set transform-set vpn4-set

Now looks like this:

access-list nonatinside line 1 permit ip host 192.168.0.45 host 10.1.5.12 (hitcnt=0)

access-list nonatinside line 2 permit ip host 192.168.0.43 host 10.112.249.58 (hitcnt=0)

access-list nonatinside line 3 permit ip host 192.168.0.43 host 10.118.1.10 (hitcnt=0)

access-list nonatinside line 4 permit ip host 192.168.0.43 host 10.118.1.13 (hitcnt=0)

access-list nonatinside line 5 deny ip host 192.168.0.41 host 10.3.1.133 (hitcnt=1)

This shows the other three VPN connections I have.

It does now seem to be trying, in that the deny line has a hit count. But I have debugging on and nothing.

Thanks

Could you post a more complete config?

email me at richard@teamnetsol.com and i'll reply with the full config

thanks for the assistance

