
VPN access-list, translation issue

richmorrow624
Level 1

I have this scenario with a PIX 525 running 6.3; this supposedly worked at one time:

I have a device on the inside network that needs to access a remote site network through a VPN tunnel.

Inside network device is 10.11.150.1, needs to access remote device 10.79.15.3.

The remote side is supposed to see my device as a 10.91.6.1 address; I am supposed to see his 10.79.15.3 as my destination.

The tunnel never attempts to come up, and none of the access-lists show any hits at all. Is there something missing?

It seems like a routing issue or an access-list problem: all routes are correct, and the firewall can ping my device on this end, but the access-lists never get hits.

crypto map p 30 ipsec-isakmp
crypto map p 30 match address Translate
crypto map p 30 set peer 1.23.45.67
crypto map p 30 set transform-set 3dessha

static (inside,outside) 10.91.6.1 access-list translation 0 0

access-list Translation permit ip host 10.11.150.1 10.79.8.0 255.255.248.0
access-list Translate permit ip 10.91.6.0 255.255.255.240 10.79.8.0 255.255.248.0

18 Replies

One last question, rico.

In the firewall NO_NAT access-list there is this line:

access-list NO_NAT permit ip any 10.0.0.0 255.0.0.0

Wouldn't this match the 10.11.150 subnet and then prevent the static NAT from working, as you stated above?

10.0.0.0/8 includes 10.11.150.0/24, so every packet whose IP begins with 10.x will take this NO_NAT rule; that is why your static NAT does not work.

Try

access-list NO_NAT deny ip host 10.11.150.1 10.79.8.0 255.255.248.0

before

access-list NO_NAT permit ip any 10.0.0.0 255.0.0.0

PIX version 6.3 does not support inserting an ACL entry by line number; you need 7.2 or later. You have to rewrite the whole ACL.

I think this time you will see your static NAT works; then try initiating the VPN tunnel. But still, if the other VPN box is located on the same interface side as the source, it won't work again. Good luck.
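The ordering problem rico describes, modelled as an added example (not code from the thread or from Cisco): a small first-match ACL evaluator that applies the PIX 6.3 order of nat 0 (the NO_NAT exemption) before static policy NAT, using the addresses and access-lists posted above. With the original NO_NAT list, the packet from 10.11.150.1 is exempted from translation, so the VPN side never sees a 10.91.6.x source and the crypto ACL "Translate" gets no hit; with the deny entry placed first, the packet falls through to the static, is translated to 10.91.6.1, and matches the crypto ACL. The helper names (`first_match`, `translate`, `vpn_interesting`, `render_acl`) are this example's own, and `render_acl` prints the whole rewritten list in order, which is what a 6.3 box needs since it cannot insert by line number.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread; constructed test input, not captured traffic.
INSIDE_HOST = "10.11.150.1"   # inside device
REMOTE_HOST = "10.79.15.3"    # device behind the remote VPN peer
TRANSLATED = "10.91.6.1"      # source the remote side expects to see


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(spec):
    """Parse PIX-style 'any', 'host a.b.c.d' or 'a.b.c.d m.m.m.m'."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def ace(action, src, dst):
    return Ace(action, _net(src), _net(dst))


def first_match(acl, src, dst):
    """PIX ACLs are evaluated top-down; the first matching entry decides,
    and every list ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action
    return "deny"


def translate(no_nat, static_acl, src, dst):
    """Model of the PIX 6.3 NAT order (assumption stated in the lead-in):
    nat 0 access-list is consulted before the static policy NAT.
    Returns the source address the outside/VPN side will see."""
    if first_match(no_nat, src, dst) == "permit":
        return src               # exempted from NAT, sent untranslated
    if first_match(static_acl, src, dst) == "permit":
        return TRANSLATED        # static (inside,outside) applies
    return src


# The access-lists exactly as posted in the thread.
TRANSLATE = [ace("permit", "10.91.6.0 255.255.255.240", "10.79.8.0 255.255.248.0")]
TRANSLATION = [ace("permit", "host 10.11.150.1", "10.79.8.0 255.255.248.0")]
NO_NAT_ORIGINAL = [ace("permit", "any", "10.0.0.0 255.0.0.0")]
# rico's fix: the deny for the VPN-bound host must precede the broad permit.
NO_NAT_FIXED = [
    ace("deny", "host 10.11.150.1", "10.79.8.0 255.255.248.0"),
    ace("permit", "any", "10.0.0.0 255.0.0.0"),
]


def vpn_interesting(no_nat):
    """Return (source seen by the peer, whether the crypto ACL 'Translate' hits)."""
    seen = translate(no_nat, TRANSLATION, INSIDE_HOST, REMOTE_HOST)
    return seen, first_match(TRANSLATE, seen, REMOTE_HOST) == "permit"


def _fmt(net):
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.netmask}"


def render_acl(name, acl):
    """Emit the full list in order, as it must be re-entered on PIX 6.3."""
    return [f"access-list {name} {e.action} ip {_fmt(e.src)} {_fmt(e.dst)}"
            for e in acl]


if __name__ == "__main__":
    print("original NO_NAT:", vpn_interesting(NO_NAT_ORIGINAL))
    print("fixed NO_NAT:   ", vpn_interesting(NO_NAT_FIXED))
    print("\n".join(render_acl("NO_NAT", NO_NAT_FIXED)))
```

Running it shows the original list leaving the source as 10.11.150.1 with no crypto-ACL hit, and the fixed list producing 10.91.6.1 with a hit; the rendered lines are the order to paste back in after clearing the list.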

Thanks for all the help, rico.

One last question:

If I remove the entire access-list and then rewrite it,

will I cause the existing VPN tunnels to go down?

Thank you for the post.
