Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1912
Views
20
Helpful
18
Replies

VPN access-list, tranlation issue

richmorrow624
Level 1
Level 1

‎04-12-2007 11:09 AM - edited ‎03-11-2019 02:59 AM

I have this scenario with a PIX 525 6.3, this supposedly worked at one time:

I have a device on the inside network that needs to access a remote site network through a VPN tunnel.

Inside network device is 10.11.150.1, needs to access remote device 10.79.15.3.

The remote side is supposed to see my device as a 10.91.6.1 address, I am supposed to see his 10.79.15.3 as my destination.

The tunnel never attempts to come up, none of the access-lists show any hits at all, is there something missing?

It seems like a routing issue or access-list problem, all routes are correct, the firewall can ping my device on this end, but the access-lists never get hits.

crypto map p 30 ipsec-isakmp

crypto map p 30 match address Translate

crypto map p 30 set peer 1.23.45.67

crypto map p 30 set transform-set 3dessha

static (inside,outside) 10.91.6.1 access-list translation 0 0

access-list Translation permit ip host 10.11.150.1 10.79.8.0 255.255.248.0

access-list Translate permit ip 10.91.6.0 255.255.255.240 10.79.8.0 255.255.248.0

Labels:
0 Helpful
18 Replies 18

richmorrow624
Level 1
Level 1
In response to rico_hao40

‎04-16-2007 04:56 AM

One last question rico,

in the firewall NO-NAT access-list there is this line:

access-list NO_NAT permit ip any 10.0.0.0 255.0.0.0

wouldn't this match the 10.11.150 subnet and then would prevent the static nat from wotking as you stated above?

0 Helpful

rico_hao40
Level 1
Level 1
In response to richmorrow624

‎04-16-2007 07:47 AM

10.0.0.0 /8 include 10.11.150.0/24, so every packet IP begin with 10.x will take this NO_NAT rule that why your static nat not work.

try

access-list NO_NAT deny ip host 10.11.150.1 10.79.8.0 255.255.248.0

before

access-list NO_NAT permit ip any 10.0.0.0 255.0.0.0

pix version 6.3 does not support insert ACL line number you need 7.2 up, you have to rewrite the whole ACL.

I think this time you can see your static NAT works, maybe trying initial the vpn tunnel...but still if the other vpn box locate at the same interface side as source it would n't work again. good luck

0 Helpful

richmorrow624
Level 1
Level 1
In response to rico_hao40

‎04-16-2007 08:37 AM

Thanks for all the help rico,

One last question:

If I remoove the entore access-list and then rewrite it,

Will I cause the exiting VPN tunnels to go down?

0 Helpful

richmorrow624
Level 1
Level 1
In response to jmia

‎04-15-2007 05:47 PM

Thank you for the post.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card