Nat IPSEC traffic

achampag
Level 1

Hi, I have a weird problem.

I have a HUB site using a PIX 515

3 spokes (Cisco 831) are connected to the HUB site with an IPSEC Tunnel.

I also have a DMZ Interface on the PIX.

Any communication to that DMZ is NATed to a single IP (PAT).

For hosts on the inside interface of the PIX everything works fine; they can reach servers behind the DMZ interface.

But any hosts on the VPN cannot.

Here is the PIX config:

---------
access-list site1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list site1 permit ip host 172.20.7.66 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 host 172.20.7.66
access-list DMZ permit tcp 192.168.0.0 255.255.0.0 host 172.20.7.66 eq 3389
ip address outside public_int_address 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip address intf2 10.10.58.199 255.255.255.0
global (outside) 2 public_nat_ip_for_internet_access
global (intf2) 1 10.10.58.198
nat (inside) 0 access-list nonat
nat (inside) 1 access-list DMZ 0 0
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
route intf2 172.20.7.66 255.255.255.255 10.10.58.1 1
----------

My crypto map matches ACL site1, and packets from site 1 to address 172.20.7.66 are encrypted and decrypted,

but they do not go through the NAT process since they are coming from the outside interface.

Am I doing this the wrong way?

Regards

Alex

2 Replies

ma4d
Level 1

Alex,

I don't see a statement that would either nat or no_nat traffic from your DMZ to the outside.

It looks like 172.20.7.66 is the address that VPN users want to connect to. If it is, I think you need a static statement in there:

static (intf2,outside) 172.20.7.66 172.20.7.66

At this point, VPN users will be seen on the DMZ interface as coming from 192.168.1.0/24. If you need them to be translated, then you need to do some outside NAT, which can get kind of messy.

Hi

You were right, that line was missing. But I still need to do outside NAT, since the statement below is never used because the packet from the VPN comes from the outside interface:

nat (inside) 1 access-list DMZ 0 0

I guess I would have to do something like this:

static (intf2,outside) 192.168.1.1 172.20.7.66

But then my other VPNs would not work, since you cannot add another static like:

static (intf2,outside) 192.168.2.1 172.20.7.66

etc.

Thanks
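The thread turns on one PIX rule: `nat`, `global` and `static` statements are bound to interfaces, so a decrypted VPN packet that enters on `outside` is never evaluated against `nat (inside) ...`, and on a PIX with no translation for it the packet is dropped. The script below is an added illustration (not code from the thread or from Cisco) that parses a constructed config modelled on the one above and walks a simplified version of the PIX 6.x lookup order (nat 0 exemption, then static, then policy NAT, then network NAT), restricted to rules bound to the ingress interface. It shows the inside host matching the DMZ policy NAT, the VPN host matching nothing, and the same VPN host matching once the `static (intf2,outside) 172.20.7.66 172.20.7.66` line from the reply is added. The real PIX has more cases (ACL line order, port ranges, identity and outside NAT); the public IPs are constructed placeholders.

```python
"""Simplified model of interface-scoped NAT lookup on a PIX 6.x (added example)."""
import ipaddress

# Constructed config modelled on the thread; public addresses are placeholders.
CONFIG = """
access-list site1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ permit tcp 192.168.0.0 255.255.0.0 host 172.20.7.66 eq 3389
global (outside) 2 198.51.100.2
global (intf2) 1 10.10.58.198
nat (inside) 0 access-list nonat
nat (inside) 1 access-list DMZ 0 0
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
"""
# The line the reply suggests adding.
STATIC_FIX = "static (intf2,outside) 172.20.7.66 172.20.7.66"


def _net(tokens, i):
    """Parse 'host A' or 'A MASK' at tokens[i]; return (network, index after it)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse(text):
    """Return (acls, nats, globals, statics) from PIX-style config lines."""
    acls, nats, globs, statics = {}, [], {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":                      # access-list NAME permit PROTO SRC DST [eq PORT]
            src, i = _net(t, 4)
            dst, i = _net(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append((t[3], src, dst, port))
        elif t[0] == "nat":                             # nat (IF) ID access-list NAME | nat (IF) ID NET MASK
            iface, nid = t[1].strip("()"), int(t[2])
            rule = ("acl", t[4]) if t[3] == "access-list" else ("net", ipaddress.ip_network(f"{t[3]}/{t[4]}"))
            nats.append((iface, nid, rule))
        elif t[0] == "global":                          # global (IF) ID IP
            globs[(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[0] == "static":                          # static (REAL_IF,MAPPED_IF) MAPPED_IP REAL_IP
            real_if, mapped_if = t[1].strip("()").split(",")
            statics.append((real_if, mapped_if, ipaddress.ip_address(t[2]), ipaddress.ip_address(t[3])))
    return acls, nats, globs, statics


def acl_match(entries, proto, src, dst, dport):
    """True if any ACL entry permits this flow (proto 'ip' matches everything)."""
    return any(p in ("ip", proto) and src in s and dst in d and (port is None or port == dport)
               for p, s, d, port in entries)


def lookup(cfg, ingress, proto, src, dst, dport=None):
    """Describe the translation a flow entering on `ingress` would get, in PIX precedence order."""
    acls, nats, globs, statics = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. nat 0 access-list (exemption) on the ingress interface beats everything else.
    for iface, nid, rule in nats:
        if iface == ingress and nid == 0 and rule[0] == "acl" and acl_match(acls[rule[1]], proto, src, dst, dport):
            return "exempt (nat 0 access-list)"
    # 2. static: inbound on the mapped interface toward the mapped IP, or outbound from the real IP.
    for real_if, mapped_if, mapped, real in statics:
        if ingress == mapped_if and dst == mapped:
            return f"static: {dst} -> {real} toward {real_if}"
        if ingress == real_if and src == real:
            return f"static: {src} -> {mapped} toward {mapped_if}"
    # 3. policy NAT (ACL) before network NAT, but only rules bound to the ingress interface.
    for kind in ("acl", "net"):
        for iface, nid, rule in nats:
            if iface != ingress or nid == 0 or rule[0] != kind:
                continue
            hit = acl_match(acls[rule[1]], proto, src, dst, dport) if kind == "acl" else src in rule[1]
            if hit:
                pool = ", ".join(f"{ip} ({gi})" for (gi, gid), ip in globs.items() if gid == nid)
                return f"nat {nid} on {ingress}: translate via global {pool}"
    # 4. Nothing matched: with nat-control the PIX builds no xlate and drops the packet.
    return "no translation (no xlate): dropped"


def demo():
    """Inside host vs. VPN spoke host reaching the DMZ server, before and after the static."""
    base, fixed = parse(CONFIG), parse(CONFIG + "\n" + STATIC_FIX)
    return {
        "inside_to_dmz": lookup(base, "inside", "tcp", "192.168.0.10", "172.20.7.66", 3389),
        "vpn_to_dmz_before": lookup(base, "outside", "tcp", "192.168.1.5", "172.20.7.66", 3389),
        "vpn_to_dmz_after": lookup(fixed, "outside", "tcp", "192.168.1.5", "172.20.7.66", 3389),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `vpn_to_dmz_before` result is the thread's symptom: the `nat (inside) 1 access-list DMZ` line is invisible to a flow that enters on `outside`, so the decrypted packet has no translation at all. Adding the identity static gives the flow a path toward `intf2`, which is what the first reply proposes; translating the spoke addresses themselves would need a separate outside NAT rule rather than a second static for the same DMZ address.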