06-21-2005 09:46 PM - edited 02-21-2020 01:50 PM
Hi, I have a weird problem.
I have a HUB site using a PIX 515
3 spokes (Cisco 831) are connected to the HUB site with an IPsec tunnel.
I also have a DMZ Interface on the PIX.
Any communication to that DMZ is NATed to a single IP (PAT).
For hosts on the inside interface of the pix everything works fine, they can reach servers behind the DMZ interface.
But any hosts on the VPN cannot.
Here is the PIX config:
---------
access-list site1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list site1 permit ip host 172.20.7.66 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 host 172.20.7.66
access-list DMZ permit tcp 192.168.0.0 255.255.0.0 host 172.20.7.66 eq 3389
ip address outside public_int_address 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip address intf2 10.10.58.199 255.255.255.0
global (outside) 2 public_nat_ip_for_internet_access
global (intf2) 1 10.10.58.198
nat (inside) 0 access-list nonat
nat (inside) 1 access-list DMZ 0 0
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
route intf2 172.20.7.66 255.255.255.255 10.10.58.1 1
----------
My crypto map matches ACL site1, and packets from site 1 to address 172.20.7.66 are encrypted and decrypted,
but they do not go through the NAT process since they are coming from the outside interface.
Am I doing this the wrong way?
Regards
Alex
06-22-2005 05:13 AM
Alex,
I don't see a statement that would either nat or no_nat traffic from your DMZ to the outside.
It looks like 172.20.7.66 is the address that VPN users want to connect to. If it is, I think you need a static statement in there:
static (intf2,outside) 172.20.7.66 172.20.7.66
At this point, VPN users will be seen on the DMZ interface as coming from 192.168.1.0/24. If you need them to be translated, then you need to do some outside NAT, which can get kind of messy.
07-06-2005 07:47 AM
Hi
You were right, that line was missing. But I still need to do outside NAT, since the statement below is never used because the packets from the VPN come from the outside interface:
nat (inside) 1 access-list DMZ 0 0
I guess I would have to do something like this
static (intf2,outside) 192.168.1.1 172.20.7.66
But then my other VPN would not work, since you cannot add another static like:
static (intf2,outside) 192.168.2.1 172.20.7.66
etc..
Thanks
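As an added illustration (not Alex's configuration and not the reply's), this is what the outside-NAT direction mentioned in the reply could look like in PIX 6.3 syntax, reusing the addresses from the thread. The `nat (outside) ... outside` form and the `netmask` keyword on the static are assumed from the PIX 6.x command reference and should be checked against the software version on the box; the second spoke network 192.168.2.0/24 is inferred from the 192.168.2.1 static mentioned above.

```cisco
! Added example, not the thread's own config. PIX 6.3 syntax assumed.
! Spoke networks: 192.168.1.0/24 (site1) and 192.168.2.0/24 (inferred).

! 1. Expose the DMZ host to the outside interface without translating it
!    (the static the reply said was missing).
static (intf2,outside) 172.20.7.66 172.20.7.66 netmask 255.255.255.255

! 2. Outside NAT: the trailing "outside" keyword tells the PIX that these
!    source networks arrive on the lower-security outside interface. Traffic
!    from the spokes toward intf2 is then PATed by the intf2 global with the
!    same id, so every spoke shares one translated address and no per-spoke
!    static (intf2,outside) is needed.
nat (outside) 1 192.168.1.0 255.255.255.0 outside
nat (outside) 1 192.168.2.0 255.255.255.0 outside

! 3. The PAT address on the DMZ side. This line already exists in the
!    thread's config (global id 1 on intf2); shown here for completeness.
global (intf2) 1 10.10.58.198
```

With this in place, the DMZ server sees every VPN client as 10.10.58.198, which is the trade-off the reply hinted at: RDP session logs on the server no longer tell the spokes apart, so anyone relying on source addresses there for auditing or host-based filtering should keep that in mind. The `access-list DMZ` policy NAT on the inside interface is untouched and still applies only to hosts that enter on inside.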