pix dmz static nat and VPN

durale1789
Level 1

Hi,

I have a configuration on my PIX with a static NAT rule which is working fine. However, this rule doesn't work through the VPN tunnel.

Here is my config

access-list DEVPN extended permit ip host 1.1.1.32 255.255.255.224 10.5.45.0 255.255.255.0 (domain vpn encryption)

access-list indmz extended permit icmp any host 1.1.1.40

access-list indmz extended permit icmp 1.1.1.32 255.255.255.224 any

global (dmz) 2 1.1.1.40

static (inside,dmz) 1.1.1.40 2.2.2.2 netmask 255.255.255.255

access-group indmz in interface dmz

I can't ping 1.1.1.40 from 10.5.45.0/24 (through the VPN), but I can talk to it without the VPN.

%PIX-6-302020: Built ICMP connection for faddr x.x.x.x/62801 gaddr 1.1.1.40/0 laddr 2.2.2.2/0 (without vpn)

Teardown ICMP connection for faddr 10.5.45.134/60795 gaddr 1.1.1.40/0 laddr 1.1.1.40/0 (through VPN)

So why, in the second line, is there no translation from 1.1.1.40 to 2.2.2.2?

Regards,

4 Replies

zubairjalal
Level 1

Please post the vpn config and the associated ACL.

The VPN ACL is already included in the previous post, namely DEVPN.

Here is the VPN config:

crypto map VPNList 30 match address DEVPN

crypto map VPNList 30 set pfs

crypto map VPNList 30 set peer

crypto map VPNList 30 set transform-set ESP-3DES-SHA

The VPN works fine... my problem is the static NAT, which is not working.

Regards,

zubairjalal
Level 1

Hi.

The only reason why you are not able to ping is that when you are not using the VPN, the access list named indmz is being used. Here you have specifically permitted any connection to 1.1.1.40 and replies from 1.1.1.34 to any network.

Now when you use the VPN, the ACL named DEVPN is being called. Here you have permitted only traffic from the 1.1.1.32 network to 10.5.45.0. Since ICMP is not stateful, you will have to permit both the request and the replies. I am sure that if you add the following line to DEVPN, you should be good to go:

access-list DEVPN extended permit icmp 10.5.45.0 255.255.255.0 any

and remove the host keyword from your existing DEVPN ACL. It should look like this:

access-list DEVPN extended permit ip 1.1.1.32 255.255.255.224 10.5.45.0 255.255.255.0

--Pls do not forget to rate if useful--

OK, so we can forget ICMP. Let's take SSH from the remote network instead; the ACL "access-list DEVPN extended permit ip 1.1.1.32 255.255.255.224 10.5.45.0 255.255.255.0" should be enough.

Built local-host outside:10.5.45.134

%PIX-7-609001: Built local-host dmz:1.1.1.40

%PIX-6-302013: Built inbound TCP connection 30 for outside:10.5.45.134/36710 (10.5.45.134/36710) to dmz:1.1.1.40/22 (1.1.1.40/22)

There is still no translation.
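As an added illustration, not part of the thread or of any Cisco code: a small Python model of one PIX property, that a static is consulted only for traffic between the two interfaces named in it, which reproduces the gaddr/laddr pattern of the two log lines quoted above. It assumes the "without VPN" test came from a host on the dmz interface, and the (inside,outside) static it contrasts with is a constructed line, not something from the poster's configuration.

```python
import ipaddress

# Constructed sample statics: the first is the poster's own line, the second is
# a hypothetical (inside,outside) entry added here purely for contrast.
PAGE_STATIC = "static (inside,dmz) 1.1.1.40 2.2.2.2 netmask 255.255.255.255"
CONTRAST_STATIC = "static (inside,outside) 1.1.1.40 2.2.2.2 netmask 255.255.255.255"


def parse_static(line):
    """Parse 'static (real_ifc,mapped_ifc) mapped_ip real_ip netmask m'.
    Only host statics (netmask 255.255.255.255) are modelled here."""
    parts = line.split()
    if parts[0] != "static" or parts[4] != "netmask" or parts[5] != "255.255.255.255":
        raise ValueError("only host statics are modelled: %s" % line)
    real_ifc, mapped_ifc = parts[1].strip("()").split(",")
    return {
        "real_ifc": real_ifc,
        "mapped_ifc": mapped_ifc,
        "mapped": ipaddress.ip_address(parts[2]),
        "real": ipaddress.ip_address(parts[3]),
    }


def translate(statics, ingress_ifc, dst):
    """Return (gaddr, laddr) for a packet entering on ingress_ifc bound for dst.

    A static applies only to traffic between the interface pair named in it, so
    a packet arriving on any other interface keeps its destination untranslated
    and the connection log shows gaddr == laddr, as in the VPN line above."""
    dst = ipaddress.ip_address(dst)
    for s in statics:
        if s["mapped_ifc"] == ingress_ifc and s["mapped"] == dst:
            return str(s["mapped"]), str(s["real"])
    return str(dst), str(dst)


def conn_log(ingress_ifc, src, statics, dst):
    """Render the faddr/gaddr/laddr part of a PIX connection message."""
    gaddr, laddr = translate(statics, ingress_ifc, dst)
    return "faddr %s gaddr %s laddr %s" % (src, gaddr, laddr)


if __name__ == "__main__":
    only_dmz = [parse_static(PAGE_STATIC)]
    print(conn_log("dmz", "x.x.x.x", only_dmz, "1.1.1.40"))          # laddr 2.2.2.2
    print(conn_log("outside", "10.5.45.134", only_dmz, "1.1.1.40"))  # laddr 1.1.1.40
    both = only_dmz + [parse_static(CONTRAST_STATIC)]
    print(conn_log("outside", "10.5.45.134", both, "1.1.1.40"))      # laddr 2.2.2.2
```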