05-12-2005 08:32 AM
I have a situation where I need to connect two PIX firewalls over a VPN as part of a migration. The problem I have is that I cannot change a subnet on either of the sites, so I need to be able to complete this with network overloading.
Documentation to do this is limited, and the one document I did find drops my access to the internet if I follow it.
The setup is (I have two servers talking to one on the other end):
192.168.0.0/24 -PIX1- -Internet- -PIX2- -192.168.0.0/24
I have a nat for the internet and a global statement for the nat using the interface for internet access. This is a blank setup, so there are no tricky access-list or static commands.
Please could someone help?
05-12-2005 11:31 AM
Hi,
Try this setup, using static policy NAT to translate 192.168.0.0/24 to 172.16.1.0/24 for PIX 1, and translate 192.168.0.0/24 to 172.16.2.0/24 for PIX 2.
Hosts on the PIX 1 side will use source 172.16.1.0/24 and destination 172.16.2.0/24 to talk to hosts on the PIX 2 side, while the PIX 2 side uses source 172.16.2.0/24 and destination 172.16.1.0/24 to reach the PIX 1 side.
#PIX 1
# policy nat (traffic going to pix2 172.16.2.0/24) to 172.16.1.0/24
access-list pnat_first permit ip 192.168.0.0 255.255.255.0 172.16.2.0 255.255.255.0
static (inside,outside) 172.16.1.0 access-list pnat_first
# nat'd traffic added to the interesting traffic thru the tunnel
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
crypto map aptmap 10 match address 101
route outside 172.16.2.0 255.255.255.0 x.x.x.x
#Same setup for pix 2
access-list pnat_first permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
static (inside,outside) 172.16.2.0 access-list pnat_first
access-list 101 permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map aptmap 10 match address 101
route outside 172.16.1.0 255.255.255.0 x.x.x.x
Please let us know if that helped.
Regards,
Mustafa
05-13-2005 12:01 AM
Mustafa --
Thank you for your help. I am quite sure that this works, but one thing I forgot to mention is that I am running PIX OS 6.3(1), and the "static (inside,outside) 172.16.2.0 access-list" command is not allowed. Is there another way of doing this?
05-13-2005 03:03 AM
What is the next hop going to be in the route command?
I am trying this in the lab with 6.3(4) but still need to get this working with 6.3(1). My config is as follows:
interface ethernet0 100full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list nat_out permit ip 192.168.0.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list vpn_burley.net permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
ip address outside 211.x.x.2 255.255.255.192
ip address inside 192.168.0.4 255.255.255.0
global (outside) 1 x.x.111.5
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.2.0 access-list nat_out 0 0
route outside 0.0.0.0 x.x.x.x.111.111.1 1
route outside 172.16.x.x.255.255.0 211.111.111.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset ah-sha-hmac esp-des
crypto ipsec transform-set ah-sha-hmac esp-des
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn_burley.net
crypto map vpn 10 set peer 211.222.222.2
crypto map vpn 10 set transform-set myset
isakmp enable outside
isakmp key ******** address 211.222.222.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
05-13-2005 12:00 PM
Hi, sorry for the late reply.
I think as long as you have a default route:
route outside 0.0.0.0 0.0.0.0 x.x.x.x (next hop is the outside upstream/ISP router)
then you don't need a route for 172.16.x.x.
05-15-2005 01:05 PM
Don't you need to use an ESP transform when using NAT? AH breaks with NAT because the header is encapsulated.
Chris
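To make the mechanism behind the AH remark concrete, here is an added, constructed model (not PIX code and not from anyone in this thread) of the integrity check values of AH and ESP. It assumes HMAC-SHA1-96 ICVs as in RFC 2404, a minimal 20-byte IPv4 header with the checksum left at zero, tunnel mode, and no encryption (the ESP payload is treated as opaque bytes); the key, addresses and inner packet are all constructed. The AH ICV covers the outer IP header (with only the mutable fields such as TTL zeroed), so a device that rewrites the outer source address in transit invalidates it, whereas the ESP ICV covers only the SPI, sequence number and payload and survives the rewrite.

```python
"""AH vs ESP integrity under an outer-header address rewrite (constructed model)."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

KEY = b"constructed-demo-integrity-key"   # constructed, not a real SA key
SPI = 0x1000
NEXT_HEADER_IPV4 = 4                      # tunnel mode: payload is an inner IPv4 packet


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    ttl: int
    proto: int        # 51 = AH, 50 = ESP
    length: int


def serialize_ipv4(h: IPv4Header, for_icv: bool = False) -> bytes:
    """Pack the outer header. For the AH ICV, RFC 4302 zeroes the mutable
    fields (TTL here; TOS, flags/fragment offset and checksum are already zero
    in this model) but the source and destination addresses are covered."""
    ttl = 0 if for_icv else h.ttl
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, h.length, 0, 0, ttl, h.proto, 0,
                       socket.inet_aton(h.src), socket.inet_aton(h.dst))


def icv96(data: bytes) -> bytes:
    """HMAC-SHA1 truncated to 96 bits, as used by the *-sha-hmac transforms."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


# AH: ICV = HMAC(outer IP header with mutable fields zeroed || AH header || payload)
def ah_build(ip: IPv4Header, seq: int, payload: bytes) -> bytes:
    fixed = struct.pack("!BBHII", NEXT_HEADER_IPV4, 4, 0, SPI, seq)
    icv = icv96(serialize_ipv4(ip, for_icv=True) + fixed + bytes(12) + payload)
    return fixed + icv + payload


def ah_verify(ip: IPv4Header, packet: bytes) -> bool:
    fixed, icv, payload = packet[:12], packet[12:24], packet[24:]
    expected = icv96(serialize_ipv4(ip, for_icv=True) + fixed + bytes(12) + payload)
    return hmac.compare_digest(icv, expected)


# ESP: ICV = HMAC(SPI || seq || payload); the outer IP header is not covered
def esp_build(seq: int, payload: bytes) -> bytes:
    body = struct.pack("!II", SPI, seq) + payload
    return body + icv96(body)


def esp_verify(packet: bytes) -> bool:
    body, icv = packet[:-12], packet[-12:]
    return hmac.compare_digest(icv, icv96(body))


def router_hop(ip: IPv4Header) -> IPv4Header:
    return replace(ip, ttl=ip.ttl - 1)                 # only a mutable field changes


def nat_hop(ip: IPv4Header, new_src: str) -> IPv4Header:
    return replace(ip, src=new_src, ttl=ip.ttl - 1)    # an immutable field changes


PEER_A, PEER_B, NAT_PUBLIC = "192.0.2.10", "198.51.100.20", "203.0.113.5"  # constructed
INNER = b"constructed inner packet"


def ah_after_router() -> bool:
    ip = IPv4Header(PEER_A, PEER_B, 64, 51, 20 + 24 + len(INNER))
    return ah_verify(router_hop(ip), ah_build(ip, 1, INNER))      # True


def ah_after_nat() -> bool:
    ip = IPv4Header(PEER_A, PEER_B, 64, 51, 20 + 24 + len(INNER))
    return ah_verify(nat_hop(ip, NAT_PUBLIC), ah_build(ip, 1, INNER))   # False


def esp_after_nat() -> bool:
    ip = IPv4Header(PEER_A, PEER_B, 64, 50, 20 + 8 + len(INNER) + 12)
    pkt = esp_build(1, INNER)
    outer = nat_hop(ip, NAT_PUBLIC)      # header rewritten, ICV never covered it
    return esp_verify(pkt) and outer.src == NAT_PUBLIC    # True


if __name__ == "__main__":
    print("AH after plain router hop:", ah_after_router())
    print("AH after address rewrite: ", ah_after_nat())
    print("ESP after address rewrite:", esp_after_nat())
```

The model only covers what an address rewrite does to the integrity check; a port-translating NAT between two peers additionally needs UDP encapsulation (NAT traversal) even for ESP, which is outside this example.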
05-16-2005 06:18 AM
Chris --
Thanks for that. I mistyped the command and have corrected this. I am still having problems with bringing the tunnel up. I have followed all the advice listed in this conversation and am still no closer to solving my problem. Even when I do a debug crypto isakmp, ipsec and engine, none of the debug messages appear. Please, does someone have a working config to hand as a guide?
05-16-2005 06:54 AM
This is my amended config.
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
names
access-list nat_out permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_sweet permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_sweet permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 212.x.x.x.255.255.240
ip address inside 192.168.0.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.72 255.255.255.255 inside
pdm location 213.249.x.x.255.255.0 outside
pdm location 192.168.0.55 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 172.16.2.0 access-list nat_out 0 0
route outside 0.0.0.0 0.x.x.x.10.10.1 1
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn_sweet
crypto map vpn 10 set peer 82.10.10.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 82.10.10.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 60
ssh timeout 5
If it is easier to contact me via email, that would be yulunga [@] ukonline.co.uk.
05-16-2005 07:05 AM
Maybe we need to start from the beginning.
Can you ping the far side pix? Can the far side ping the local pix?
Must remove crypto access lists first.
Chris
05-16-2005 09:34 AM
Chris --
Yes, I SSH into the remote PIX and can ping from the local PIX; these are both 515E R PIX boxes.
05-16-2005 12:25 PM
This one worked with PIX ver 6.2.
LAN1-(192.168.4.0/24) --| PIXa |----| PIXb | -- (192.168.4.0/24)-LAN2
Both Private_LAN1 and Private_LAN2 have an IP subnet of 192.168.4.0/24. This simulates the overlapping address space behind each side of the IPSec tunnel.
In this example, the PIX performs a bi-directional translation so that the two private LANs can communicate over the IPSec tunnel. The translation means that Private_LAN1 "sees" Private_LAN2 as 10.1.1.0/24 through the IPSec tunnel, and Private_LAN2 "sees" Private_LAN1 as 20.1.1.0/24 through the IPSec tunnel.
P520-1(config)#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname P520-1
domain-name bru-x.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
!--- Defines IPSec interesting traffic.
!--- Note that the host behind PIX communicates
!--- to Private_LAN1 using 10.1.1.0/24.
!--- When the packets arrive at the PIX, they are first
!--- translated to 192.168.4.0/24 and then encrypted by IPSec.
access-list 101 permit ip 20.1.x.x.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.16.x.x.255.255.0
ip address inside 192.168.4.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
!--- Static translation defined to translate Private_LAN2
!--- from 192.168.4.0/24 to 10.1.1.0/24.
static (outside,inside) 10.x.x.x.168.4.0 netmask 255.255.255.0 0 0
!--- Static translation defined to translate Private_LAN1
!--- from 192.168.4.0/24 to 20.1.1.0/24.
!--- Note that this translation is used for both
!--- VPN and Internet traffic from Private_LAN1.
!--- A routable global IP address range, or an extra NAT
!--- at the ISP router (in front of PIX), is
!--- required if Private_LAN1 also needs internal access.
static (inside,outside) 20.1.x.x.168.4.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 x.x.x.16.172.55 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
!--- Defines IPSec encryption and authentication algorithms.
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Defines crypto map.
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 172.x.x.55
crypto map vpn 10 set transform-set myset
!--- Apply crypto map on the outside interface.
crypto map vpn interface outside
isakmp enable outside
!--- Defines pre-shared secret (cisco123) used for IKE authentication.
isakmp key ******** address 172.16.172.55 netmask 255.255.255.255
isakmp identity address
!--- Defines ISAKMP policy.
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end
05-16-2005 12:58 PM
weslin --
I have had this config working with my two PIXes. This is from the document "VPN overlapping address space between PIX and concentrator". The problem I have with this is that the connection to the Internet dies; I need a NAT statement to allow an overload-type scenario for internet traffic. Any further advice would gladly be appreciated.
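The two configurations in this thread differ in exactly the point the last post raises: the plain statics of the 6.2-era example (whose own comment notes that the translation is used for both VPN and Internet traffic) rewrite every outbound packet from the local LAN, while the policy static suggested in the first reply rewrites only packets bound for the far side's translated range and lets everything else fall through to nat/global. The following added example is a constructed model (not PIX code and not anyone's configuration in this thread verbatim) of that translation order. It assumes three behaviours the thread relies on: a static is applied before the nat/global pair (a static wins for every address it covers), a policy static applies only to flows matching its ACL, and the crypto ACL is evaluated on the translated addresses. 203.0.113.1 (the PAT address) and 198.51.100.7 (an Internet host) are constructed documentation addresses.

```python
"""Model of PIX outbound translation order: plain static vs policy static."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


@dataclass(frozen=True)
class Static:
    """static (real_ifc,mapped_ifc) mapped_net real_net [access-list ...]"""
    mapped_net: str
    real_net: str
    acl: Tuple[Ace, ...] = ()          # non-empty => policy static

    @staticmethod
    def _shift(host: str, from_net: str, to_net: str) -> str:
        offset = int(ip_address(host)) - int(ip_network(from_net).network_address)
        return str(ip_network(to_net).network_address + offset)

    def real_to_mapped(self, host: str) -> str:
        return self._shift(host, self.real_net, self.mapped_net)

    def mapped_to_real(self, host: str) -> str:
        return self._shift(host, self.mapped_net, self.real_net)


@dataclass
class Pix:
    inside_out: List[Static]     # static (inside,outside): rewrites the source
    outside_in: List[Static]     # static (outside,inside): rewrites the destination
    nat_local: str               # nat (inside) 1 <net>
    pat_address: str             # global (outside) 1 interface
    crypto_acl: List[Ace]

    def source_xlate(self, src: str, dst: str) -> Tuple[Optional[str], str]:
        for st in self.inside_out:                       # statics are tried first
            if ip_address(src) not in ip_network(st.real_net):
                continue
            if not st.acl or any(a.matches(src, dst) for a in st.acl):
                return st.real_to_mapped(src), "static"
        if ip_address(src) in ip_network(self.nat_local):  # then nat/global PAT
            return self.pat_address, "nat/global"
        return None, "no translation"

    def dest_xlate(self, dst: str) -> str:
        for st in self.outside_in:
            if ip_address(dst) in ip_network(st.mapped_net):
                return st.mapped_to_real(dst)
        return dst

    def forward(self, src: str, dst: str) -> dict:
        xsrc, via = self.source_xlate(src, dst)
        xdst = self.dest_xlate(dst)
        tunnel = xsrc is not None and any(a.matches(xsrc, xdst) for a in self.crypto_acl)
        return {"src": xsrc, "dst": xdst, "via": via, "tunnel": tunnel}


# Policy static as in the first reply: 192.168.0.0/24 becomes 172.16.1.0/24 only
# when the destination is the far side's translated range 172.16.2.0/24.
POLICY_PIX = Pix(
    inside_out=[Static("172.16.1.0/24", "192.168.0.0/24",
                       acl=(Ace("192.168.0.0/24", "172.16.2.0/24"),))],
    outside_in=[],
    nat_local="192.168.0.0/24",
    pat_address="203.0.113.1",
    crypto_acl=[Ace("172.16.1.0/24", "172.16.2.0/24")],
)

# Plain statics as in the 6.2-era example, plus the nat/global the poster wants.
PLAIN_PIX = Pix(
    inside_out=[Static("20.1.1.0/24", "192.168.4.0/24")],
    outside_in=[Static("10.1.1.0/24", "192.168.4.0/24")],
    nat_local="192.168.4.0/24",
    pat_address="203.0.113.1",
    crypto_acl=[Ace("20.1.1.0/24", "192.168.4.0/24")],
)


def reaches_internet(pix: Pix, src: str, dst: str) -> bool:
    """Clear-text Internet traffic only works if it leaves with the PAT address."""
    r = pix.forward(src, dst)
    return not r["tunnel"] and r["src"] == pix.pat_address


if __name__ == "__main__":
    print("policy vpn     ", POLICY_PIX.forward("192.168.0.10", "172.16.2.20"))
    print("policy internet", POLICY_PIX.forward("192.168.0.10", "198.51.100.7"))
    print("plain vpn      ", PLAIN_PIX.forward("192.168.4.10", "10.1.1.20"))
    print("plain internet ", PLAIN_PIX.forward("192.168.4.10", "198.51.100.7"))
```

In the plain-static model the Internet-bound flow still leaves as 20.1.1.10 in the clear, because the static covers the whole local range and the nat/global entry is never consulted; that source address is not routable on the Internet, which is the symptom described above. In the policy-static model only the flow to 172.16.2.0/24 is rewritten and encrypted, and the Internet flow is hidden behind the outside address as usual.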
05-19-2005 12:56 PM
Have you finally achieved this config (LAN-to-LAN with overlapping networks)?
Can you provide details about it?
Regards
05-21-2005 02:36 AM
No, I never did get to resolve this. Email me directly and I will let you know how it pans out, unless you know how to solve this?