Pix to Pix VPN with overlapping networks

yulunga
Level 1

I have a situation where I need to connect two PIX firewalls over a VPN as part of a migration. The problem I have is that I cannot change a subnet on either of the sites, so I need to be able to complete this with network overloading.

Documentation to do this is limited, and the one document I did find drops my access to the Internet if I follow it.

The setup is (I have two servers talking to one on the other end):

192.168.0.0/24 -PIX1- -Internet- -PIX2- 192.168.0.0/24

I have a nat for the Internet and a global statement for the nat using the interface for Internet access. This is a blank setup, so there are no tricky access-list or static commands.

Please could someone help?

13 Replies

mhussein
Level 4

Hi,

Try this setup, using static policy NAT to translate 192.168.0.0/24 to 172.16.1.0/24 for PIX 1, and to translate 192.168.0.0/24 to 172.16.2.0/24 for PIX 2.

Hosts on the PIX 1 side will use source 172.16.1.0/24 and destination 172.16.2.0/24 to talk to hosts on the PIX 2 side, while the PIX 2 side uses source 172.16.2.0/24 and destination 172.16.1.0/24 to reach the PIX 1 side.

#PIX 1
# policy nat (traffic going to pix2 172.16.2.0/24) to 172.16.1.0/24
access-list pnat_first permit ip 192.168.0.0 255.255.255.0 172.16.2.0 255.255.255.0
static (inside,outside) 172.16.1.0 access-list pnat_first
# nat'd traffic added to the interesting traffic thru the tunnel
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
crypto map aptmap 10 match address 101
route outside 172.16.2.0 255.255.255.0 x.x.x.x

#Same setup for pix 2
access-list pnat_first permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
static (inside,outside) 172.16.2.0 access-list pnat_first
access-list 101 permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map aptmap 10 match address 101
route outside 172.16.1.0 255.255.255.0 x.x.x.x

Please let us know if that helped.

Regards,

Mustafa
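The two-sided policy NAT scheme Mustafa describes, and the reason a plain static translation (the kind of config in the "overlapping address space" document the original poster tried) takes Internet access down with it, modelled as a small Python simulation. This is an added example, not Cisco or PIX code: it mimics the PIX order of translation lookup (static translations are consulted before the dynamic nat/global pair, first match wins), reuses the thread's 192.168.0.0/24, 172.16.1.0/24 and 172.16.2.0/24 networks, and the public addresses 203.0.113.1 and 198.51.100.80 are constructed placeholders from the documentation ranges.

```python
"""Model of PIX 6.x-style translation selection for inside->outside packets.

Added example, not PIX code. Two schemes are compared for the same LAN:
  * policy static + PAT  (Mustafa's suggestion)   -> VPN and Internet both work
  * plain static + PAT   (document the OP tried)  -> VPN works, Internet replies never return
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class PolicyStatic:
    """static (inside,outside) <mapped> access-list <acl>: translate only when
    the source is in `real` AND the destination is in `only_to`."""
    real: Net
    mapped: Net
    only_to: Net


@dataclass
class PlainStatic:
    """static (inside,outside) <mapped> <real> netmask ...: translates the whole
    network for every destination, VPN or Internet alike."""
    real: Net
    mapped: Net


@dataclass
class DynamicPat:
    """nat (inside) 1 ... + global (outside) 1 interface: overload onto the
    outside interface address for anything no static has claimed."""
    real: Net
    interface_ip: IPv4


def _shift(addr, from_net, to_net):
    # One-to-one network translation: host part is kept, network part swapped.
    return to_net[int(addr) - int(from_net[0])]


def translate_src(src, dst, rules):
    """Pick the source translation; `rules` lists statics before the PAT rule,
    mirroring the precedence the PIX applies."""
    src, dst = IPv4(src), IPv4(dst)
    for r in rules:
        if isinstance(r, PolicyStatic) and src in r.real and dst in r.only_to:
            return _shift(src, r.real, r.mapped), r
        if isinstance(r, PlainStatic) and src in r.real:
            return _shift(src, r.real, r.mapped), r
        if isinstance(r, DynamicPat) and src in r.real:
            return r.interface_ip, r
    return src, None


def outbound(src, dst, rules, crypto_acl, interface_ip):
    """What happens after NAT: the address the far end sees, whether the crypto
    ACL (written on translated addresses) matches, and whether plain Internet
    replies can come back at all."""
    new_src, _ = translate_src(src, dst, rules)
    dst = IPv4(dst)
    in_tunnel = any(new_src in a and dst in b for a, b in crypto_acl)
    # Replies from the Internet only return if we sent the firewall's own
    # public address; a private mapped range is simply unroutable upstream.
    internet_ok = in_tunnel or new_src == interface_ip
    return {"src": str(new_src), "tunnel": in_tunnel, "internet_ok": internet_ok}


def inbound_untranslate(dst, rules):
    """After decryption the peer's packet is addressed to our mapped network;
    the static maps it back to the real inside host."""
    dst = IPv4(dst)
    for r in rules:
        if isinstance(r, (PolicyStatic, PlainStatic)) and dst in r.mapped:
            return str(_shift(dst, r.mapped, r.real))
    return str(dst)


LAN = Net("192.168.0.0/24")                    # identical on both sides
PIX1_VIEW, PIX2_VIEW = Net("172.16.1.0/24"), Net("172.16.2.0/24")
PIX1_PUBLIC = IPv4("203.0.113.1")              # constructed placeholder
INTERNET_HOST = "198.51.100.80"                # constructed placeholder
CRYPTO_ACL = [(PIX1_VIEW, PIX2_VIEW)]           # access-list 101 on PIX 1

PIX1_POLICY = [PolicyStatic(LAN, PIX1_VIEW, PIX2_VIEW), DynamicPat(LAN, PIX1_PUBLIC)]
PIX1_PLAIN = [PlainStatic(LAN, PIX1_VIEW), DynamicPat(LAN, PIX1_PUBLIC)]
PIX2_RULES = [PolicyStatic(LAN, PIX2_VIEW, PIX1_VIEW)]


def demo():
    """Run the four cases the thread is about and return the results."""
    return {
        "vpn_policy": outbound("192.168.0.10", "172.16.2.20", PIX1_POLICY, CRYPTO_ACL, PIX1_PUBLIC),
        "far_side_real_dst": inbound_untranslate("172.16.2.20", PIX2_RULES),
        "web_policy": outbound("192.168.0.10", INTERNET_HOST, PIX1_POLICY, CRYPTO_ACL, PIX1_PUBLIC),
        "web_plain": outbound("192.168.0.10", INTERNET_HOST, PIX1_PLAIN, CRYPTO_ACL, PIX1_PUBLIC),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point the model makes explicit: the crypto ACL must be written in the translated addresses, because translation happens before encryption on the way out and un-translation happens after decryption on the way in, and each side's ACL is the mirror image of the other's (one direction per side is enough). With the plain static, every packet from the LAN leaves with a 172.16.1.x source, so the PAT rule never gets a chance and Internet traffic has no return path; the policy static only claims packets bound for the far LAN.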

Mustafa --

Thank you for your help. I am quite sure that this works, but one thing I forgot to mention is that I am running PIX OS 6.3(1) and the "static (inside,outside) 172.16.2.0 access-list" command is not allowed. Is there another way of doing this?

What is the next hop going to be in the route command ?

I am trying this in the lab with 6.3(4) but still need to get this working with 6.3(1). My config is as follows:

interface ethernet0 100full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list nat_out permit ip 192.168.0.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list vpn_burley.net permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
ip address outside 211.x.x.2 255.255.255.192
ip address inside 192.168.0.4 255.255.255.0
global (outside) 1 x.x.111.5
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.2.0 access-list nat_out 0 0
route outside 0.0.0.0 x.x.x.x.111.111.1 1
route outside 172.16.x.x.255.255.0 211.111.111.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset ah-sha-hmac esp-des
crypto ipsec transform-set ah-sha-hmac esp-des
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn_burley.net
crypto map vpn 10 set peer 211.222.222.2
crypto map vpn 10 set transform-set myset
isakmp enable outside
isakmp key ******** address 211.222.222.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Hi, sorry for the late reply.

I think as long as you have a default route:

route outside 0.0.0.0 0.0.0.0 x.x.x.x (next hop is the outside upstream/ISP router)

then you don't need a route for 172.16.x.x.

Don't you need to use an ESP transform when using NAT? AH breaks with NAT because the header is encapsulated.

Chris
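Chris's point about AH and NAT, shown as a toy model of which bytes each transform's integrity check covers. This is an added example, not PIX code: the key, addresses and payload are constructed, and HMAC-SHA256 stands in for the SHA-1 HMAC ICV of the real ah-sha-hmac and esp-sha-hmac transforms. The failure it shows is the one that bites when a NAT device sits between the two IPsec peers and rewrites the outer IP header in transit.

```python
"""Why AH fails behind NAT and ESP does not: a toy integrity-check model.

Added example, not PIX code. AH computes its ICV over the outer IP header
(minus mutable fields such as TTL and checksum) plus the payload, so a
rewritten source address invalidates it. ESP covers only the ESP header
and its (encrypted) payload, so the outer header may change freely.
"""
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"    # the SA's integrity key, shared by both peers
AH, ESP = 51, 50                  # IP protocol numbers


def _immutable_header(src, dst, proto):
    """The IPv4 header fields AH includes in its ICV: the addresses are
    immutable in transit (unless NAT interferes) and are therefore covered."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + bytes([proto]))


def _covered_bytes(src, dst, transform, payload):
    """Bytes the receiver must see unchanged for the ICV to verify."""
    if transform == "ah":
        return _immutable_header(src, dst, AH) + payload
    if transform == "esp":
        return payload               # ESP header/data only, outer IP excluded
    raise ValueError(f"unknown transform {transform!r}")


def build_packet(src, dst, transform, payload):
    """Sending peer: compute the ICV over the covered bytes."""
    icv = hmac.new(KEY, _covered_bytes(src, dst, transform, payload),
                   hashlib.sha256).digest()
    return {"src": src, "dst": dst, "transform": transform,
            "payload": payload, "icv": icv}


def verify_packet(pkt):
    """Receiving peer: recompute the ICV over what actually arrived."""
    expected = hmac.new(
        KEY,
        _covered_bytes(pkt["src"], pkt["dst"], pkt["transform"], pkt["payload"]),
        hashlib.sha256,
    ).digest()
    return hmac.compare_digest(expected, pkt["icv"])


def nat_rewrite(pkt, new_src):
    """A NAT router in the path replaces the outer source address and
    leaves the rest of the packet untouched."""
    return {**pkt, "src": new_src}


def survives_nat(transform):
    """Build a packet with the given transform, pass it through NAT and
    report whether the far peer still accepts it."""
    # Constructed addresses: private inside address, documentation-range peer.
    pkt = build_packet("192.168.0.4", "198.51.100.2", transform, b"constructed payload")
    return verify_packet(nat_rewrite(pkt, "203.0.113.1"))


if __name__ == "__main__":
    for t in ("ah", "esp"):
        print(f"{t}: verifies after NAT = {survives_nat(t)}")
```

In the thread's design the PIX performs its own translation on the inner addresses before it encapsulates, so the peer-to-peer ICV is computed over the PIX's outside address; the model above is the separate case of an intermediate NAT device altering the outer header, where only ESP (optionally with NAT traversal) keeps working.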

Chris --

Thanks for that, I mistyped the command and have corrected this. I am still having problems with bringing the tunnel up. I have followed all the advice listed in this conversation and am still no closer to solving my problem. Even when I do a debug crypto isakmp, ipsec and engine, none of the debug messages appear. Please, does someone have a working config to hand as a guide?

This is my amended config.

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
names
access-list nat_out permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_sweet permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_sweet permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 212.x.x.x.255.255.240
ip address inside 192.168.0.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.72 255.255.255.255 inside
pdm location 213.249.x.x.255.255.0 outside
pdm location 192.168.0.55 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 172.16.2.0 access-list nat_out 0 0
route outside 0.0.0.0 0.x.x.x.10.10.1 1
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn_sweet
crypto map vpn 10 set peer 82.10.10.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 82.10.10.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 60
ssh timeout 5

If it is easier to contact me via email, that would be yulunga [@] ukonline.co.uk.

Maybe we need to start from the beginning.

Can you ping the far side pix? Can the far side ping the local pix?

Must remove crypto access lists first.

Chris

Chris --

Yes, I SSH into the remote PIX and can ping from the local PIX; these are both 515E R PIX boxes.

weslin
Level 1

This one worked with PIX version 6.2.

LAN1-(192.168.4.0/24) --| PIXa |----| PIXb | -- (192.168.4.0/24)-LAN2

Both Private_LAN1 and Private_LAN2 have an IP subnet of 192.168.4.0/24. This simulates the overlapping address space behind each side of the IPSec tunnel.

In this example, the PIX performs a bi-directional translation so that the two private LANs can communicate over the IPSec tunnel. The translation means that Private_LAN1 "sees" Private_LAN2 as 10.1.1.0/24 through the IPSec tunnel, and Private_LAN2 "sees" Private_LAN1 as 20.1.1.0/24 through the IPSec tunnel.

P520-1(config)#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname P520-1
domain-name bru-x.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
!--- Defines IPSec interesting traffic.
!--- Note that the host behind PIX communicates
!--- to Private_LAN1 using 10.1.1.0/24.
!--- When the packets arrive at the PIX, they are first
!--- translated to 192.168.4.0/24 and then encrypted by IPSec.
access-list 101 permit ip 20.1.x.x.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.16.x.x.255.255.0
ip address inside 192.168.4.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
!--- Static translation defined to translate Private_LAN2
!--- from 192.168.4.0/24 to 10.1.1.0/24.
static (outside,inside) 10.x.x.x.168.4.0 netmask 255.255.255.0 0 0
!--- Static translation defined to translate Private_LAN1
!--- from 192.168.4.0/24 to 20.1.1.0/24.
!--- Note that this translation is used for both
!--- VPN and Internet traffic from Private_LAN1.
!--- A routable global IP address range, or an extra NAT
!--- at the ISP router (in front of PIX), is
!--- required if Private_LAN1 also needs internal access.
static (inside,outside) 20.1.x.x.168.4.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 x.x.x.16.172.55 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
!--- Defines IPSec encryption and authentication algorithms.
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Defines crypto map.
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 172.x.x.55
crypto map vpn 10 set transform-set myset
!--- Apply crypto map on the outside interface.
crypto map vpn interface outside
isakmp enable outside
!--- Defines pre-shared secret (cisco123) used for IKE authentication.
isakmp key ******** address 172.16.172.55 netmask 255.255.255.255
isakmp identity address
!--- Defines ISAKMP policy.
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end

weslin --

I have had this config working with my two PIXes. This is from the document "VPN overlapping address space between PIX and concentrator". The problem I have with this is that the connection to the Internet dies; I need a nat statement to allow an overload type scenario for Internet traffic, and any further advice would be gladly appreciated.

jjfaure
Level 1

Have you finally achieved this config (lan2lan with overlapping networks)?

Can you provide details about it?

Regards

No, I never did get to resolve this. Email me directly and I will let you know how it pans out, unless you know how to solve this?
