11-11-2002 12:57 AM - edited 02-21-2020 12:10 PM
Hi all!
I have configured a VPN connection between a PIX and a router. The IPSec works well. The scenario is the following:
http://www.olivetti.hu/csulok/ipsec%20pix2rtr.gif
The config of the PIX:
http://www.olivetti.hu/csulok/pix.txt
The working config of the router:
http://www.olivetti.hu/csulok/config.txt
The problem is that in the working configuration of the router the real inside interface is the IP NAT OUTSIDE and the real outside is the IP NAT INSIDE. If I change the router config as below, the connection fails when I ping Host B's 10.111.130.55 IP address from Host A. The echo replies can be seen on the router, but no NAT is performed.
What can be the problem?
Config change:
interface FastEthernet0/0
ip address 195.228.140.213 255.255.255.248
ip nat outside
crypto map profis
!
interface FastEthernet0/1
ip address 10.111.130.68 255.255.255.0 secondary
ip address 11.111.130.68 255.255.255.0 secondary
ip address 192.168.202.249 255.255.255.0
ip nat inside
!
ip nat pool banknak 10.111.130.68 10.111.130.68 prefix-length 24
ip nat outside source list 150 pool banknak
The NAT debug on the router (no NAT for the echo replies):
23:37:59: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [295]
23:38:01: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [296]
23:38:03: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [297]
23:38:05: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [298]
23:38:07: NAT*: s=192.168.201.2->10.111.130.69, d=10.111.130.55 [299]
11-11-2002 05:59 AM
Try:
!
interface FastEthernet0/0
ip address 195.228.140.213 255.255.255.248
ip nat outside
crypto map profis
!
interface FastEthernet0/1
ip address 10.111.130.68 255.255.255.0 secondary
ip address 11.111.130.68 255.255.255.0 secondary
ip address 192.168.202.249 255.255.255.0
ip nat inside
!
ip nat inside source static 10.111.130.69 172.16.130.69
! if you want all of the 10.111.130.0 to 192.168.201.0 traffic NATed:
ip nat inside source list 150 pool banknak overload
ip nat pool banknak 172.16.130.70 172.16.130.70 prefix-length 24
!
access-list 150 permit ip 10.111.130.0 0.0.0.255 192.168.201.0 0.0.0.255
!
And remember that NAT is performed before the crypto map statements/ACLs,
e.g.
crypto map profis 1 ipsec-isakmp
set peer 195.228.140.212
set transform-set transx
match address 120
access-list 120 permit ip host 172.16.130.69 192.168.201.0 0.0.0.255
Hope it helps.
Steve
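The ordering Steve points out (inside-source NAT first, then the crypto map `match address` ACL evaluated against the translated source) is easy to get wrong, so here is a small model of the IOS inside-to-outside path using the addresses, ACL numbers and pool from the thread. This is an added illustration, not code from the original posters or from Cisco; the helper names (`acl_permits`, `InsideSourceNat`, `inside_to_outside`) and the third "pool host" case are assumptions made for the example.

```python
"""
Model of the IOS inside-to-outside packet path: NAT (inside source) runs
first, then the crypto map ACL is checked against the *translated* source.
Added illustration for the thread above, not the posters' or Cisco's code.
Addresses, ACL numbers and the pool name come from the thread; the helper
names and the 10.111.130.77 test host are assumptions.
"""
import ipaddress


def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """Extended ACL: entries are (action, src, src_wild, dst, dst_wild).
    First match wins; implicit deny at the end."""
    for action, s, sw, d, dw in acl:
        if _wild_match(src, s, sw) and _wild_match(dst, d, dw):
            return action == "permit"
    return False


class InsideSourceNat:
    """'ip nat inside source static ...' plus 'ip nat inside source list ... pool ...'."""

    def __init__(self, statics, dynamic_acl, pool, overload):
        self.statics = dict(statics)    # local -> global, always applied
        self.dynamic_acl = dynamic_acl  # which local hosts may use the pool
        self.pool = list(pool)
        self.overload = overload        # PAT: one global address shared by all
        self.table = {}                 # dynamic translations built so far

    def translate(self, src: str, dst: str):
        """Return the global source address, or None if the packet is dropped."""
        if src in self.statics:
            return self.statics[src]
        if src in self.table:
            return self.table[src]
        if not acl_permits(self.dynamic_acl, src, dst):
            return src                  # not subject to NAT, forwarded untranslated
        if self.overload:
            glob = self.pool[0]         # ports distinguish flows; address is shared
        else:
            used = set(self.table.values())
            free = [g for g in self.pool if g not in used]
            if not free:
                return None             # pool exhausted: IOS drops the packet
            glob = free[0]
        self.table[src] = glob
        return glob


def inside_to_outside(nat, crypto_acl, src: str, dst: str):
    """Return (src_after_nat, encrypted). NAT first, then the crypto map
    'match address' ACL sees the translated source. encrypted=False means
    the packet leaves the router in the clear if a route exists."""
    translated = nat.translate(src, dst)
    if translated is None:
        return None, False
    return translated, acl_permits(crypto_acl, translated, dst)


# ACL 150 and the crypto ACL 120 as given in the answer above.
ACL_150 = [("permit", "10.111.130.0", "0.0.0.255", "192.168.201.0", "0.0.0.255")]
ACL_120_POST_NAT = [("permit", "172.16.130.69", "0.0.0.0", "192.168.201.0", "0.0.0.255")]
# The same crypto ACL written against the pre-NAT address (the mistake the answer warns about).
ACL_120_PRE_NAT = [("permit", "10.111.130.69", "0.0.0.0", "192.168.201.0", "0.0.0.255")]


def build_nat():
    """Static .69 -> 172.16.130.69 plus the overloaded pool 'banknak'."""
    return InsideSourceNat(
        statics={"10.111.130.69": "172.16.130.69"},
        dynamic_acl=ACL_150,
        pool=["172.16.130.70"],
        overload=True,
    )


if __name__ == "__main__":
    nat = build_nat()
    for acl, label in ((ACL_120_POST_NAT, "post-NAT"), (ACL_120_PRE_NAT, "pre-NAT")):
        s, enc = inside_to_outside(nat, acl, "10.111.130.69", "192.168.201.2")
        print(f"{label:8} acl: 10.111.130.69 -> {s}, encrypted={enc}")
    # Assumed extra host that is NATed to the pool address, not the static.
    s, enc = inside_to_outside(nat, ACL_120_POST_NAT, "10.111.130.77", "192.168.201.2")
    print(f"pool host:    10.111.130.77 -> {s}, encrypted={enc}")
```

The first two cases show the point of the answer: the crypto ACL only matches when it names the translated address 172.16.130.69, and a crypto ACL written against 10.111.130.69 never fires. The third case is the caveat a practitioner should check: a host that is translated to the pool address 172.16.130.70 is not covered by ACL 120 as written, so if the router has a route to 192.168.201.0 that traffic is forwarded unencrypted; add the pool address (or the whole translated range) to ACL 120, and mirror the change on the PIX, if that traffic is meant to use the tunnel.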