04-28-2008 04:33 AM
I am trying to get a site to site VPN established from a PIX520. There is only one outside interface IP and NAT is setup on the PIX. The NAT works fine for general web/email etc and all inside hosts connect to websites reporting their IP as the outside interfaces IP.
The problem I'm having is that the VPN isn't doing the NAT. The tunnel passes stage 1, but then the inside host that is trying to connect is still connecting using its own inside IP and not being natted to the outside interface's IP.
I have been reading various info for about a week and I have even removed all the "nonat" entries on the PIX but it still does not get natted.
Any ideas ?
04-30-2008 09:50 AM
Why is the route to tsclients to 192.168.0.1? Shouldn't it be to 10.192.10.1?
04-30-2008 11:51 AM
It's OK - this time it's just me. I did the cut and paste above after I had tried changing the default route for tsclients to point to its VLAN IP (clutching at straws basically!). It made no difference and it's now back to 10.192.10.1 .... but still doesn't work.
I can't believe the trouble this is causing. I thought getting the VPN up was going to be the hard part, as routing to everything else is fine. After your first suggested remedy for the VPN brought it up first time I thought I was on a winner! Here I am 2 days later and I can't get the routing right.
I really appreciate all the help you are giving me. As I said, I don't have much experience with PIX.
04-30-2008 12:02 PM
At this point, I suggest you do some logging on the pix to verify the ping is in fact coming back over the tunnel.
04-30-2008 01:12 PM
OK Thanks. That will be my task for the morning. I'm still not convinced that the 3rd party at the remote end are sending it back to but I have no way of confirming it except to ask them and they say they are. I will try and setup the logging on the PIX tomorrow and see what that shows.
I will keep you posted.
Thanks.
05-02-2008 03:08 AM
Hi,
I don't seem to be getting any useful info from the PIX logs, except that when the tunnel is up, if I ping the remote end I can see 1 packet going out and one packet coming in.
Also, if I ping from the PIX CLI and get the response back, doesn't that mean it is looking OK via the tunnel?
Does traffic generated from the PIX CLI still go through all the ACLs and routing info that is configured in the PIX?
If so, I can't understand why it works from the PIX CLI but not from the CLI of the 5500 on the inside interface?
I'm really not sure where to go from here.
05-02-2008 06:39 AM
Add this to the pix, then see if an inside client can ping something on the internet.
access-list acl_out permit icmp any any
access-group acl_out in interface outside
05-02-2008 07:35 AM
I can ping stuff on the internet from a host on the inside now anyway. I can happily ping www.google.com and get the replies back with no problems. It's just hosts over the VPN I can't get to. Pinging www.google.com I get:
U:\>ping www.google.com
Pinging www.l.google.com [66.102.9.99] with 32 bytes of data:
Reply from 66.102.9.99: bytes=32 time=23ms TTL=244
Reply from 66.102.9.99: bytes=32 time=21ms TTL=244
Reply from 66.102.9.99: bytes=32 time=21ms TTL=244
Reply from 66.102.9.99: bytes=32 time=26ms TTL=244
Ping statistics for 66.102.9.99:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 26ms, Average = 22ms
U:\>
I have added that line anyway and it still doesn't ping over the VPN.
I have spent a bit more time sanitizing the PIX config so it may make a bit more sense to you now! I have attached the new file.
05-02-2008 07:48 AM
Sorry, it's easy to lose track of all these posts.
05-02-2008 09:12 AM
You don't need this...
no access-list outside_cryptomap_20 permit ip required_vpn 255.255.255.0 interface outside
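The scenario the thread is chasing (inside hosts must appear as the outside interface address when they go across the site-to-site tunnel) is what PIX policy NAT is for. The fragment below is an added example, not the poster's configuration or anything from the attached file; the inside network 10.192.10.0/24 is taken from the thread, while the remote network 172.16.50.0/24, the outside address 203.0.113.10, the ACL names VPN_NAT and outside_cryptomap_20, the crypto map name outside_map and the NAT id 2 are all assumptions chosen for illustration. It shows the order a practitioner has to get right on PIX: NAT is applied before the crypto map is consulted, so the crypto ACL must match the translated (outside) address, and any nat 0 exemption must not also match the VPN-bound traffic, because nat 0 wins over policy NAT.

```cisco
! Added example (not the original poster's config). Addresses and names below are assumed.
! 1. Select only the VPN-bound traffic for translation (policy NAT).
access-list VPN_NAT permit ip 10.192.10.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 2 access-list VPN_NAT
! 2. Translate that traffic to the outside interface address (PAT).
global (outside) 2 interface
! 3. The crypto ACL must describe the post-NAT flow: outside address -> remote network.
!    A crypto ACL written for 10.192.10.0/24 would never match, because NAT runs first.
access-list outside_cryptomap_20 permit ip host 203.0.113.10 172.16.50.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
! 4. Make sure no nat 0 (NAT exemption) entry also matches 10.192.10.0/24 -> 172.16.50.0/24;
!    nat 0 takes precedence over policy NAT and would send the untranslated address into the tunnel.
! 5. Allow decrypted return traffic in without an explicit outside ACL entry.
sysopt connection permit-ipsec
!
! Checks to run after an inside host sends traffic to 172.16.50.0/24:
!   show xlate                -> expect a 10.192.10.x -> 203.0.113.10 PAT entry
!   show crypto ipsec sa      -> expect #pkts encaps/decaps to increase for the host/172.16.50.0 proxy identities
```

Note that pings issued from the PIX's own CLI do not pass through the NAT rules or the interface ACLs, which is why a successful ping from the firewall proves only that the tunnel and return routing work, not that host traffic is being translated; the `show xlate` check is the one that confirms the translation for inside hosts.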