DAVID FRAGIACOMO
Beginner

Single address NAT to VPN question

I have a VPN created between company A and company B. Company A is hosting a server that company B has access to and all is working as it should.

The PIX at company A is using a static command to translate the inside address of the server (10.1.1.20) to an outside address (155.1.1.197). Up to this point company B initiates all traffic and accesses the server using the outside address of 155.1.1.1

global (outside) 1 interface

nat (int-dmz) 1 10.1.1.0 255.255.255.192 0 0

static (int-dmz,outside) 155.1.1.197 10.1.1.20 netmask 255.255.255.255 0 0

The server hosted at company A needs to initiate a connection to various ip addresses at company B. Being that the traffic is initiated on an interface that has a higher security level (int-dmz) than where it needs to go out of (outside), I know I need to use a NAT command and not a static command.

I’m just not sure of how to enter the correct NAT command to have the traffic initiated on 10.1.1.20 be translated to 155.1.1.197 and placed within the VPN back to company B.

Currently, the ACL for encrypted traffic on the PIX at company A is:

access-list 136 permit ip host 155.1.1.164 object-group CompanyB-Nets

access-list 136 permit ip host 155.1.1.197 object-group CompanyB-Nets

access-list 136 permit ip host 155.1.1.200 object-group CompanyB-Nets

Any help is very much appreciated.

Dave

7 REPLIES
Jouni Forss
Mentor

Hi,

I am not sure if I understood you correctly.

You say you want the server at Site A to use the IP address 155.1.1.197 towards the Site B hosts. Also are you sure there is not a typo in the above when you state that Site B hosts are currently using the IP address 155.1.1.1 to reach the server?

From the looks of it that should already happen. When you have a Static NAT configured for a host it overrides most of the other NAT configuration types on the PIX firewall. The only configurations that can override this Static NAT are usually NAT0 configurations.

I imagine your PIX firewall can't use the "packet-tracer" command, so we can't easily test what NAT rule the traffic would hit with that.

But judging by your above configurations your host 10.1.1.20 should already be using the IP address 155.1.1.197 towards the other site unless there is NAT0 or perhaps Static Policy NAT configured on the PIX which would override that.

Also the crypto ACL that you mention above seems to match the NAT rule so I don't see a problem.

What should happen is that the traffic coming from the host 10.1.1.20 reaches the firewall and gets NATed to 155.1.1.197. After that it will match the L2L VPN rules and should be forwarded through the VPN connection.

- Jouni

Jouni -

Thanks for responding.  You are correct about the typo, 155.1.1.1 should have been 155.1.1.197

The other NAT statements applied to the dmz interface are...

     nat (int-dmz) 0 access-list 114

     nat (int-dmz) 1 10.1.1.0 255.255.255.192 0 0

     nat (int-dmz) 1 10.1.1.0 255.255.255.192 0 0

and access-list 114 used in the nat 0 statement is...

     access-list 114 line 1 permit ip 10.1.1.0 255.255.255.192 10.1.0.0 255.255.0.0

     access-list 114 line 2 permit ip 10.1.1.0 255.255.255.192 11.1.0.0 255.255.0.0

     access-list 114 line 3 permit ip 10.1.1.0 255.255.255.192 object-group CompanyC-Hosts

     access-list 114 line 4 deny ip 10.1.1.0 255.255.255.192 any

While I'm writing this response, I noticed line 4 in the ACL above and think that this may be the root of my problems.

Please correct me if I'm wrong, but I would think that I need the following statement in this ACL...

     access-list 114 line 4 permit ip 10.1.1.0 255.255.255.192 object-group CompanyB-Hosts

Thanks again for your help.

- Dave

Hi,

If you configured the ACL line you mention it would mean that NO NAT would be performed for the network 10.1.1.0/24 when it's contacting network CompanyB-Hosts in either direction. It would override the "static" statement for the server.

As I don't know the network or host IPs of Company B I can't say if the NAT0 currently poses any problems for the L2L VPN.

But it seems to me that the "static" NAT IP address 155.1.1.197 is used when the host from Company A connects to Company B through the L2L VPN.

Is there currently a problem that the host 10.1.1.20 is NOT showing to the remote site Company B with the public IP address 155.1.1.197, or what is the problem?

- Jouni
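As an added illustration (not part of this thread, and not a PIX tool), the Python model below walks through the PIX 6.3 outbound NAT order Jouni describes (nat 0 exemption wins, then static, then nat/global) using Dave's posted ACL 114 and his proposed line 4, and then checks the translated source against crypto ACL 136. The CompanyB-Nets membership (200.1.1.0/24, the remote network named later in the thread), the CompanyC-Hosts member and the outside interface address are assumptions, since the page does not list them.

```python
from ipaddress import ip_address, ip_network

# Object-group members are not listed on the page: 200.1.1.0/24 is the remote
# network named in the thread; CompanyC-Hosts and the outside IP are constructed.
OBJECT_GROUPS = {
    "CompanyB-Nets": ["200.1.1.0/24"],
    "CompanyC-Hosts": ["192.0.2.77/32"],        # constructed placeholder
}
OUTSIDE_IF = "155.1.1.254"                      # constructed placeholder

def _nets(operand):
    """Expand an ACL operand (object-group name or CIDR) into networks."""
    return [ip_network(n) for n in OBJECT_GROUPS.get(operand, [operand])]

def acl_permits(acl, src, dst):
    """First-match evaluation; only a matching permit line returns True."""
    for action, s, d in acl:
        if any(src in n for n in _nets(s)) and any(dst in n for n in _nets(d)):
            return action == "permit"
    return False    # implicit deny at the end of every ACL

# nat (int-dmz) 0 access-list 114, as Dave posted it (255.255.255.192 = /26)
ACL_114 = [("permit", "10.1.1.0/26", "10.1.0.0/16"),
           ("permit", "10.1.1.0/26", "11.1.0.0/16"),
           ("permit", "10.1.1.0/26", "CompanyC-Hosts"),
           ("deny",   "10.1.1.0/26", "0.0.0.0/0")]
# Dave's proposed change: line 4 permits Company B instead of denying everything
ACL_114_PROPOSED = ACL_114[:3] + [("permit", "10.1.1.0/26", "CompanyB-Nets")]
# static (int-dmz,outside) 155.1.1.197 10.1.1.20 and nat (int-dmz) 1 10.1.1.0/26
STATICS = {"10.1.1.20": "155.1.1.197"}
NAT_1 = ip_network("10.1.1.0/26")
# crypto ACL 136 with the three hosts Dave listed
CRYPTO_136 = [("permit", h + "/32", "CompanyB-Nets")
              for h in ("155.1.1.164", "155.1.1.197", "155.1.1.200")]

def translate(src, dst, nat0_acl=ACL_114):
    """PIX 6.3 outbound order: nat 0 exemption, then static, then nat/global."""
    s, d = ip_address(src), ip_address(dst)
    if acl_permits(nat0_acl, s, d):
        return src                  # identity NAT overrides the static
    if src in STATICS:
        return STATICS[src]
    return OUTSIDE_IF if s in NAT_1 else None   # None: no NAT rule, dropped

def goes_into_tunnel(src, dst, nat0_acl=ACL_114):
    """The crypto ACL is matched against the translated source address."""
    mapped = translate(src, dst, nat0_acl)
    if mapped is None:
        return mapped, False
    return mapped, acl_permits(CRYPTO_136, ip_address(mapped), ip_address(dst))

if __name__ == "__main__":
    for acl, name in ((ACL_114, "as posted"), (ACL_114_PROPOSED, "proposed")):
        print(name, goes_into_tunnel("10.1.1.20", "200.1.1.10", acl))
```

With the ACL as posted, 10.1.1.20 is not exempted, takes the static to 155.1.1.197 and matches ACL 136; with the proposed permit line it keeps 10.1.1.20, which ACL 136 never matches, so the flow would not enter the tunnel.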

The problem is that it doesn't appear that traffic outbound from 10.1.1.20 is being directed into the tunnel.  Below is a topology drawing of the configuration along with some of the commands from the Pix 515.

Hi,

What was your PIX firewall's software level at the moment?

- Jouni

Cisco PIX Firewall Version 6.3(3)

Hi,

Everything I have seen so far would indicate that this should already work.

The bad thing is that the software level is very old and therefore won't support the "packet-tracer" command which would immediately tell us what would happen to the connection initiated from your network.

What is even more strange with this problem is the fact that you say they are already connecting to your server with the public destination IP address through the tunnel. Therefore it's even more confusing why it would not work in the other direction.

I don't know if I can do anything about this problem other than maybe look through the complete configuration and see if anything catches my eye.

I guess we could always check some VPN counters like

show crypto ipsec sa peer x.x.x.x

Where the x.x.x.x is the IP address of the Site B VPN device.

The output should tell us if any traffic is passing between the local 155.1.1.197 and remote 200.1.1.0/24

- Jouni
