10-20-2004 03:24 AM
I have to create a VPN connection to a vendor's network and I have to NAT all connections to that network to 10.32.255.1.
My local net is 192.1.1.0
The destination net is x.x.x.x and the remote device (a 2600) is at y.y.y.y
So I created a policy NAT
access-list NET1 permit ip 192.1.1.0 255.255.255.0 x.x.x.x 255.255.255.0
global (outside) 2 10.32.255.1
nat (inside) 2 access-list NET1 0 0
and then set up the vpn connection:
access-list outside_cryptomap_60 permit ip 10.32.255.0 255.255.255.240 x.x.x.x 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
isakmp enable outside
crypto map vpn 60 ipsec-isakmp
crypto map vpn 60 match address outside_cryptomap_60
crypto map vpn 60 set pfs group5
crypto map vpn 60 set peer y.y.y.y
crypto map vpn 60 set transform-set ESP-AES-256-SHA
crypto map vpn 60 set security-association lifetime seconds 3600 kilobytes 4608000
isakmp key ******** address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
The problem is that when I ping the destination subnet all pings fail and the hit count on the access list is not incremented and no isakmp activity occurs.
As far as I can tell, everything is correct but obviously it is not. Can anyone suggest what I am doing wrong?
10-20-2004 07:51 AM
On first look everything is correct, as you mentioned already.
Hmm, do you have another router on your inside network, or do you use your PIX as the default gateway for the inside hosts? What I am looking for is whether there might be a problem in routing for 10.32.255.1.
Check with the "capture" command whether you see traffic passing on the outside and inside interfaces.
Do you see error messages?
Are you sure the tunnel is up and the other side is routing correctly ("show isakmp sa"), and are pings allowed in the access-list or icmp command...
What does your outside interface access-list look like?
Sincerely,
Patrick
10-21-2004 12:35 AM
The machine I am pinging from uses the Pix as the default gateway and has no route for 10.32.255.0.
Even if the other side is not configured correctly (and I am assured that it is) surely I should see the traffic going out through the access list (i.e. the hitcount is incremented) even if the other side is incorrect.
When I earlier had the outside_cryptomap_60 using the outside interface rather than the natted address then the hitcount would increment but now it does not. This implies to me that the pings aren't being routed through NAT for some reason.
Show ISAKMP SA shows my other two existing VPNs but nothing for this VPN although it did when I used the external address.
If I turn debug crypto isakmp on, absolutely no messages are generated when I ping the remote hosts.
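The thread turns on one ordering rule: on the PIX, outbound traffic is translated by NAT before it is matched against the crypto map ACL, so the crypto ACL has to describe the translated (global) source, not the original inside subnet. The script below is an added example, not anything posted in the thread; it parses the PIX-style lines quoted above and tells you whether a sample inside-to-vendor flow would first hit the policy NAT and then be selected by the crypto ACL. The vendor network x.x.x.x is replaced with the constructed value 172.16.50.0/24, and `global` is assumed to carry a single address (the PAT form used in the post).

```python
"""Consistency check: PIX policy NAT versus IPsec crypto ACL (added example).

Order of operations on the PIX for outbound traffic:
  1. the policy NAT ACL is matched against the ORIGINAL source/destination;
  2. the crypto map ACL is matched against the TRANSLATED source/destination.
A crypto ACL written with the inside subnet as its source therefore never
matches after NAT.  PIX access-lists use real netmasks, not IOS wildcards.
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)
GLOBAL_RE = re.compile(r"^global\s+\(\w+\)\s+(?P<id>\d+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)$")
NAT_RE = re.compile(r"^nat\s+\(\w+\)\s+(?P<id>\d+)\s+access-list\s+(?P<acl>\S+)")
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(?P<acl>\S+)$")

# Constructed stand-in for the thread's redacted vendor network x.x.x.x.
VENDOR_NET = "172.16.50.0 255.255.255.0"

# The configuration from the original post, with x.x.x.x filled in as above.
POSTED_CONFIG = [
    f"access-list NET1 permit ip 192.1.1.0 255.255.255.0 {VENDOR_NET}",
    "global (outside) 2 10.32.255.1",
    "nat (inside) 2 access-list NET1 0 0",
    f"access-list outside_cryptomap_60 permit ip 10.32.255.0 255.255.255.240 {VENDOR_NET}",
    "crypto map vpn 60 match address outside_cryptomap_60",
]

# Same configuration, but the crypto ACL names the untranslated inside subnet.
MISMATCHED_CONFIG = [
    line.replace("10.32.255.0 255.255.255.240", "192.1.1.0 255.255.255.0")
    if line.startswith("access-list outside_cryptomap_60") else line
    for line in POSTED_CONFIG
]


def _net(addr, mask):
    # "a.b.c.d/netmask" is accepted directly by ipaddress.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(lines):
    acls, globals_, nat_acl, crypto_acl = {}, {}, {}, None
    for raw in lines:
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m["name"], []).append(
                (_net(m["src"], m["smask"]), _net(m["dst"], m["dmask"])))
        elif m := GLOBAL_RE.match(line):
            globals_[m["id"]] = ipaddress.IPv4Address(m["addr"])
        elif m := NAT_RE.match(line):
            nat_acl[m["id"]] = m["acl"]
        elif m := MATCH_RE.match(line):
            crypto_acl = m["acl"]
    return acls, globals_, nat_acl, crypto_acl


def acl_matches(entries, src, dst):
    return any(src in s_net and dst in d_net for s_net, d_net in entries)


def check_flow(config_lines, inside_host, vendor_host):
    """Return a dict describing what happens to one inside->vendor packet."""
    acls, globals_, nat_acl, crypto_acl = parse_config(config_lines)
    src = ipaddress.IPv4Address(inside_host)
    dst = ipaddress.IPv4Address(vendor_host)

    # Step 1: policy NAT, evaluated on the original addresses.
    translated = None
    for nat_id, acl_name in nat_acl.items():
        if acl_matches(acls.get(acl_name, []), src, dst):
            translated = globals_.get(nat_id)
            break
    if translated is None:
        return {"ok": False, "translated": None,
                "reason": "no policy NAT entry matches this flow"}

    # Step 2: crypto ACL, evaluated on the translated source.
    if crypto_acl is None or not acl_matches(acls.get(crypto_acl, []), translated, dst):
        return {"ok": False, "translated": str(translated),
                "reason": f"crypto ACL {crypto_acl} does not cover translated source {translated}"}
    return {"ok": True, "translated": str(translated),
            "reason": "flow is translated and then selected for the tunnel"}


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("mismatched", MISMATCHED_CONFIG)):
        print(label, check_flow(cfg, "192.1.1.10", "172.16.50.20"))
```

For the posted configuration the check passes (the translated source 10.32.255.1 lies inside the crypto ACL's 10.32.255.0/28), while the variant that keeps 192.1.1.0 in the crypto ACL fails at step 2; a failure at step 1 (no hit on NET1) is what the zero hit count in the thread would look like if the packets were not reaching the NAT policy at all, which is why the routing questions in the reply are the right next step.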