Site-to-Site VPN Using NAT

jaimie.harris
Level 1

I have to create a VPN connection to a vendor's network and I have to NAT all connections to that network to 10.32.255.1.

My local net is 192.1.1.0

The destination net is x.x.x.x and the remote device (a 2600) is at y.y.y.y

So I created a policy NAT:

access-list NET1 permit ip 192.1.1.0 255.255.255.0 x.x.x.x 255.255.255.0
global (outside) 2 10.32.255.1
nat (inside) 2 access-list NET1 0 0

and then set up the VPN connection:

access-list outside_cryptomap_60 permit ip 10.32.255.0 255.255.255.240 x.x.x.x 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
isakmp enable outside
crypto map vpn 60 ipsec-isakmp
crypto map vpn 60 match address outside_cryptomap_60
crypto map vpn 60 set pfs group5
crypto map vpn 60 set peer y.y.y.y
crypto map vpn 60 set transform-set ESP-AES-256-SHA
crypto map vpn 60 set security-association lifetime seconds 3600 kilobytes 4608000
isakmp key ******** address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400

The problem is that when I ping the destination subnet, all pings fail, the hit count on the access list is not incremented, and no ISAKMP activity occurs.

As far as I can tell, everything is correct but obviously it is not. Can anyone suggest what I am doing wrong?
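As an added example (not from this thread and not Cisco code), the following Python model walks the posted config through the PIX outbound order of operations: policy NAT is applied first, and the crypto map ACL is then matched against the translated packet, which is why the crypto ACL has to list the NATed source rather than the real inside net. It assumes 203.0.113.0/24 (TEST-NET-3) as a stand-in for the vendor network the post anonymises as x.x.x.x, and 203.0.113.5 as a constructed host on it.

```python
import ipaddress

# Constructed stand-in (TEST-NET-3) for the vendor network the post writes as x.x.x.x.
VENDOR_NET = "203.0.113.0"
VENDOR_HOST = "203.0.113.5"  # constructed host on that network

# The three parts of the posted config that decide whether a packet reaches the tunnel.
POLICY_NAT_ACL = [f"permit ip 192.1.1.0 255.255.255.0 {VENDOR_NET} 255.255.255.0"]  # NET1
GLOBAL_ADDR = "10.32.255.1"  # global (outside) 2 10.32.255.1: a single address, so PAT
CRYPTO_ACL = [f"permit ip 10.32.255.0 255.255.255.240 {VENDOR_NET} 255.255.255.0"]  # outside_cryptomap_60


def parse_ace(ace):
    """'permit ip SRC SMASK DST DMASK' -> (action, src_network, dst_network)."""
    action, _proto, src, smask, dst, dmask = ace.split()
    return (action,
            ipaddress.IPv4Network(f"{src}/{smask}"),
            ipaddress.IPv4Network(f"{dst}/{dmask}"))


def acl_lookup(acl, src, dst):
    """First-match ACL evaluation; None stands for the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        action, src_net, dst_net = parse_ace(ace)
        if s in src_net and d in dst_net:
            return action
    return None


def outbound_path(src, dst):
    """Model an inside->outside packet: policy NAT first, then the crypto ACL
    is matched against the *translated* packet (PIX/ASA order of operations)."""
    if acl_lookup(POLICY_NAT_ACL, src, dst) == "permit":
        translated = GLOBAL_ADDR  # nat (inside) 2 access-list NET1 -> global (outside) 2
    else:
        translated = src          # no policy NAT match: source address unchanged
    crypto_hit = acl_lookup(CRYPTO_ACL, translated, dst) == "permit"
    return translated, crypto_hit


if __name__ == "__main__":
    # A host on the posted inside net is translated to 10.32.255.1, which lies inside
    # 10.32.255.0/28, so on paper the crypto ACL should count a hit for this flow.
    print(outbound_path("192.1.1.10", VENDOR_HOST))
    # A host outside 192.1.1.0/24 is never translated and never matches the crypto ACL.
    print(outbound_path("192.1.2.10", VENDOR_HOST))
```

If the model says the flow should hit but the PIX counter stays at zero, the mismatch is in what actually reaches the box (source address, routing, or an interface ACL), not in the crypto ACL arithmetic.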

2 Replies

Patrick Iseli
Level 7

On first look everything is correct, as you mentioned already.

Hmm, do you have another router on your inside network, or do you use your PIX as the default gateway for the inside hosts? What I am looking for is whether there might be a problem in routing for 10.32.255.1.

Check with the "capture" command whether you see passing traffic on the outside and inside interfaces.

Do you see error messages?

Are you sure the tunnel is up and the other side is routing correctly ("show isakmp sa"), and that pings are allowed in the access-list or by the icmp command...

What does your outside interface access-list look like?

Sincerely,

Patrick

The machine I am pinging from uses the PIX as the default gateway and has no route for 10.32.255.0.

Even if the other side is not configured correctly (and I am assured that it is), surely I should see the traffic going out through the access list (i.e. the hit count is incremented) even if the other side is incorrect.

When I earlier had outside_cryptomap_60 using the outside interface address rather than the NATed address, the hit count would increment, but now it does not. This implies to me that the pings aren't being routed through NAT for some reason.

"show isakmp sa" shows my other two existing VPNs but nothing for this VPN, although it did when I used the external address.

If I turn "debug crypto isakmp" on, absolutely no messages are generated when I ping the remote hosts.