Site to Site VPN with NAT (PIX 7.2)

kgreenway
Level 1

Hi All,

I'm hoping for some help with PIX config. tbh I'd class myself as a newb on PIX, only dabbling in it every 6 months or so.

I'm required to set up a site to site VPN between our UK and US Office, to replace our Frame Relay link. I have configured several site to site VPNs on the PIX before, so am reasonably ok with the config aspect of that. What is a new concept to me is the requirement of NAT'ing over the IPSEC tunnel.

The US office requires us to NAT our source addresses (i.e. 192.168.1.0) to usable addresses on their side (i.e. 143.102.89.0). The tunnel should then be set to encrypt traffic from 143.102.89.0/24 to 172.24.0.0/14.

I have added the following config, and am hoping to test this when the US office comes on line today.

If I ping from source 192.168.1.0 to 172.24.x.x and run a SH NAT INSIDE, the NAT translation looks good.

match ip inside 192.168.1.0 255.255.255.0 outside 172.24.0.0 255.252.0.0
    static translation to 143.102.89.0
    translate_hits = 4, untranslate_hits = 0

Could somebody please browse through the following config lines and comment if there are any mistakes?

Many Thanks,

Kevin

access-list ipsec-dallas extended permit ip 143.102.89.0 255.255.255.0 172.24.0.0 255.252.0.0
access-list policy-nat-dallas extended permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0
static (inside,outside) 143.102.89.0 access-list policy-nat-dallas
crypto ipsec transform-set 3desmd5set esp-3des esp-md5-hmac
crypto map dyn-map 40 match address ipsec-dallas
crypto map dyn-map 40 set peer 143.101.6.141
crypto map dyn-map 40 set transform-set 3desmd5set
crypto map dyn-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 143.101.6.141 type ipsec-l2l
tunnel-group 143.101.6.141 ipsec-attributes
 pre-shared-key *


Jennifer Halim
Cisco Employee

Config looks perfect.

Just want to confirm that 143.102.89.0/24 is actually being routed towards the UK office, right?

Good question and thanks for replying.

It's actually not, but I assumed I wouldn't need it, as I was NAT'ing 143.102.89.x to 192.168.1.x. This is where I struggle, as where I've used NAT in the past it has been mapping from a Global to a Local address.

The routes I have on the PIX currently are:

route outside 0.0.0.0 0.0.0.0 83.x.x.1 1
route inside 192.168.0.0 255.255.192.0 172.16.22.2 1

If it helps and you don't mind assisting, I could send a sanitized config from the PIX?

Thanks again for your help.

Kevin

Sure, feel free to send the sanitised config across.

So just to confirm, 143.102.89.x is only locally significant to the 2 offices, right? From US office, 143.102.89.x is being routed towards the site-to-site VPN to the UK office?

Yep, that's correct: 143.102.89.0 is only significant between the two offices. It terminates at the tunnel in the UK effectively, or at least that's what I want to achieve.

I have uploaded my config.

I have now also established that the tunnel is alive, and is at least encapsulating packets. However, I am unable to ping, but I suspect that could be the US side.

Running a sh nat and sh crypto ipsec sa, you can see the PIX is translating 192.168.1.0 to 143.102.89.0 and is encapsulating packets, so it looks good from here.

Crypto map tag: dyn-map, seq num: 40, local addr: 83...

      access-list ipsec-dallas permit ip 143.102.89.0 255.255.255.0 172.24.0.0 255.252.0.0
      local ident (addr/mask/prot/port): (143.102.89.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.24.0.0/255.252.0.0/0/0)
      current_peer: 143.101.6.141

      #pkts encaps: 59, #pkts encrypt: 59, #pkts digest: 59
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 59, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 83..., remote crypto endpt.: 143...

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 92677E58

    inbound esp sas:
      spi: 0xB7FF12AD (3086946989)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 99, crypto-map: dyn-map
         sa timing: remaining key lifetime (kB/sec): (3825000/28114)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x92677E58 (2456256088)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 99, crypto-map: dyn-map
         sa timing: remaining key lifetime (kB/sec): (3824994/28114)
         IV size: 8 bytes
         replay detection support: Y

match ip inside 192.168.1.0 255.255.255.0 outside 172.24.0.0 255.252.0.0
    static translation to 143.102.89.0
    translate_hits = 58, untranslate_hits = 0

Thanks again for your assistance.

Kevin

Based on the show crypto ipsec sa output, the traffic is encrypted, and there is no return traffic from the US.

The US side might want to double check the config, and make sure that NAT exemption is configured from 172.24.0.0/14 towards 143.102.89.0/24.

Can you share the US config?

I'm just waiting for the tech to arrive at his office.  I will try to obtain the config from him and share it with you.

Thanks for confirming this.

Kevin

Hi,

Just to confirm, this is now working:

static (inside,outside) 143.102.89.10 access-list KG_NAT
access-list KG_NAT extended permit ip host 192.168.1.154 172.24.0.0 255.252.0.0

My last remaining question which I'm scratching my head over is how I achieve the following.

The above statement will work fine for example for a Print Server located in the UK, which requires a static address. How do I combine this with a NAT Pool, to permit all other users (SSH PuTTY sessions) to establish a session via the NAT pool?

Any advice would be really appreciated again!

Kevin

You can configure a NAT/Global pair for the remainder of the users.

For example, you can use the ACL originally configured:

access-list policy-nat-dallas extended permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0
nat (inside) 1 access-list policy-nat-dallas
global (outside) 1 143.102.89.x

The static statement that you have configured earlier will take precedence over the above. So the printer gets statically NATed to 143.102.89.10, and the rest can get PATed to another IP address 143.102.89.x.

Please be advised that for PAT, the traffic can only be initiated from 192.168.1.0/24 LAN towards 172.24.0.0/14, not the other way.

Hope that helps.
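Added example (not from the thread, and not Cisco code): a small Python model of the PIX 7.2 translation order described in this reply, using the ACLs and addresses from the thread; 143.102.89.20 is an assumed stand-in for the unspecified 143.102.89.x PAT address. It shows the static host entry winning over the nat/global pair, the one-way nature of PAT, and why the crypto ACL ipsec-dallas (from the first post) has to be written with the translated 143.102.89.0/24 rather than 192.168.1.0/24, since the crypto map sees the packet after NAT; it also models the original net-to-net static from the first post.

```python
import ipaddress

# Constructed model (not the thread's code) of PIX 7.2 outbound translation
# order: static entries are tried before the nat/global pair, and the crypto
# map ACL is matched against the already-translated source address.

ACLS = {  # "permit ip <src> <dst>" entries, taken from the thread
    "KG_NAT": [("192.168.1.154/32", "172.24.0.0/14")],
    "policy-nat-dallas": [("192.168.1.0/24", "172.24.0.0/14")],
    "ipsec-dallas": [("143.102.89.0/24", "172.24.0.0/14")],
}

def acl_match(name, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in ACLS[name])

# (kind, policy ACL, global address) in precedence order. "static-host" is the
# print server static, "pat" the nat/global pair; "static-net" models the
# net-to-net static from the first post. 143.102.89.20 is an assumed value
# standing in for the thread's unspecified "143.102.89.x".
RULES = [
    ("static-host", "KG_NAT", "143.102.89.10"),
    ("pat", "policy-nat-dallas", "143.102.89.20"),
]

def translate(src, dst, rules=RULES):
    """Return (global_src, kind) for an inside->outside packet, else None."""
    for kind, acl, glob in rules:
        if not acl_match(acl, src, dst):
            continue
        if kind == "static-net":  # host byte carried into the global /24
            host = int(ipaddress.ip_address(src)) & 0xFF
            return str(ipaddress.ip_address(glob) + host), kind
        return glob, kind
    return None

def reverse_allowed(kind):
    """Statics untranslate unsolicited US->UK traffic; a PAT xlate exists only
    after an inside host has initiated a session (the caveat in the reply)."""
    return kind != "pat"

def crypto_covered(global_src, dst):
    """True when the translated packet matches crypto ACL ipsec-dallas."""
    return acl_match("ipsec-dallas", global_src, dst)

def globals_in_crypto_acl(rules=RULES):
    """Config check: every global address must sit inside the crypto ACL's
    local network, or the translated traffic never enters the tunnel."""
    return all(crypto_covered(glob, "172.24.0.0") for _, _, glob in rules)
```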

Thank you very much.

Extremely helpful, all seems to be working just fine.

Going to switch the routes today and test, so fingers crossed!