12-27-2012 01:19 AM
Hi friends. I established a VPN between a dynamic-IP router and a static-IP PIX. I am simulating the scenario of my university network in GNS3. I want the traffic received by the PIX firewall through the VPN tunnel to go out to the Internet, to a specific server, through its public static IP, which is registered with IEEE. My VPN is working, but I can't ping that server which I want to be accessed through the public IP of the PIX. I know there is a problem with NAT on the PIX firewall, but I can't sort it out; please, anyone, help me with it.
Router results are:
R2#show crypto isakmp sa
dst src state conn-id slot status
172.0.1.2 172.0.0.2 QM_IDLE 1 0 ACTIVE
PIX firewall results are:
pix1# show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.0.0.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
access-list no-nat extended permit ip any any
access-list vpn extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0
access-group no-nat in interface outside
route outside 0.0.0.0 0.0.0.0 172.0.1.1 1
pix1# show nat outside
match ip outside 172.16.0.0 255.255.0.0 outside 192.168.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 9
I want to access 172.16.0.0 through the public IP of the PIX firewall in this simulation.
The topology is shown below.
12-27-2012 05:55 AM
Plus, nat 0 should be applied to the inside interface:
nat (inside) 0 access-list vpn
12-27-2012 05:50 AM
What about "same-security-traffic permit intra-interface"?
12-27-2012 05:52 AM
Hey Andrew, thanks for the reply. Please can you explain this to me?
12-27-2012 09:55 AM
Thank you so much. This command works and I successfully pinged.
12-27-2012 05:50 AM
Please, someone reply to me; I am just CCNA.
12-27-2012 06:00 AM
Why should I include this command? I don't want my traffic to go to the inside network. Please tell me; I am completely new to the firewalls and security world.
12-27-2012 05:56 AM
For traffic to be able to go back and forth on the same interface you need the global config command: same-security-traffic permit intra-interface. Plus what I said about NAT.
12-27-2012 06:07 AM
And, though it's not related to what you asked about, I don't think you need this:
access-group no-nat in interface outside,
because VPN traffic between your sites is allowed without any ACL on the outside interface, if you've got sysopt connection permit vpn enabled.
12-27-2012 06:35 AM
Yeah Andrew, you are right about the access-list. About the NAT command you mentioned: why should I need this? When the PIX receives the VPN traffic and decapsulates it, it will see 172.16.0.0 as the destination network, for which it has a default route. What I think is that the PIX should forward the packet via the default route and NAT it with its public IP. What do you say about this?
12-27-2012 10:13 AM
I'm glad you got it working. Didn't get what exactly you want to hear about your last post))) What I meant to say is that you don't need that ACL. You're thinking correctly about decapsulation, NAT, routing and all that in what you wrote.
01-01-2013 10:56 AM
Check it:
Write ip nat inside on your private interface and ip nat outside on your public interface.
Then modify the NAT access list.
You have to deny:
access-list no-nat extended deny ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
If you deny it, then only your packets travel via the tunnel.
01-01-2013 10:40 PM
Thanks Hardik for your reply. I have already configured it for my university and it's working successfully.
If you have any idea about remote access I would be happy to know about it. Staff members and researchers will make VPN tunnels from remote sites to the same PIX firewall to access IEEE material through the PIX firewall IP, so I don't know whether SSL web VPN will work or not, or whether I should configure the PIX as an Easy VPN server. I haven't started studying remote access yet, but it will help me if you point me in the right direction at the start so I can focus on one thing.