vpn with nat on pix firewall

abdul basit
Level 1

Hi friends. I established a VPN between a dynamic IP router and a static IP PIX. I am simulating the scenario of my university network in GNS3. I want the traffic received by the PIX firewall through the VPN tunnel to go to the Internet to a specific server through its public static IP, which is registered with IEEE. My VPN is working, but I can't ping that server which I want to be accessed through the public IP of the PIX. I know there is a problem with NATing on the PIX firewall, but I can't sort it. Please, anyone, help me with it.

Router results are:

R2#show crypto isakmp sa

dst             src             state          conn-id slot status

172.0.1.2       172.0.0.2       QM_IDLE              1    0 ACTIVE

PIX firewall results are:

pix1# show crypto isakmp sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 172.0.0.2

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

access-list no-nat extended permit ip any any

access-list vpn extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (outside) 0 access-list vpn

nat (inside) 1 0.0.0.0 0.0.0.0

access-group no-nat in interface outside

route outside 0.0.0.0 0.0.0.0 172.0.1.1 1

pix1# show nat outside

  match ip outside 172.16.0.0 255.255.0.0 outside 192.168.1.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 9

I want to access 172.16.0.0 through the public IP of the PIX firewall in this simulation.

The topology is shown below.


12 Replies

Andrew Phirsov
Level 7

What about "same-security-traffic permit intra-interface"?

Hey Andrew, thanks for the reply. Please can you explain this to me?

Thank you so much. This command works and I can ping successfully.

abdul basit
Level 1

Please, someone reply to me; I am just CCNA.

Plus, nat 0 should be applied to the inside interface:

nat (inside) 0 access-list vpn

Why should I include this command? I don't want my traffic to go to the inside network. Please tell me; I am completely new to the firewall and security world.

For traffic to be able to go back and forth on the same interface you need the global config command: same-security-traffic permit intra-interface. Plus what I said about NAT.

And, though it's not related to what you asked about, I don't think you need this:

access-group no-nat in interface outside,

because VPN traffic between your sites is allowed without any ACL on the outside interface, if you've got sysopt connection permit vpn enabled.
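Added example, not from the thread or from Cisco: a small Python check that reads the PIX NAT lines quoted above and reports the two gaps Andrew pointed out (no same-security-traffic permit intra-interface, and no nat 0 exemption on the inside interface), plus a nat id that has no matching global pool. The two config strings are constructed from the lines in the thread; the audit logic is my own.

```python
import re

# Constructed sample input: the poster's PIX 7.x NAT lines as quoted in the
# thread, and the same lines plus the two additions the thread settled on.
ORIGINAL_CFG = """\
access-list no-nat extended permit ip any any
access-list vpn extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (outside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0
access-group no-nat in interface outside
"""
FIXED_CFG = ORIGINAL_CFG + """\
same-security-traffic permit intra-interface
nat (inside) 0 access-list vpn
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.*)$")
GLOBAL_RE = re.compile(r"^global \(\S+\) (\d+) ")
ACL_RE = re.compile(r"^access-list (\S+) ")
HAIRPIN = "same-security-traffic permit intra-interface"


def audit_hairpin(cfg, lan_if="inside"):
    """Return findings that would stop traffic arriving on the outside
    interface (decrypted VPN traffic) from leaving through the same interface."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    acls = {m.group(1) for l in lines if (m := ACL_RE.match(l))}
    global_ids = {m.group(1) for l in lines if (m := GLOBAL_RE.match(l))}
    nats = [m.groups() for l in lines if (m := NAT_RE.match(l))]
    findings = []
    if HAIRPIN not in lines:
        findings.append("missing: " + HAIRPIN)
    exempt_ifs = set()
    for iface, nat_id, rest in nats:
        if nat_id == "0":  # NAT exemption; must point at an ACL that exists
            if rest.startswith("access-list "):
                acl = rest.split()[1]
                if acl not in acls:
                    findings.append(f"nat ({iface}) 0 references unknown ACL {acl}")
                exempt_ifs.add(iface)
        elif nat_id not in global_ids:  # dynamic NAT/PAT needs a global with same id
            findings.append(f"nat ({iface}) {nat_id} has no matching global pool")
    if lan_if not in exempt_ifs:
        findings.append(f"no nat ({lan_if}) 0 access-list exemption for the LAN")
    return findings
```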

Yeah Andrew, you are right about the access-list. About the NAT command you mentioned: why should I need this? Because when the PIX receives VPN traffic and decapsulates it, it will see 172.16.0.0 as the destination network, for which there is a default route in it. What I think is the PIX should forward the packet to the default route and NAT it with its public IP. What do you say about this?

I'm glad you got it working. Didn't get what exactly you want to hear about your last post))) What I meant to say is that you don't need that ACL. You're thinking correctly about decapsulation, NAT, routing and all that in what you wrote.

Hardik Vaidh
Level 1

Check it:

Write ip nat inside on your private interface and ip nat outside on your public interface.

Then modify the NAT access list.

You have to deny:

access-list no-nat extended deny ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0

If you deny, then only your packets travel via the tunnel.

Thanks Hardik for your reply. I have already configured it for my university and it is working successfully.

If you have any idea about remote access I would be happy to know about it. To the same PIX firewall, staff members and researchers will make VPN tunnels from remote sites to access IEEE material through the PIX firewall IP, so I don't know whether SSL web VPN will work or not, or whether I should configure the PIX as an Easy VPN server. I didn't start studying remote access yet, but it will help me if you point me at the start to focus on one thing.