cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
465
Views
0
Helpful
6
Replies

VPN with PAT address

funraps
Level 1
Level 1

Hello everyone,

I'm probably a little off, tired, working on too many things and I need a fresh pair of eyes...

The VPN tunnel in the config below establishes but I think my access lists are messed up.

The vendor see's my INTERNAL IP range instead of the PAT ip I've setup.

Please take a look and let me know how badly I'm messing up.. Thanks!

name <vendor_range>.97 vendor_VPN

name <vendor_range>.110 vendor_FTP

name <vendor_range>.109 vendor_HTTP

object-group service vendor tcp

description vendor Firewall Rules

access-list l2l_vendor_traffic permit ip host <external PAT IP> host vendor_HTTP

access-list l2l_vendor_traffic permit ip host <external PAT IP> host vendor_FTP

access-list vendor_VPN_ACL permit ip Internal_IP_Network 255.255.0.0 host vendor_HTTP

access-list vendor_VPN_ACL permit ip Internal_IP_Network 255.255.0.0 host vendor_FTP

global (outside) 51 <external PAT IP>

nat (inside) 51 access-list l2l_vendor_traffic 0 0

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-sha-hmac

crypto map mymap 30 ipsec-isakmp

crypto map mymap 30 match address vendor_VPN_ACL

crypto map mymap 30 set pfs group2

crypto map mymap 30 set peer vendor_VPN

crypto map mymap 30 set transform-set ESP-3DES-MD5

crypto map mymap interface outside

isakmp enable outside

isakmp key <key> address vendor_VPN netmask 255.255.255.255

isakmp identity address

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash sha

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

6 Replies 6

gfullage
Cisco Employee
Cisco Employee

I assume from this you're trying to PAT your internal hosts BEFORE they go over the tunnel, so that the other end sees only the PAT address, is that correct?

If that's the case then you're referencing your access-lists around the wrong way. You should have the following:

nat (inside) 51 access-list vendor_VPN_ACL 0 0

crypto map mymap 30 match address l2l_vendor_traffic

Remember that NAT happens BEFORE encryption, so the NAT statement has to reference the original traffic (vendor_VPN_ACL), and the crypto access-list has to then latch the already-NAT'd traffic (l2l_vendor_traffic).

Make sure the other end's crypto access-list references the NAT'd traffic as it's ACL though, otherwise the tunnel won't even come up now. Oh, and since you've changed the crypto map, remove/re-add the crypto map off the outside interface to bring the changes into effect.

I reversed it and it still doesn't work, it does NOT PAT, the other end sees my internal IP's instead of the PAT.

frustrating....

Note, the tunnel only came up when I added the last access-list statement

access-list l2l_vendor_traffic line 1 permit ip host host vendor_HTTP (hitcnt=0)

access-list l2l_vendor_traffic line 2 permit ip host host vendor_FTP (hitcnt=0)

access-list l2l_vendor_traffic line 3 permit ip InternalNetwork 255.255.0.0 host vendor_HTTP (hitcnt=5)

access-list vendor_VPN_ACL line 1 permit ip InternalNetwork 255.255.0.0 host vendor_HTTP (hitcnt=3)

access-list vendor_VPN_ACL line 2 permit ip InternalNetwork 255.255.0.0 host vendor_FTP (hitcnt=0)

access-list vendor_VPN_ACL line 3 permit ip host host vendor_HTTP (hitcnt=0)

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash sha

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

crypto map mymap 30 ipsec-isakmp

crypto map mymap 30 match address l2l_vendor_traffic

crypto map mymap 30 set pfs group2

crypto map mymap 30 set peer vendor_VPN

crypto map mymap 30 set transform-set ESP-3DES-MD5

global (outside) 51

nat (inside) 51 access-list vendor_VPN_ACL 0 0

mklaphek
Level 1
Level 1

I think your access-list is a little off. Try the following:

access-list l2l_vendor_traffic permit ip host host vendor_HTTP. Your inside hosts will never match to this address if it's an outside address (you can check by issuing a "show access-list" command).

Thanks, I already tried that, but the problem is that the tunnel does get setup but does not get PATed, which exposes my internal IP range...

Any other recommendations are appreciated.

Sorry, I misunderstood what you were trying to do. According to Cisco TAC, you can't NAT/PAT the inside when doing IPSec for the tunnel. I tried this once and it didn't work, so I opened a case with TAC and this is what they told me. If you find out different, please let me know.

Hi there.

I am actually doing the Exact same thing on a different pix, i.e PAT and it's working just fine.

HOWEVER, the difference being that the PAT address on the working PIX is a private, vendor specified IP and this is a public IP....

Anyone????