05-17-2005 10:15 AM - edited 02-21-2020 01:46 PM
Hello everyone,
I'm probably a little off, tired, working on too many things and I need a fresh pair of eyes...
The VPN tunnel in the config below establishes but I think my access lists are messed up.
The vendor sees my INTERNAL IP range instead of the PAT IP I've set up.
Please take a look and let me know how badly I'm messing up... Thanks!
name <vendor_range>.97 vendor_VPN
name <vendor_range>.110 vendor_FTP
name <vendor_range>.109 vendor_HTTP
object-group service vendor tcp
description vendor Firewall Rules
access-list l2l_vendor_traffic permit ip host <external PAT IP> host vendor_HTTP
access-list l2l_vendor_traffic permit ip host <external PAT IP> host vendor_FTP
access-list vendor_VPN_ACL permit ip Internal_IP_Network 255.255.0.0 host vendor_HTTP
access-list vendor_VPN_ACL permit ip Internal_IP_Network 255.255.0.0 host vendor_FTP
global (outside) 51 <external PAT IP>
nat (inside) 51 access-list l2l_vendor_traffic 0 0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-sha-hmac
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address vendor_VPN_ACL
crypto map mymap 30 set pfs group2
crypto map mymap 30 set peer vendor_VPN
crypto map mymap 30 set transform-set ESP-3DES-MD5
crypto map mymap interface outside
isakmp enable outside
isakmp key <key> address vendor_VPN netmask 255.255.255.255
isakmp identity address
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
05-17-2005 05:54 PM
I assume from this you're trying to PAT your internal hosts BEFORE they go over the tunnel, so that the other end sees only the PAT address, is that correct?
If that's the case then you're referencing your access-lists around the wrong way. You should have the following:
nat (inside) 51 access-list vendor_VPN_ACL 0 0
crypto map mymap 30 match address l2l_vendor_traffic
Remember that NAT happens BEFORE encryption, so the NAT statement has to reference the original traffic (vendor_VPN_ACL), and the crypto access-list has to then latch the already-NAT'd traffic (l2l_vendor_traffic).
Make sure the other end's crypto access-list references the NAT'd traffic as its ACL though, otherwise the tunnel won't even come up now. Oh, and since you've changed the crypto map, remove/re-add the crypto map off the outside interface to bring the changes into effect.
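The order of operations this reply describes (policy NAT first, crypto map match second) can be checked with a small model of the PIX outbound path. The following is an added example, not code from the thread or from Cisco; the addresses are constructed RFC 5737 placeholders standing in for the redacted Internal_IP_Network, <external PAT IP>, vendor_HTTP and vendor_FTP values, and the three scenario functions are hypothetical names for the config as posted, the config with only the nat statement swapped, and the config as suggested here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addresses (RFC 5737 documentation ranges). The thread
# redacts the real values, so these are assumptions, not the poster's addresses.
INTERNAL_NET = "10.0.0.0/16"       # stands in for Internal_IP_Network 255.255.0.0
PAT_IP = "198.51.100.10"           # stands in for <external PAT IP>
VENDOR_HTTP = "203.0.113.109"      # stands in for vendor_HTTP
VENDOR_FTP = "203.0.113.110"       # stands in for vendor_FTP


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry; 'host x' is modelled as x/32."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def permit_ip(src: str, dst: str) -> Ace:
    return Ace(ipaddress.ip_network(src), ipaddress.ip_network(dst))


def acl_permits(acl, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """All entries in these ACLs are permits, so any matching entry is a permit."""
    return any(src in ace.src and dst in ace.dst for ace in acl)


# The two access-lists from the first post, over the placeholder addresses.
L2L_VENDOR_TRAFFIC = [permit_ip(PAT_IP + "/32", VENDOR_HTTP + "/32"),
                      permit_ip(PAT_IP + "/32", VENDOR_FTP + "/32")]
VENDOR_VPN_ACL = [permit_ip(INTERNAL_NET, VENDOR_HTTP + "/32"),
                  permit_ip(INTERNAL_NET, VENDOR_FTP + "/32")]


def pix_outbound(src: str, dst: str, nat_acl, crypto_acl) -> dict:
    """Model one inside-to-outside packet through the PIX order of operations:
    1. policy NAT (nat (inside) 51 access-list ...) rewrites the source to the
       PAT address when nat_acl permits the ORIGINAL packet;
    2. the crypto map (match address ...) then sees the POST-NAT packet and
       sends it into the tunnel only when crypto_acl permits that packet."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    on_wire_src = ipaddress.ip_address(PAT_IP) if acl_permits(nat_acl, s, d) else s
    encrypted = acl_permits(crypto_acl, on_wire_src, d)
    return {"src_on_wire": str(on_wire_src), "encrypted": encrypted}


def as_posted() -> dict:
    # nat 51 -> l2l_vendor_traffic, crypto map -> vendor_VPN_ACL (the first post)
    return pix_outbound("10.0.5.7", VENDOR_HTTP, L2L_VENDOR_TRAFFIC, VENDOR_VPN_ACL)


def nat_swapped_only() -> dict:
    # nat 51 -> vendor_VPN_ACL, but the crypto map still matches vendor_VPN_ACL
    return pix_outbound("10.0.5.7", VENDOR_HTTP, VENDOR_VPN_ACL, VENDOR_VPN_ACL)


def as_suggested() -> dict:
    # nat 51 -> vendor_VPN_ACL, crypto map -> l2l_vendor_traffic (this reply)
    return pix_outbound("10.0.5.7", VENDOR_HTTP, VENDOR_VPN_ACL, L2L_VENDOR_TRAFFIC)


if __name__ == "__main__":
    for label, scenario in [("as posted", as_posted),
                            ("nat swapped, crypto ACL not", nat_swapped_only),
                            ("as suggested", as_suggested)]:
        print(f"{label:30s} {scenario()}")
```

Running the three scenarios shows the symptom from the first post (the nat ACL never matches an internal source, so no translation happens and the crypto ACL encrypts the internal address into the tunnel), the half-fixed case where the packet is translated but no longer matches the crypto ACL and so leaves the outside interface outside the tunnel, and the suggested configuration where the translated packet matches l2l_vendor_traffic and goes into the tunnel with the PAT source.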
05-18-2005 08:33 AM
I reversed it and it still doesn't work, it does NOT PAT, the other end sees my internal IPs instead of the PAT.
frustrating....
Note, the tunnel only came up when I added the last access-list statement
access-list l2l_vendor_traffic line 1 permit ip host
access-list l2l_vendor_traffic line 2 permit ip host
access-list l2l_vendor_traffic line 3 permit ip InternalNetwork 255.255.0.0 host vendor_HTTP (hitcnt=5)
access-list vendor_VPN_ACL line 1 permit ip InternalNetwork 255.255.0.0 host vendor_HTTP (hitcnt=3)
access-list vendor_VPN_ACL line 2 permit ip InternalNetwork 255.255.0.0 host vendor_FTP (hitcnt=0)
access-list vendor_VPN_ACL line 3 permit ip host
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address l2l_vendor_traffic
crypto map mymap 30 set pfs group2
crypto map mymap 30 set peer vendor_VPN
crypto map mymap 30 set transform-set ESP-3DES-MD5
global (outside) 51
nat (inside) 51 access-list vendor_VPN_ACL 0 0
05-19-2005 01:06 PM
I think your access-list is a little off. Try the following:
access-list l2l_vendor_traffic permit ip host
05-20-2005 12:04 PM
Thanks, I already tried that, but the problem is that the tunnel does get setup but does not get PATed, which exposes my internal IP range...
Any other recommendations are appreciated.
05-20-2005 05:33 PM
Sorry, I misunderstood what you were trying to do. According to Cisco TAC, you can't NAT/PAT the inside when doing IPSec for the tunnel. I tried this once and it didn't work, so I opened a case with TAC and this is what they told me. If you find out different, please let me know.
05-23-2005 06:31 AM
Hi there.
I am actually doing the exact same thing on a different PIX, i.e. PAT, and it's working just fine.
HOWEVER, the difference being that the PAT address on the working PIX is a private, vendor specified IP and this is a public IP....
Anyone????