[fw-wiz] Cisco PIX506 problem mixing VPN and NAT
From: Michael J. Tubby B.Sc. (Hons) G8TIC (mike.tubby_at_thorcom.co.uk)
Date: 10/06/03
- Previous message: Christopher Hicks: "Re: [fw-wiz] Personal Firewall Day?"
- Next in thread: Hart, Kevin: "RE: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT"
- Maybe reply: Hart, Kevin: "RE: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT"
- Reply: Wes Noonan: "RE: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT"
- Maybe reply: Hart, Kevin: "RE: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <firewall-wizards@honor.icsalabs.com>
Date: Mon, 6 Oct 2003 17:58:25 +0100
Hi,
I've been working with IP and Cisco routers for many years, but
am now somewhat stuck on a problem involving IPSEC VPN
tunnels mixed with NAT on a Cisco PIX506E box (firmware 6.2)
- I'm pretty new to PIX firewalls.
A simplified network diagram can be found at:
http://www.tubby.org/cisco/networking/vpn_config.pdf
where "our site" is local to me and "customer site" is the far end - I
am not responsible for the equipment at the customer site.
We have a number of hosts that are on an "inside" LAN segment
(192.168.10.0/24) for which I need to arrange two things to occur:
a) they must travel across a 3DES VPN tunnel and land on a Cisco
3640 at the far end (customer site) and reach other machines on
10.0.0.0/24 there
b) they must appear with "real" IP addresses via NAT from our
internet connection, and there must be a static mapping between
the public IP address and the internal IP address, for example:
193.82.116.240 => 192.168.10.240
193.82.116.241 => 192.168.10.241
NB: the machines on the "inside" have only the 192.168.10.xxx form
of address; the PIX506E must NAT each one, inbound and outbound, to
the public internet equivalent 193.82.116.xxx address.
At our site we have a Cisco 2621 with IP/FW/IDS which is "locked
down" fairly tightly (port-by-port ACLs etc.). After some considerable
fiddling about to open ISAKMP (udp/500) and ESP, I've got the
IPSEC bit working: the security association etc. is all set up between
the PIX506E and the customer's 3640, and I can see packets leaving
correctly when I ping 10.0.0.xx addresses.
However, there appears to be a problem with the packets that come
back in from the VPN tunnel, e.g. ICMP Echo Reply: these are addressed
to the 192.168.10.xxx host when leaving the remote machine making the
reply, but appear to get caught up in the NAT that I've configured for
requirement (b) above, so the PIX appears to NAT the reply packets
back to 193.82.116.xxx packets when it should have just dropped them
on the "inside" interface.
Clearly something isn't right but I'm struggling to find details on the way
in which VPN and NAT interact inside PIX firewalls.
Any help/ideas would be greatly appreciated.
Mike Tubby
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
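For the two requirements described in the post, here is an added PIX 6.x configuration sketch (not from the original message, and not Cisco's or the poster's own config) showing the usual way to keep the two mechanisms apart: a NAT exemption (nat 0 with an access-list) so that traffic between 192.168.10.0/24 and 10.0.0.0/24 enters the tunnel untranslated, alongside the one-to-one static mappings for everything else. Interface names, the ACL and crypto map names, the transform set, and the peer address are assumptions.

```text
! --- Requirement (b): static one-to-one NAT for Internet-bound traffic ---
static (inside,outside) 193.82.116.240 192.168.10.240 netmask 255.255.255.255
static (inside,outside) 193.82.116.241 192.168.10.241 netmask 255.255.255.255

! --- NAT exemption: traffic for the customer LAN must NOT be translated ---
! Assumed ACL name "nonat". On PIX 6.x, nat 0 with an access-list is
! evaluated before the static entries, so 192.168.10.x -> 10.0.0.x packets
! keep their private source address and match the crypto ACL below;
! the 10.0.0.x -> 192.168.10.x replies are likewise left untouched.
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- Requirement (a): 3DES IPsec tunnel to the customer's 3640 ---
! Crypto ACL defines "interesting" traffic; it mirrors the nonat ACL.
access-list vpn permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0

! Assumed transform-set and crypto map names; PEER-IP is a placeholder
! for the customer's 3640 public address.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map custmap 10 ipsec-isakmp
crypto map custmap 10 match address vpn
crypto map custmap 10 set peer PEER-IP
crypto map custmap 10 set transform-set strong
crypto map custmap interface outside

! IKE phase 1 with a pre-shared key (placeholder shown)
isakmp enable outside
isakmp key PRE-SHARED-KEY-PLACEHOLDER address PEER-IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec
```

To confirm the exemption is taking effect, `show xlate` after a ping to 10.0.0.x should show no translation built for that flow, while `show crypto ipsec sa` should show the encaps/decaps counters for the 192.168.10.0/24 to 10.0.0.0/24 SA incrementing.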