RE: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT

From: Hart, Kevin (
Date: 10/06/03

  • Next message: Wes Noonan: "RE: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT"
    To: "'Michael J. Tubby B.Sc. (Hons) G8TIC'" <>,
    Date: Mon, 6 Oct 2003 13:35:00 -0400

    Do you have a nat 0 statement and ACL so that the VPN traffic isn't
    translated? Something like...

    access-list 101 permit ip
    nat (inside) 0 access-list 101


    -----Original Message-----
    From: Michael J. Tubby B.Sc. (Hons) G8TIC
    Sent: Monday, October 06, 2003 12:58 PM
    Subject: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT


    I've been working with IP and Cisco routers for many years, but
    am now somewhat stuck on a problem involving IPSEC VPN
    tunnels mixed with NAT on a Cisco PIX506E box (firmware 6.2)
    - I'm pretty new to PIX firewalls.

    A simplified network diagram can be found at:


    where "our site" is local to me and "customer site" is the far end - I
    am not responsible for the equipment at the customer site.

    We have a number of hosts that are on an "inside" LAN segment
    ( for which I need to arrange two things to occur:

    a) they must travel across a 3DES VPN tunnel and land on a Cisco
       3640 at the far end (customer site) and reach other machines on there

    b) they must appear with "real" IP addresses via NAT from our
       internet connection, and there must be a static mapping between
       the public IP address and the internal IP address, for example:


       nb. the machines on the "inside" have only the form
       of address; the PIX506E must NAT each one in and outbound to
       the public internet equivalent address.

    At our site we have a Cisco 2621 with IP/FW/IDS which is "locked
    down" fairly tightly (port by port ACLs etc.) After some considerable
    fiddling about to open ISAKMP (udp/500) and ESP I've got the
    IPSEC bit working and get the security association etc. all set up between
    the PIX506E and the Customer's 3640 and I can see packets leaving
    correctly when I ping 10.0.0.xx addresses.

    However, there appears to be a problem that the packets that come
    back in from the VPN tunnel, eg. ICMP Echo Reply, these are addressed
    to the host when leaving the remote machine making the
    reply but appear to get caught up in the NAT that I've configured for
    requirement (b) above - so the PIX appears to NAT the reply packets
    back to packets when it should have just dropped them
    in the "inside" interface.

    Clearly something isn't right but I'm struggling to find details on the way
    in which VPN and NAT interact inside PIX firewalls.

    Any help/ideas would be greatly appreciated.

    Mike Tubby

    firewall-wizards mailing list
    firewall-wizards mailing list

  • Next message: Wes Noonan: "RE: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT"