RE: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT

From: Hart, Kevin (KHart_at_helixtechnology.com)
Date: 10/06/03

    To: "'Michael J. Tubby B.Sc. (Hons) G8TIC'" <mike.tubby@thorcom.co.uk>, firewall-wizards@honor.icsalabs.com
    Date: Mon, 6 Oct 2003 13:35:00 -0400
    
    

    Do you have a nat 0 statement and ACL so that the VPN traffic isn't
    translated? Something like...

    access-list 101 permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
    nat (inside) 0 access-list 101

    Kevin

    -----Original Message-----
    From: Michael J. Tubby B.Sc. (Hons) G8TIC
    [mailto:mike.tubby@thorcom.co.uk]
    Sent: Monday, October 06, 2003 12:58 PM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT

    Hi,

    I've been working with IP and Cisco routers for many years, but
    am now somewhat stuck on a problem involving IPSEC VPN
    tunnels mixed with NAT on a Cisco PIX506E box (firmware 6.2)
    - I'm pretty new to PIX firewalls.

    A simplified network diagram can be found at:

            http://www.tubby.org/cisco/networking/vpn_config.pdf

    where "our site" is local to me and "customer site" is the far end - I
    am not responsible for the equipment at the customer site.

    We have a number of hosts that are on an "inside" LAN segment
    (192.168.10.0/24) for which I need to arrange two things to occur:

    a) they must travel across a 3DES VPN tunnel and land on a Cisco
       3640 at the far end (customer site) and reach other machines on
       10.0.0.0/24 there

    b) they must appear with "real" IP addresses via NAT from our
       internet connection, and there must be a static mapping between
       the public IP address and the internal IP address, for example:

                193.82.116.240 => 192.168.10.240
                193.82.116.241 => 192.168.10.241

       nb. the machines on the "inside" have only the 192.168.10.xxx form
       of address; the PIX506E must NAT each one in and outbound to
       the public internet equivalent 193.82.116.xxx address.

    At our site we have a Cisco 2621 with IP/FW/IDS which is "locked
    down" fairly tightly (port by port ACLs etc.). After some considerable
    fiddling about to open ISAKMP (udp/500) and ESP I've got the
    IPSEC bit working and get the security association etc. all set up between
    the PIX506E and the Customer's 3640 and I can see packets leaving
    correctly when I ping 10.0.0.xx addresses.

    However, there appears to be a problem: the packets that come
    back in from the VPN tunnel, e.g. ICMP Echo Reply, are addressed
    to the 192.168.10.xxx host when leaving the remote machine making the
    reply, but appear to get caught up in the NAT that I've configured for
    requirement (b) above, so the PIX appears to NAT the reply packets
    back to 193.82.116.xxx when it should have just dropped them
    on the "inside" interface.

    Clearly something isn't right but I'm struggling to find details on the way
    in which VPN and NAT interact inside PIX firewalls.

    Any help/ideas would be greatly appreciated.

    Mike Tubby

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
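A fuller PIX 6.x configuration, added here as an example that is not from either poster, showing how the NAT-exemption ACL Kevin suggests sits alongside the static mappings from requirement (b) and the crypto map for requirement (a). The network addresses are the ones given in the thread; PEER_PUBLIC_IP, the ISAKMP key, and the access-list, crypto map and transform-set names are placeholders chosen for this example.

```cisco
! Constructed example for a PIX 506E running 6.x; not the poster's config.
! PEER_PUBLIC_IP = public address of the customer's 3640 (placeholder).

! Traffic from the inside LAN to the customer's LAN, used both to exempt
! it from NAT (nat 0) and to select it for encryption (crypto map).
access-list 101 permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0

! NAT exemption: anything matching 101 keeps its 192.168.10.x address.
! The PIX checks this before the static translations below, so the
! statics only apply to traffic that is NOT bound for 10.0.0.0/24.
nat (inside) 0 access-list 101

! Requirement (b): one-to-one public <=> private mappings for internet use.
static (inside,outside) 193.82.116.240 192.168.10.240 netmask 255.255.255.255
static (inside,outside) 193.82.116.241 192.168.10.241 netmask 255.255.255.255

! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! Requirement (a): 3DES IPsec tunnel to the 3640.
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address 101
crypto map VPNMAP 10 set peer PEER_PUBLIC_IP
crypto map VPNMAP 10 set transform-set 3DES-SHA
crypto map VPNMAP interface outside

isakmp enable outside
isakmp key PRESHARED_KEY_PLACEHOLDER address PEER_PUBLIC_IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The same access-list doing double duty is deliberate: the set of traffic that goes into the tunnel and the set that is exempt from NAT must be identical, otherwise the far end sees 193.82.116.x sources it has no crypto ACL for, or replies to 192.168.10.x get translated on the way back in, which is the symptom described above. The 3640's crypto ACL has to be the mirror image (10.0.0.0/24 to 192.168.10.0/24, not to the public addresses). After a ping to a 10.0.0.x host, `show crypto ipsec sa` should show both the "pkts encaps" and "pkts decaps" counters climbing; if only encaps moves, the return traffic is still being mis-handled on one side. Note that `sysopt connection permit-ipsec` opens the outside ACL to all decrypted traffic, so anything you want to restrict between the two sites has to be filtered on the inside interface or at the far end.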

