Re: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT

From: Michael J. Tubby B.Sc. (Hons) G8TIC (mike.tubby_at_thorcom.co.uk)
Date: 10/10/03

    To: <mailinglists@wjnconsulting.com>, <firewall-wizards@honor.icsalabs.com>, <KHart@helixtechnology.com>, <Ken@kccweb.com>
    Date: Fri, 10 Oct 2003 17:42:28 +0100
    
    

    Wes,

    I'm a command line person... always have been... always will be.

    The problem of having two different ACLs with the same entries
    sounds like a limitation of the application software rather than anything
    in the PIX per se... assuming that PIXes work like IOS boxes, as
    I have many a 2621/3640 with the same ACLs applied to many
    interfaces...

    Mike

    One caveat that you will find is that if you use the PDM it doesn't support
    using the same ACL for multiple uses. So for me I typically create a
    "nonat01" ACL and then a "VPN01" acl that is the same. If you don't use the
    PDM it doesn't matter and functionally it doesn't seem to break anything to
    use a single ACL though. Maybe someone from Cisco can chime in on the issue?

    Glad it worked for you.

    Wes

    > -----Original Message-----
    > From: Michael J. Tubby B.Sc. (Hons) G8TIC
    > [mailto:mike.tubby@thorcom.co.uk]
    > Sent: Friday, October 10, 2003 03:25
    > To: mailinglists@wjnconsulting.com; firewall-wizards@honor.icsalabs.com;
    > KHart@helixtechnology.com; Ken@kccweb.com
    > Subject: Re: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT
    >
    > Gents,
    >
    > Thanks to Wes, Kevin, Ken and everyone else who came up with
    > the same answer. The:
    >
    > nat (inside) 0 access-list 101
    >
    > command fixed it fine (I'm also using access list 101 to define the
    > interesting traffic to go down the VPN).
    >
    > Regards
    >
    > Mike
    >
    >
    >
    > ----- Original Message -----
    > From: "Wes Noonan" <mailinglists@wjnconsulting.com>
    > To: "'Michael J. Tubby B.Sc. (Hons) G8TIC'" <mike.tubby@thorcom.co.uk>;
    > <firewall-wizards@honor.icsalabs.com>
    > Sent: Monday, October 06, 2003 6:45 PM
    > Subject: RE: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT
    >
    >
    > Without seeing your config file I would recommend looking at the following
    > options:
    >
    > 1) Use the PDM to configure the VPN until you get more comfortable with the
    > commands required
    > 2) Look into the "nat (inside) 0" command.
    > 3) http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration
    > check out the multitude of VPN configuration examples.
    >
    > Thanks.
    >
    > Wes
    >
    > > -----Original Message-----
    > > From: firewall-wizards-admin@honor.icsalabs.com [mailto:firewall-wizards-admin@honor.icsalabs.com]
    > > On Behalf Of Michael J. Tubby B.Sc. (Hons) G8TIC
    > > Sent: Monday, October 06, 2003 11:58
    > > To: firewall-wizards@honor.icsalabs.com
    > > Subject: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT
    > >
    > > Hi,
    > >
    > > I've been working with IP and Cisco routers for many years, but
    > > am now somewhat stuck on a problem involving IPSEC VPN
    > > tunnels mixed with NAT on a Cisco PIX506E box (firmware 6.2)
    > > - I'm pretty new to PIX firewalls.
    > >
    > > A simplified network diagram can be found at:
    > >
    > > http://www.tubby.org/cisco/networking/vpn_config.pdf
    > >
    > > where "our site" is local to me and "customer site" is the far end - I
    > > am not responsible for the equipment at the customer site.
    > >
    > > We have a number of hosts that are on an "inside" LAN segment
    > > (192.168.10.0/24) for which I need to arrange two things to occur:
    > >
    > > a) they must travel across a 3DES VPN tunnel and land on a Cisco
    > > 3640 at the far end (customer site) and reach other machines on
    > > 10.0.0.0/24 there
    > >
    > > b) they must appear with "real" IP addresses via NAT from our
    > > internet connection, and there must be a static mapping between
    > > the public IP address and the internal IP address, for example:
    > >
    > > 193.82.116.240 => 192.168.10.240
    > > 193.82.116.241 => 192.168.10.241
    > >
    > > nb. the machines on the "inside" have only the 192.168.10.xxx form
    > > of address; the PIX506E must NAT each one in and outbound to
    > > the public internet equivalent 193.82.116.xxx address.
    > >
    > > At our site we have a Cisco 2621 with IP/FW/IDS which is "locked
    > > down" fairly tightly (port by port ACLs etc.) After some considerable
    > > fiddling about to open ISAKMP (udp/500) and ESP I've got the
    > > IPSEC bit working and get the security association etc. all set up between
    > > the PIX506E and the Customer's 3640 and I can see packets leaving
    > > correctly when I ping 10.0.0.xx addresses.
    > >
    > > However, there appears to be a problem that the packets that come
    > > back in from the VPN tunnel, eg. ICMP Echo Reply, these are addressed
    > > to the 192.168.10.xxx host when leaving the remote machine making the
    > > reply but appear to get caught up in the NAT that I've configured for
    > > requirement (b) above - so the PIX appears to NAT the reply packets
    > > back to 193.82.116.xxx packets when it should have just dropped them
    > > in the "inside" interface.
    > >
    > > Clearly something isn't right but I'm struggling to find details on the way
    > > in which VPN and NAT interact inside PIX firewalls.
    > >
    > > Any help/ideas would be greatly appreciated.
    > >
    > >
    > > Mike Tubby
    > >
    > > _______________________________________________
    > > firewall-wizards mailing list
    > > firewall-wizards@honor.icsalabs.com
    > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

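As an added example (not part of the thread, and not Cisco's code), a small Python model of the NAT-exemption decision that `nat (inside) 0 access-list 101` introduces, using the addresses Mike quoted; the ACL entries, the remote host addresses and the equivalence check for Wes's separate "nonat"/"VPN" ACLs are constructed for illustration.

```python
"""Model of the PIX 'nat (inside) 0 access-list' decision from the thread.

Constructed example: the static mappings and networks are the ones quoted
in the thread; ACL entries and destination hosts are made up. Only static
NAT is modelled, not a dynamic nat/global pool.
"""
from ipaddress import ip_address, ip_network

# Static one-to-one NAT from the thread: inside address -> public address.
STATIC_NAT = {
    "192.168.10.240": "193.82.116.240",
    "192.168.10.241": "193.82.116.241",
}

# Constructed stand-in for
# 'access-list 101 permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0'
# as a list of (source network, destination network) permit entries.
ACL_101 = [("192.168.10.0/24", "10.0.0.0/24")]


def acl_matches(acl, src, dst):
    """True if the inside->remote flow matches one permit entry of the ACL."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)


def translate_outbound(src, dst, nat0_acl=None):
    """Source address the PIX presents for an inside->outside packet.

    Without a nat 0 ACL, a statically mapped host is always translated, which
    is the behaviour the thread describes before the fix. With
    'nat (inside) 0 access-list 101', flows matching the ACL keep their
    private address so tunnel traffic and its replies line up. Returns None
    for a host with no static mapping (dynamic pool not modelled).
    """
    if nat0_acl is not None and acl_matches(nat0_acl, src, dst):
        return src  # NAT exemption: private address stays inside the tunnel
    return STATIC_NAT.get(src)


def acls_equivalent(nonat_acl, crypto_acl):
    """Wes's caveat: if the PDM forces a separate 'nonat' ACL and VPN ACL,
    they must describe the same flows, or some tunnel traffic gets NATted or
    some exempted traffic is sent outside the tunnel. Compares normalised
    (src, dst) network pairs as sets, so entry order does not matter."""
    def norm(acl):
        return {(ip_network(a), ip_network(b)) for a, b in acl}
    return norm(nonat_acl) == norm(crypto_acl)
```

Running `acls_equivalent` against the crypto-map ACL and the nat 0 ACL after every change is the check that keeps the two copies in step when the PDM will not let one ACL serve both purposes.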