Re: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT
From: Michael J. Tubby B.Sc. (Hons) G8TIC (mike.tubby_at_thorcom.co.uk)
To: <email@example.com>, <firstname.lastname@example.org>, <KHart@helixtechnology.com>, <Ken@kccweb.com> Date: Fri, 10 Oct 2003 17:42:28 +0100
I'm a command line person... always have been... always will be.
The problem of havbing two different ACLs with the same entries
sounds like a limitation of the application software rather than anything
in the PIX per se... assuming that PIXes work like IOS boxes, as
I have many a 2621/3640 with the same ACLs applied to many
One caveat that you will find is that if you use the PDM it doesn't support
using the same ACL for multiple uses. So for me I typically create a
"nonat01" ACL and than a "VPN01" acl that is the same. If you don't use the
PDM it doesn't matter and functionally it doesn't seem to break anything to
use a single ACL though. Maybe someone from Cisco can chime in on the issue?
Glad it worked for you.
> -----Original Message-----
> From: Michael J. Tubby B.Sc. (Hons) G8TIC
> Sent: Friday, October 10, 2003 03:25
> To: email@example.com; firstname.lastname@example.org;
> KHart@helixtechnology.com; Ken@kccweb.com
> Subject: Re: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT
> Thanks to Wes, Kevin, Ken and everyone else who came up with
> the same answer. The the:
> nat (inside) 0 access-list 101
> command fixed it fine (I'm also using access list 101 to define the
> interesting traffic to go down the VPN).
> ----- Original Message -----
> From: "Wes Noonan" <email@example.com>
> To: "'Michael J. Tubby B.Sc. (Hons) G8TIC'" <firstname.lastname@example.org>;
> Sent: Monday, October 06, 2003 6:45 PM
> Subject: RE: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT
> Without seeing your config file I would recommend looking at the following
> 1) Use the PDM to configure the VPN until you get more comfortable with
> commands required
> 2) Look into the "nat (inside) 0" command.
> ftware_Configuration check out the multitude of VPN configuration
> > -----Original Message-----
> > From: email@example.com [mailto:firewall-
> > firstname.lastname@example.org] On Behalf Of Michael J. Tubby B.Sc. (Hons)
> > Sent: Monday, October 06, 2003 11:58
> > To: email@example.com
> > Subject: [fw-wiz] Cisco PIX506 problem minxing VPN and NAT
> > Hi,
> > I've been working with IP and Cisco routers for many years, but
> > am now somewhat stuck on a problem involving IPSEC VPN
> > tunnels mixed with NAT on a Cisco PIX506E box (firmware 6.2)
> > - I'm pretty new to PIX firewalls.
> > A simplified network diagram can be found at:
> > http://www.tubby.org/cisco/networking/vpn_config.pdf
> > where "our site" is local to me and "customer site" is the far end - I
> > am not responsible for the equipment at the customer site.
> > We have a number of hosts that are on an "inside" LAN segment
> > (192.168.10.0/24) for which I need to arrange two things to occur:
> > a) they must travel across a 3DES VPN tunnel and land on a Cisco
> > 3640 at the far end (customer site) and reach other machines on
> > 10.0.0.0/24 there
> > b) they must appear with "real" IP addresses via NAT from our
> > internet connection, and there must be a static mapping between
> > the public IP address and the internal IP address, for example:
> > 188.8.131.52 => 192.168.10.240
> > 184.108.40.206 => 192.168.10.241
> > nb. the machines on the "inside" have only the 192.168.10.xxx form
> > of address; the PIX506E must NAT each one in and outbound to
> > the public internet equivalent 193.82.116.xxx address.
> > At our site we have a Cisco 2621 with IP/FW/IDS which is "locked
> > down" fairly tightly (port by port ACLs etc.) After some considerable
> > fiddling about to open ISAKMP (udp/500) and ESP I've got the
> > IPSEC bit working and get the security association etc. all set up
> > the PIX506E and the Customer's 3640 and I can see packets leaving
> > correctly when I ping 10.0.0.xx addresses.
> > However, there appears to be a problem that the packets that come
> > back in from the VPN tunnel, eg. ICMP Echo Reply, these are addressed
> > to the 192.168.10.xxx host when leaving the remote machine making the
> > reply but appear to get caught up in the NAT that I've configured for
> > requirement (b) above - so the PIX appears to NAT the reply packets
> > back to 193.82.116.xxx packets when it should have just dropped them
> > in the "inside" interface.
> > Clearly something isn't right but I'm struggling to find details on the
> > way
> > in which VPN and NAT interact inside PIX firewalls.
> > Any help/ideas would be greatly appreciated.
> > Mike Tubby
> > _______________________________________________
> > firewall-wizards mailing list
> > firstname.lastname@example.org
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
firewall-wizards mailing list