[fw-wiz] Cisco PIX to FW-1 VPN with policy NAT help request

From: Kari Mattsson (km#) (km1_at_trivore.com)
Date: 12/01/03

  • Next message: Robert L. Wanamaker: "[fw-wiz] OT: Sniffers"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 1 Dec 2003 18:37:43 +0200 (EET)
    
    

    Hi!

    I have a slight problem :-) It is probably an easy one for you..

    I can get the VPN tunnel up ok, but ping/telnet/etc. isn't going through.
    On the FW-1 end they claim traffic is coming in from the 10.1.1.0/24 network,
    which is not allowed. That is also why my pings are not answered.

    I'm trying to PAT all the traffic to IP 133.15.75.35.

    Any hints why I'm not succeeding?

    Here are some of the fragments of my configuration.
    Public IPs are imaginary.

    access-list acl2 permit icmp 10.1.1.0 255.255.255.0 any
    access-list acl2 permit ip 10.1.1.0 255.255.255.0 any
    access-group inside_acl in interface inside

    access-list acl3 permit icmp 10.1.1.0 255.255.255.0 host 192.189.32.128
    access-list acl3 permit ip 10.1.1.0 255.255.255.0 host 192.189.32.128
    global (outside) 99 133.15.75.36-133.15.75.59 netmask 255.255.255.224
    global (outside) 99 133.15.75.60 netmask 255.255.255.224
    global (outside) 11 133.15.75.35 netmask 255.255.255.224
    nat (inside) 0 access-list no_nat
    nat (inside) 11 access-list acl3 0 0
    nat (inside) 99 10.1.1.0 255.255.255.0 0 0

    crypto map map7 10 ipsec-isakmp
    crypto map map7 10 match address acl3
    crypto map map7 10 set peer 223.10.2.8
    crypto map map7 10 set transform-set 3des-md5
    crypto map map7 10 set security-association lifetime seconds 86400
    isakmp key ******** address 223.10.2.8 netmask 255.255.255.255 no-xauth

    //km1@trivore.com

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
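The configuration above hinges on two pieces of PIX 6.x behaviour: NAT rules are chosen in a fixed precedence (NAT exemption via `nat 0 access-list` first, then policy NAT via `nat <id> access-list`, then regular `nat <id> <net> <mask>`), and the crypto-map ACL is matched against the packet as it leaves the outside interface, i.e. after translation. The following is an added example, not code from the post or from the list, that models that ordering for the statements shown in the post so the effect of each rule on the source address the FW-1 peer sees can be checked. The post does not show the `no_nat` ACL, so the two `no_nat` variants, the `10.2.0.0/16` and `198.51.100.7` addresses, and the choice of the first pool address for `nat 99` are constructed assumptions.

```python
"""
Added example (not from the original post): a model of PIX 6.x NAT rule
precedence for one outbound packet, followed by the crypto-map ACL match
on the translated addresses.  Documented precedence modelled here:
  1. nat 0 access-list   (NAT exemption)
  2. nat <id> access-list (policy NAT)
  3. nat <id> <net> <mask> (regular dynamic NAT / PAT)
"""
import ipaddress

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


def ace(src, dst):
    """One 'permit ip' entry as (source network, destination network)."""
    return (IPv4Net(src), IPv4Net(dst))


def acl_permits(acl, src, dst):
    """All entries here are permits, so any match is a permit."""
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


# Statements taken from the post (public IPs imaginary, as in the post).
ACL3 = [ace("10.1.1.0/24", "192.189.32.128/32")]   # used by nat 11 and the crypto map
POLICY_PAT_ADDR = IPv4Addr("133.15.75.35")          # global (outside) 11
POOL_99_FIRST = IPv4Addr("133.15.75.36")            # global (outside) 99, first address
INSIDE_NET = IPv4Net("10.1.1.0/24")                 # nat (inside) 99

# The post does not show the no_nat ACL; both variants are constructed assumptions.
NO_NAT_COVERS_PEER = [ace("10.1.1.0/24", "192.189.32.128/32")]
NO_NAT_OTHER_SITE = [ace("10.1.1.0/24", "10.2.0.0/16")]   # hypothetical other site


def pix_translate(src, dst, no_nat_acl):
    """Pick the NAT rule the PIX would apply; return (source on the wire, rule)."""
    if acl_permits(no_nat_acl, src, dst):
        return src, "nat 0 access-list (exempt)"
    if acl_permits(ACL3, src, dst):
        return POLICY_PAT_ADDR, "nat 11 (policy PAT)"
    if src in INSIDE_NET:
        # Simplification: a real pool hands out addresses dynamically.
        return POOL_99_FIRST, "nat 99 (pool)"
    return src, "no translation"


def simulate(src, dst, no_nat_acl, crypto_acl):
    """Translate, then match the crypto ACL on the translated source."""
    src = IPv4Addr(src)
    dst = IPv4Addr(dst)
    out_src, rule = pix_translate(src, dst, no_nat_acl)
    encrypted = acl_permits(crypto_acl, out_src, dst)
    return {"src_on_wire": str(out_src), "nat_rule": rule, "encrypted": encrypted}


if __name__ == "__main__":
    peer_host = "192.189.32.128"
    # If no_nat covers the peer, exemption wins: tunnel carries 10.1.1.x.
    print(simulate("10.1.1.5", peer_host, NO_NAT_COVERS_PEER, ACL3))
    # If it does not, policy PAT applies, but acl3 no longer matches post-NAT.
    print(simulate("10.1.1.5", peer_host, NO_NAT_OTHER_SITE, ACL3))
    # A crypto ACL written for the translated address matches again.
    translated_crypto_acl = [ace("133.15.75.35/32", "192.189.32.128/32")]
    print(simulate("10.1.1.5", peer_host, NO_NAT_OTHER_SITE, translated_crypto_acl))
    # Non-VPN traffic falls through to the nat 99 pool (198.51.100.7 is a constructed destination).
    print(simulate("10.1.1.5", "198.51.100.7", NO_NAT_OTHER_SITE, ACL3))
```

The first run is the only one of the four in which the peer sees a 10.1.1.0/24 source inside an established tunnel, which is the symptom the post describes; the second shows why moving the traffic out of `no_nat` is not enough on its own, since `acl3` as written matches the pre-NAT source and stops selecting the translated packet for encryption.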

