Using NAT/VPN on PIX (Peer/Host External Addresses)

Networking Firewalls
Posted by Ryan Casey on February 21, 2005, 1:20 pm
NOTE: All addresses in the below configuration are external addresses.
The VPN should be established using only these external addresses,
_no_ internal network addresses.

We are trying to configure a PIX firewall. The other end is at another
company that allows many VPNs, so they require two routable (external)
IP addresses, no internals allowed.

We successfully set up a VPN with the PIX and a forward router. However,
we are load balancing routers and would like to do the entire VPN on the PIX.

Below is a sketch (fake IPs, use fixed width font) of how we would like it to be.

------------------------------     ---------------------     ------------------     -----------------
| Internal Network 172.1.1.x |     | PIX 67.2.2.222    |     | External Peer  |     | External Host |
|                            | --> | NAT to 67.2.2.2   |     |                |     |               |
|                            |     | Crypt             | --> | 157.3.3.3      | --> | 160.4.4.4     |
------------------------------     ---------------------     ------------------     -----------------

If we have a router outside the PIX, we work fine. But trying to do it all on
the PIX fails.

We had thought that it would go:
From: 172.1.1.100
To: 160.4.4.4

NAT Translated to
From: 67.2.2.2
To: 160.4.4.4

Tunnel Set Up from PIX (67.2.2.222) to Remote Peer (157.3.3.3)

Encrypt Packet

Send Packet

Decrypted on 157.3.3.3
From: 67.2.2.2
To: 160.4.4.4

Packet forwarded to 160.4.4.4 (NAT translated to remote internal if need be)


Return packets should come back in reverse, being decrypted on the PIX and then
NATted back to the internal network.

This is not what is happening. We have other VPNs using internal local and
remote addresses, and it is not failing. If we monitor the interface, we start
seeing a Send Error for each packet that is attempted to be sent, and there is
no tunnel ever established.

What are we missing here? Attached at bottom is relevant config (I think),
converted to the above IPs.


Thank you!
Ryan Casey


-------------

PIX Version 6.3(3)
access-list MYNAT permit ip 172.1.1.0 255.255.255.0 host 160.4.4.4
access-list MYCrypto permit ip host 67.2.2.2 host 160.4.4.4

global (outside) 2 67.2.2.2

nat (inside) 2 access-list MYNAT 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map vpnmap 50 ipsec-isakmp
crypto map vpnmap 50 match address MYCrypto
crypto map vpnmap 50 set peer 157.3.3.3
crypto map vpnmap 50 set transform-set myset

isakmp key ******** address 157.3.3.3 netmask 255.255.255.255

isakmp nat-traversal 20
: end
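The outbound sequence the post lays out (policy NAT on the inside, then a crypto ACL match against the translated packet) can be checked mechanically against the quoted configuration. The script below is an added example, not code from the post or from Cisco: it parses only the command forms quoted above, assumes that access-list (policy) nat statements are tried before address/mask nat statements, that the crypto map ACL is compared with the post-NAT source, that nat id 0 means no translation, and that the global pool is looked up on the outside interface. The regexes, PIX_CONFIG (the poster's config with the same fake addresses) and the function names are this example's own.

```python
"""Model of the outbound path described in the post: NAT first, then the
crypto ACL is tested against what would go on the wire.

Added example; not Cisco code and not part of the original post.
Assumptions: policy (access-list) NAT is tried before address/mask NAT;
the crypto ACL sees the post-NAT source; 'nat ... 0' means no translation;
global pools are looked up on the egress ('outside') interface.
Only the command forms the poster quoted are parsed.
"""
import ipaddress
import re

# The poster's configuration lines that matter for this check (same fake IPs).
PIX_CONFIG = """\
access-list MYNAT permit ip 172.1.1.0 255.255.255.0 host 160.4.4.4
access-list MYCrypto permit ip host 67.2.2.2 host 160.4.4.4
global (outside) 2 67.2.2.2
nat (inside) 2 access-list MYNAT 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map vpnmap 50 match address MYCrypto
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)")
NAT_ACL_RE = re.compile(r"nat \((\w+)\) (\d+) access-list (\S+)")
NAT_NET_RE = re.compile(r"nat \((\w+)\) (\d+) ([\d.]+) ([\d.]+)")
CMAP_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")


def _net(spec):
    """'host A' -> A/32; 'A MASK' -> network A/MASK (PIX ACLs use real subnet masks)."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_pix(text):
    """Collect ACL entries, global pools, nat statements and crypto-map ACL names."""
    cfg = {"acls": {}, "globals": {}, "policy_nat": [], "net_nat": [], "crypto_acls": []}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append((_net(m[2]), _net(m[3])))
        elif m := GLOBAL_RE.match(line):
            cfg["globals"][(m[1], m[2])] = m[3]          # (egress iface, nat id) -> address
        elif m := NAT_ACL_RE.match(line):
            cfg["policy_nat"].append((m[2], m[3]))       # (nat id, acl name)
        elif m := NAT_NET_RE.match(line):
            cfg["net_nat"].append((m[2], _net(f"{m[3]} {m[4]}")))  # (nat id, local net)
        elif m := CMAP_RE.match(line):
            cfg["crypto_acls"].append(m[1])
    return cfg


def acl_permits(cfg, name, src, dst):
    """True if any entry of the named ACL permits src -> dst."""
    return any(src in s and dst in d for s, d in cfg["acls"].get(name, []))


def translate(cfg, src, dst, egress="outside"):
    """Post-NAT source as a string, or None when the matching nat id has no
    global pool on the egress interface (the quoted config has none for id 1)."""
    for nat_id, acl in cfg["policy_nat"]:
        if acl_permits(cfg, acl, src, dst):
            return str(src) if nat_id == "0" else cfg["globals"].get((egress, nat_id))
    for nat_id, net in cfg["net_nat"]:
        if src in net:
            return str(src) if nat_id == "0" else cfg["globals"].get((egress, nat_id))
    return None


def outbound_path(cfg, src, dst, egress="outside"):
    """Apply NAT, then test every crypto-map ACL against the on-the-wire packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    xlated = translate(cfg, src, dst, egress)
    on_wire = ipaddress.ip_address(xlated) if xlated else src
    matched = any(acl_permits(cfg, name, on_wire, dst) for name in cfg["crypto_acls"])
    return {"translated_src": xlated, "crypto_match": matched}


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    for dst in ("160.4.4.4", "8.8.8.8"):
        print(f"172.1.1.100 -> {dst}:", outbound_path(cfg, "172.1.1.100", dst))
```

For the flow in the post (172.1.1.100 to 160.4.4.4) the model translates the source to 67.2.2.2 and MYCrypto matches, so the quoted NAT and crypto ACL lines agree with the sequence the poster expects; the check is useful precisely because the failure must then lie in lines not quoted (the crypto map is not shown applied to an interface, and no isakmp policy or `isakmp enable` line appears in the excerpt). Traffic that falls through to nat id 1 gets no global in the excerpt and so cannot match the crypto ACL at all.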

