FW: Static NAT translation over IPSEC tunnel - PIX 6.3
I have several tunnels up and operational on an old PIX-520 running
6.3(4)120

I want to establish a new tunnel, but I want to static xlate my inside
address to a real world address, and have the destination host see my
traffic as sourced from the NAT'd address.

So I've built an access-list for interesting traffic for the tunnel,
built my static and have not specified the interesting traffic in my
NAT-0 access-list that I use for other tunnels. I've turned up debug
crypto isakmp on the pix but I don't see any initiation.

My inside host on interface DMZ is 172.0.255.15 which is NAT'd to
216.26.153.12.

So I want 172.0.255.15 to connect to the remote host 172.30.21.216
presenting itself as sourced from the nat'd address 216.26.153.12.

Here is what I think is relevant.

ip address outside 216.26.153.4 255.255.255.128
ip address dmz 172.0.255.1 255.255.255.0

access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215


static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0

sysopt connection permit-ipsec


crypto ipsec transform-set global-vpn esp-3des esp-md5-hmac

crypto map outside 212 ipsec-isakmp
crypto map outside 212 match address global-vpn
crypto map outside 212 set peer not.my.real.ip
crypto map outside 212 set transform-set global-vpn

crypto map outside interface outside

isakmp enable outside
isakmp key ******** address not.my.real.ip netmask 255.255.255.255
isakmp identity address

isakmp policy 100 authentication pre-share
isakmp policy 100 encryption 3des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 86400


Any ideas, am I approaching this correctly with the static and not
using nat0 for 216.26.153.12<->172.30.21.215?

Thanks for any suggestions.

--mikej
Michael Jung
Re: FW: Static NAT translation over IPSEC tunnel - PIX 6.3
Dear Michael,

I think your debug output gets nothing because the NAT happens after the
IPSEC tunnel initiation failed; mainly, routing happens first, then NAT. If
the outgoing interface is the outside one, NAT takes action, so when your
private subnet tries to initiate traffic toward the remote VPN, the traffic
arrives on the PIX interface with a private address, then it tries to
initiate the IPSEC tunnel, and it fails because the source address is not
found in the interesting traffic ACL (global-vpn).

If I am wrong, anybody can correct me :)

Best Regards,
Mounir Mohamed


Re: FW: Static NAT translation over IPSEC tunnel - PIX 6.3
Thanks for your response.

I may be wrong but I have always understood NAT to occur BEFORE ipsec.

Thus, if you want an inside host on one end to talk with an inside host
on the remote end of a tunnel, you place your interesting traffic rules
in whatever access-list applies to your appropriate NAT-0 rule so that
the PIX knows to not process your traffic through the NAT engine before
the tunnel (IPSEC or otherwise).

It's my opinion in my case that the PIX is not finding interesting
traffic bound for 172.30.21.216 from 216.26.153.12 and this is why I am
seeing no debugging information.

I don't understand why this is occurring with how I'm attempting to
configure this scenario.

--mikej

Re: FW: Static NAT translation over IPSEC tunnel - PIX 6.3
Dear Michael,

No dear, IPSEC happens before NAT, so the ACL is matching on something wrong;
the URL below shows the NAT order of operations.

Did you try to change the ACL by replacing the real IP address with your
private one? I believe this will give you debug output.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Best Regards,
Mounir Mohamed


Re: FW: Static NAT translation over IPSEC tunnel - PIX 6.3
Mounir Mohamed:

Thanks!

For the list and those still learning like me, changing

access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215

to

access-list global-vpn permit ip host 172.0.255.15 host 172.30.21.215

makes the IPSEC engine see interesting traffic and I get initiation.
Solution not complete but I understand more.

Any idea on the PIX side how I can confirm through debug that the
destination packet to 172.30.21.215 is going through the NAT engine so I
feel confident that the remote side should see traffic sourced from
216.26.153.12 via my static xlate?

Kind regards,

--mikej

Re: FW: Static NAT translation over IPSEC tunnel - PIX 6.3
Dear Michael,

Just keep your current ACL as it is and just change the interesting traffic
from the remote vpn sites to be like this

access-list vpn1 permit ip host 172.30.21.215 host 216.26.153.12

Please let me know if it's working

Best Regards,
Mounir Mohamed
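
A check on the ACLs quoted in this thread, as an added example that is not part of the original posts: IKE phase 2 proposes the crypto ACL's addresses as proxy identities, so the two peers' crypto ACLs must be mirror images of each other. The Python below parses the PIX 6.3 lines quoted above and reports, for each crypto ACL entry, whether its source is the real or the mapped side of a static and whether the remote peer's ACL mirrors it. The function names are hypothetical, the remote ACL name vpn1 is taken from the last reply, and only host-to-host entries are handled.

```python
import re
from ipaddress import ip_address

# Config lines quoted in this thread (PIX 6.3 syntax), embedded as sample input.
LOCAL_CONFIG = """
static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0
access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215
crypto map outside 212 match address global-vpn
"""
# The same config after the ACL change reported in the thread.
LOCAL_CONFIG_CHANGED = LOCAL_CONFIG.replace(
    "permit ip host 216.26.153.12", "permit ip host 172.0.255.15")
# Remote peer's ACL as suggested in the last reply.
REMOTE_CONFIG = """
access-list vpn1 permit ip host 172.30.21.215 host 216.26.153.12
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip host (\S+) host (\S+)$")
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse(config):
    """Return (acls, statics, crypto_acl_names); host-to-host entries only."""
    acls, statics, used = {}, {}, set()
    for line in config.splitlines():
        line = " ".join(line.split())  # normalise whitespace
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(
                (ip_address(m[2]), ip_address(m[3])))
        elif m := STATIC_RE.match(line):
            # PIX 6.3 order: static (real_if,mapped_if) mapped_ip real_ip
            statics[ip_address(m[4])] = ip_address(m[3])
        elif m := MATCH_RE.match(line):
            used.add(m[1])
    return acls, statics, used


def classify_source(addr, statics):
    """Say which side of a static translation an ACL source address is."""
    if addr in statics:
        return "real"
    if addr in statics.values():
        return "mapped"
    return "untranslated"


def audit(local_config, remote_config, remote_acl):
    """Check every ACL bound to a crypto map against the peer's ACL."""
    acls, statics, used = parse(local_config)
    remote_entries = set(parse(remote_config)[0].get(remote_acl, []))
    findings = []
    for name in sorted(used):
        for src, dst in acls.get(name, []):
            findings.append({
                "acl": name,
                "entry": f"{src} -> {dst}",
                "source_is": classify_source(src, statics),
                # The peer must list the same pair with the ends swapped.
                "mirrored_by_peer": (dst, src) in remote_entries,
            })
    return findings


if __name__ == "__main__":
    for label, cfg in (("as first posted", LOCAL_CONFIG),
                       ("after the ACL change", LOCAL_CONFIG_CHANGED)):
        for f in audit(cfg, REMOTE_CONFIG, "vpn1"):
            print(label, f)
```
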
