Archived from groups: comp.dcom.vpn, comp.dcom.sys.cisco
We are trying to configure a PIX firewall. The other end is at another
company that allows many VPNs, so they require two routable (external)
IP addresses, no internals allowed.
We successfully set up a VPN with the PIX and a forward router. However,
we are load balancing routers and would like to do the entire VPN on the PIX.
Below is a sketch (fake IPs, use a fixed-width font) of how we would like it to be.
------------------------------     ---------------------     ------------------     -----------------
| Internal Network 172.1.1.x |     | PIX 67.2.2.222    |     | External Peer  |     | External Host |
|                            | --> | NAT to 67.2.2.2   |     |                |     |               |
|                            |     | Crypt             | --> | 157.3.3.3      | --> | 160.4.4.4     |
------------------------------     ---------------------     ------------------     -----------------
If we have a router outside the PIX, we work fine. But trying to do it all on the PIX fails.
We had thought that it would go:
From: 172.1.1.100
To: 160.4.4.4
NAT Translated to
From: 67.2.2.2
To: 160.4.4.4
Tunnel Set Up from PIX (67.2.2.222) to Remote Peer (157.3.3.3)
Encrypt Packet
Send Packet
Decrypted on 157.3.3.3
From: 67.2.2.2
To: 160.4.4.4
Packet forwarded to 160.4.4.4 (NAT translated to remote internal if need be)
Return packets should come back in reverse, being decrypted on the PIX and then NATted back
to the internal network.
This is not what is happening. We have other VPNs using internal local and remote addresses,
and it is not failing. If we monitor the interface, we start seeing a Send Error for each
packet that is attempted to be sent, and there is no tunnel ever established.
What are we missing here? Attached at bottom is the relevant config (I think), converted to the
above IPs.
Thank you!
Ryan Casey
-------------
PIX Version 6.3(3)
access-list MYNAT permit ip 172.1.1.0 255.255.255.0 host 160.4.4.4
access-list MYCrypto permit ip host 67.2.2.2 host 160.4.4.4
nat (inside) 2 access-list MYNAT 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map vpnmap 50 ipsec-isakmp
crypto map vpnmap 50 match address MYCrypto
crypto map vpnmap 50 set peer 157.3.3.3
crypto map vpnmap 50 set transform-set myset
isakmp key ******** address 157.3.3.3 netmask 255.255.255.255
isakmp nat-traversal 20
: end
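To make the order of operations the post relies on concrete, here is an added Python model (not from the original post and not Cisco code): it parses the two PIX 6.3 access-lists above, applies the policy NAT first and then evaluates the crypto ACL against the translated packet, which is why MYCrypto is written with the post-NAT address 67.2.2.2 rather than the inside network. It assumes, as the sketch does, that NAT id 2 translates to 67.2.2.2; the `GLOBAL_POOLS` dict stands in for the matching `global` statement, which the posted config excerpt does not show.

```python
import ipaddress

# Constructed copy of the two access-lists from the post (PIX syntax: subnet mask, not wildcard).
CONFIG = """
access-list MYNAT permit ip 172.1.1.0 255.255.255.0 host 160.4.4.4
access-list MYCrypto permit ip host 67.2.2.2 host 160.4.4.4
"""

# Assumption, not from the post: NAT id 2 maps to the single outside address the sketch shows.
GLOBAL_POOLS = {2: "67.2.2.2"}


def _take_addr(tokens):
    """Consume 'host A' or 'A MASK' from the front of tokens and return an ip_network."""
    if tokens[0] == "host":
        tokens.pop(0)
        return ipaddress.ip_network(tokens.pop(0))
    addr, mask = tokens.pop(0), tokens.pop(0)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(text):
    """Return {acl_name: [(proto, src_net, dst_net), ...]} for 'access-list NAME permit ...' lines."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
            continue
        rest = t[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        acls.setdefault(t[1], []).append((t[3], src, dst))
    return acls


def acl_permits(acl, src, dst):
    """True if any entry of the ACL covers the (src, dst) pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for _, sn, dn in acl)


def outbound_path(src, dst, acls, pools):
    """Model the outbound order the post expects: policy NAT (nat id 2) first, then crypto map.

    Returns (source address as it leaves the PIX, whether MYCrypto selected it for the tunnel).
    """
    if acl_permits(acls["MYNAT"], src, dst) and 2 in pools:
        src = pools[2]  # inside host is translated to the nat id 2 outside address
    return src, acl_permits(acls["MYCrypto"], src, dst)
```

Running `outbound_path("172.1.1.100", "160.4.4.4", parse_acls(CONFIG), GLOBAL_POOLS)` yields `("67.2.2.2", True)`; with an empty pool dict the untranslated packet never matches MYCrypto, so checking that the `global` for id 2 exists is the first thing to verify on the real box.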