PIX NAT using ISP2?
I really doubt that there is a solution, so I'm challenging all you network gurus {wink}
I have two ISPs coming in. At present, ISP2 bypasses the firewall with its own router.
Now, I would like to be more effective. I'm consolidating my two ISPs onto one router tonight.
I know that the PIX won't do any kind of policy-based routing, but I would like to NAT all outbound traffic via ISP1 and all static NATs via ISP2.
Possible? I am open to all ideas.
The problem: my incoming HTTP traffic has swallowed up all my other traffic. I can't control the ISP side of the router, and QoS placement is outgoing only (obviously, if it has hit my incoming interface, it has already used the bandwidth).
I would like to move (based on my NAT global for users) inbound HTTP to ISP1 and all my static entries to ISP2.
I may be wishing on a star here, because I haven't come up with good ideas, as the firewall is not as flexible as a router (which is probably a good thing in general).
Thank you very much!
Hello
You have a few possibilities here...
First; you can indeed do some QoS on your ingress, but it will only be effective on TCP sessions (which seem to be the majority of your traffic). Shaping the inbound traffic with WRED will make TCP back off and lower the pressure... You'll just have to set the interface bandwidth parameter and shape accordingly.
Second; the problem with the PIX is that it can have only *one* default gateway and it does not do PBR. Therefore, you will need to use external routers to do this work. If you have control of the access routers to the ISPs, you can do the traffic steering "easily". You *will* need a router (you can also use two) between your PIX and the ISPs. This router may very well be the access router. If you use one router, that router will have a total of three interfaces (one to each ISP and the other to the PIX). If you use two routers, each needs two interfaces (one to an ISP, one to the PIX) and a switch/hub to interconnect them.
I assume you have public IP addresses on the PIX and have a set from each ISP.
Do your usual thing on the PIX with these addresses, using one ISP's set for the PAT of users and the other ISP's set for your static outbounds. Then on your ISP access router, use PBR to choose the correct ISP based on the source address coming from your PIX.
If you use two routers in parallel, one at each access provider, you need to configure HSRP for the address the PIX uses as its front door, and PBR on each router.
Let me know if this is too abstract.
Did this help? If so, please rate it.
Tags: Cisco Security
Similar Questions
-
PIX-to-PIX VPN using IPsec tunnel. Need help please.
Hello everyone,
I have a connection between two sites using a PIX 506E and a PIX 501. The one at the central site (WATBCINX1 - PIX 506E) sends the packets correctly and the one at the remote site (CTXPOINX1 - PIX 501) receives them (checked using icmp trace on the two PIXes). The problem is that the PIX 501 at the remote site does not return packets. I have to say that the two PIXes have a 3Com OfficeConnect ADSL Router 812 as Internet gateway. If someone could help me I would appreciate it a lot. Thank you!
PIX 506E configuration (central site):
WATBCINX1# sh conf
: Saved
: Written by enable_15 at 08:36:50.090 CEDT Fri Jun 20 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password qU51Wrx8ggFHLusK encrypted
passwd qU51Wrx8ggFHLusK encrypted
hostname WATBCINX1
domain-name NEOKEM.LAN
clock timezone CET 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
name 80.37.246.195 POLINYA
access-list outside_access_in permit gre any host 10.0.0.10
access-list outside_access_in permit tcp any host 10.0.0.10 eq 1723
access-list outside_access_in permit tcp any host 10.0.0.10 eq smtp
access-list outside_access_in permit tcp any host 10.0.0.10 eq pop3
access-list outside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit udp any any
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.3 255.0.0.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.0.128 255.255.255.255 inside
pdm location 192.168.0.135 255.255.255.255 inside
pdm location 192.168.11.0 255.255.255.0 outside
pdm location 192.168.11.0 255.255.255.0 inside
pdm location 80.37.246.195 255.255.255.255 outside
pdm location 192.168.0.254 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.10 192.168.0.100 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 0:05:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp authenticate
ntp server 192.43.244.18 source outside
ntp server 128.118.25.3 source outside prefer
http server enable
http 192.168.0.100 255.255.255.255 inside
http 192.168.0.128 255.255.255.255 inside
http 192.168.0.135 255.255.255.255 inside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set COMUN_BCN esp-des esp-md5-hmac
crypto map polinya 1 ipsec-isakmp
crypto map polinya 1 match address 101
crypto map polinya 1 set peer 80.37.246.195
crypto map polinya 1 set transform-set COMUN_BCN
crypto map polinya interface outside
isakmp enable outside
isakmp key ******** address 80.37.246.195 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 192.168.0.128 255.255.255.255 inside
telnet 192.168.0.135 255.255.255.255 inside
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
username QSECOFR password ELFfg8t/K5UMO89z encrypted privilege 15
terminal width 80
Cryptochecksum:74cd0cf16ef2c35804dffaeee924efdf
WATBCINX1#
PIX 501 configuration (remote site):
CTXPOINX1# sh conf
: Saved
: Written by enable_15 at 09:27:14.439 CEDT Fri Jun 20 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password qU51Wrx8ggFHLusK encrypted
passwd qU51Wrx8ggFHLusK encrypted
hostname CTXPOINX1
domain-name NEOKEM.LAN
clock timezone CET 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
name 80.32.132.188 BCN
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.0.0.0
ip address inside 192.168.11.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.11.0 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 0:05:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp authenticate
ntp server 192.5.41.209 source outside prefer
http server enable
http 80.32.132.188 255.255.255.255 outside
http 192.168.0.0 255.255.0.0 inside
http 192.168.11.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set COMUN esp-des esp-md5-hmac
crypto map bcn 1 ipsec-isakmp
crypto map bcn 1 set peer 80.32.132.188
crypto map bcn 1 set transform-set COMUN
crypto map bcn interface outside
isakmp enable outside
isakmp key ******** address 80.32.132.188 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 80.32.132.188 255.255.255.255 outside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 10
ssh timeout 5
username QSECOFR password ELFfg8t/K5UMO89z encrypted privilege 15
terminal width 80
Cryptochecksum:dc8d08655d07886b74d867228e84f70f
CTXPOINX1#
Hello
You left the match address out of your 501 VPN config... put this in:
crypto map bcn 1 match address 101
Hope that helps...
-
Hello
My scenario is
Inside (LAN) (172.16.x.x) - DMZ (172.29.1.x)
I would like to provide access from the internal network to the DMZ. In addition to the ACL configuration, I can do this using either of the following two methods. What are the advantages/disadvantages of each method?
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
OR
access-list sheep permit ip 172.16.0.0 255.255.0.0 172.29.1.0 255.255.255.0
nat (inside) 0 access-list sheep
What is the difference between these two?
Hello
The function of static and nat (inside) 0 ACL is the same, that is, traffic from the inside to the DMZ and the reverse would be allowed. The real difference is that when configuring nat (inside) 0 ACL, you are really turning off the NAT engine for this traffic altogether. Using the static, you don't disable the NAT engine on the PIX; the PIX still builds translations, in a sense translating the address to itself. Note: nat (inside) 0 0 0 is different from nat (inside) 0 ACL. With the ACL option, you can connect the two sides; with only nat (inside) 0 0 it's only from the inside to the DMZ, not from the DMZ to the inside. In a moderate network environment, you won't see much difference in terms of performance. It just depends on the situation and which one you prefer.
I hope that's clear! Thank you
Renault
-
Configure the PIX to use TACACS+ and RADIUS for VPN
Using a PIX 506E ver 6.3: whenever I add the command 'crypto map mymap client authentication PARTNERAUTH' it removes the current TACACS+ client authentication. I need to have both until I have finished testing the RADIUS server. Can I add an additional crypto map command with a different name in order to accommodate and use both the current TACACS+ (ACS) and the RADIUS?
Hello
You need a timeout to do the test.
Kind regards
-
Slow speed when using NVI vs classic NAT
2801 software (C2801-ADVENTERPRISEK9-M), Version 15.1(4)M6
I recently upgraded a DHCP WAN IP to a static public IP block and discovered a problem with hairpinning. I looked around and found that I could use NVI (NAT Virtual Interface) to work around this problem. I changed everything, and now I'm getting less than half the speed I had before (15 Mbps vs 35-40 Mbps). In summary: when using ip nat inside/outside, I get good speed but cannot hairpin, but when using ip nat enable (NVI), I can hairpin but get bad speeds.
Find everything explained in more detail below.
Here's my original config
----------------------
int fa0/0
 ip address x.x.x.2
 ip nat outside
int fa0/1
 ip address y.y.y.2
 ip nat inside
ip nat inside source list 1 interface FastEthernet0/0 overload
--------------------------
Everything has been/is just fine, but I wanted to map some static IP addresses to two hosts, so I added:
---------------------------
ip nat inside source static y.y.y.3 x.x.x.3
ip nat inside source static y.y.y.4 x.x.x.4
----------------------------
The mapping worked, but when I tried a few hairpin turns (connecting from y.y.y.4 to x.x.x.3) I found that it would not work. After some research, I found NVI, which Cisco announced a while back, and I moved on to that. See the new config:
---------------------------
int fa0/0
 ip address x.x.x.2
 ip nat enable
int fa0/1
 ip address y.y.y.2
 ip nat enable
ip nat source list 1 interface fa0/0 overload
ip nat source static y.y.y.3 x.x.x.3
ip nat source static y.y.y.4 x.x.x.4
------------------------
It works just like that, but now I have less than half the speed I had before. I'm at a loss as to what would cause this.
Performance with the traditional configuration was already very high for such an old and slow router; compare with the attached document.
Even with the more complex NVI configuration, the numbers are still reasonable.
If you need better, either find a way to return to regular NAT, or you need to upgrade to a more recent / faster machine.
-
PIX firewall configuration using PKI on a Microsoft CA server
I just wanted to know whether there is someone out there who has implemented a private PKI for IPSec on a PIX 515E against a Microsoft Windows 2K Advanced Server CA. If so, can you please point me to details on how to implement this? I'm mostly interested in implementing IPSec with PKI for remote dial-up users (via the Internet) using the Cisco VPN client and terminating on a PIX firewall. Thanks in advance for your answers.
Hello
Try the following link
MS CA server installation is a very simple task...
a. install network / Active Directory / DNS / IIS services
b. then add the CA service on the server. Ensure that you select the enterprise CA option, not the stand-alone option... (I also recommend reading a few notes on the MS site.)
c. once the installation is done, type the following URL in the web browser of a remote PC
http://certsrv/ - this URL will allow you to request and see the status of the certificates...
I used MS CA servers for a PKI IPsec deployment and it worked very well...
I hope this helps you
Regards
-
Clarification on PIX NAT and BGP authentication
Hi all
I did some tests on a PIX with BGP traffic crossing it.
When I configure the PIX with no NAT (nat 0) and configure a BGP session between two routers (one on the inside and the other on the outside net), everything works fine.
When I configure BGP authentication, I have to add the keyword "norandomseq" to the NAT and STATIC commands because BGP auth embeds the authentication information in the TCP header. That's OK.
But when I reconfigure the PIX to do real NAT between the inside and outside networks and reconfigure my routers, the BGP session doesn't come up unless BGP authentication is disabled. If I enable BGP authentication, I get MD5 authentication errors on the routers. (Note: "norandomseq" is enabled for the NAT and STATIC statements.)
Now my question is: are BGP sessions unsupported through NAT on the PIX? (In my tests it has worked with a nat 0 config; also, all the examples I have found work with a nat 0 config.)
I think the problem is that the TCP pseudo-header changes at the NAT device and therefore it will never work, right? Or is there some internal BGP fix which should handle this? I think it's almost impossible that this is known to work with a simple BGP password, right?
Regards
Michael
Your reasoning is dead on. BGP authentication works like this: the sending BGP peer takes an MD5 hash of the TCP header before sending the packet and includes this hash in a TCP header option. The BGP receiver receives the packet and also takes an MD5 hash of the TCP header. Then it compares its value to the value sent by the BGP sender. If they match, all is well. If they don't, the packet is ignored and you get the error messages you saw.
Because NAT changes the source address, the TCP header (as hashed) is changed, which produces a different MD5 hash at the receiver than the one the sender originally computed.
BGP peering with authentication through a PIX is supported only with nat 0 or a static identity translation with the norandomseq option enabled.
Make sense?
Scott
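Scott's explanation above, as an added example that is not part of the original thread: a Python model of the RFC 2385 TCP MD5 signature that BGP uses, pushed through a simulated firewall. The addresses, the key and the BGP OPEN are constructed; `firewall_forward` is an assumption standing in for what the PIX does to a segment in flight (NAT rewrite of the source address, and sequence-number randomization unless norandomseq is set), not PIX code. It shows why the session survives with nat 0 (or an identity static) plus norandomseq, but fails with real NAT or a randomized ISN, because the receiver recomputes the digest over the headers it actually receives.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (not from the thread).
SHARED_KEY = b"bgp-md5-secret"
INSIDE_PEER = "192.168.10.1"    # BGP speaker behind the PIX inside interface
OUTSIDE_PEER = "203.0.113.1"    # BGP speaker on the outside network
NAT_ADDRESS = "198.51.100.5"    # address the PIX would translate INSIDE_PEER to
BGP_PORT = 179


def build_tcp_header(sport, dport, seq, ack, flags, window=16384):
    """Fixed 20-byte TCP header (data offset 5 words), checksum left at zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 signature: MD5 over the TCP pseudo-header (source address,
    destination address, zero, protocol 6, segment length), the fixed TCP
    header with the checksum field zeroed (options excluded), the segment
    data, and finally the shared key."""
    segment_length = len(tcp_header) + len(payload)
    pseudo_header = (ipaddress.IPv4Address(src_ip).packed
                     + ipaddress.IPv4Address(dst_ip).packed
                     + struct.pack("!BBH", 0, 6, segment_length))
    fixed_header = bytearray(tcp_header[:20])
    fixed_header[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo_header + bytes(fixed_header) + payload + key).digest()


def sign_segment(src_ip, dst_ip, tcp_header, payload, key):
    """Sender side: the digest is computed over the headers as the sender sees them."""
    return {"src": src_ip, "dst": dst_ip, "tcp": tcp_header, "data": payload,
            "sig": tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)}


def firewall_forward(segment, new_src=None, isn_offset=0):
    """Model (assumption) of the PIX in the path. NAT rewrites the source
    address; without norandomseq the firewall also shifts the TCP sequence
    number by a random offset. The MD5 option itself is carried through
    unchanged, so any rewrite of a hashed field breaks verification."""
    out = dict(segment)
    if new_src is not None:
        out["src"] = new_src
    if isn_offset:
        seq = struct.unpack("!I", segment["tcp"][4:8])[0]
        out["tcp"] = (segment["tcp"][:4]
                      + struct.pack("!I", (seq + isn_offset) & 0xFFFFFFFF)
                      + segment["tcp"][8:])
    return out


def receiver_accepts(segment, key):
    """Receiver side: recompute over the headers actually received and compare."""
    return tcp_md5_digest(segment["src"], segment["dst"], segment["tcp"],
                          segment["data"], key) == segment["sig"]


def bgp_open_survives(nat_source=None, randomize_isn=False):
    """Send one signed BGP OPEN from the inside peer through the modelled PIX
    and report whether the outside peer accepts it."""
    # Minimal BGP OPEN: 16-byte marker, length 29, type 1, version 4, AS 65001,
    # hold time 180, BGP identifier, no optional parameters (constructed).
    bgp_open = (b"\xff" * 16 + struct.pack("!HBBHH", 29, 1, 4, 65001, 180)
                + ipaddress.IPv4Address(INSIDE_PEER).packed + b"\x00")
    tcp = build_tcp_header(49152, BGP_PORT, seq=1000, ack=0, flags=0x18)  # PSH|ACK
    seg = sign_segment(INSIDE_PEER, OUTSIDE_PEER, tcp, bgp_open, SHARED_KEY)
    seg = firewall_forward(seg, new_src=nat_source,
                           isn_offset=0x1234567 if randomize_isn else 0)
    return receiver_accepts(seg, SHARED_KEY)


if __name__ == "__main__":
    print("nat 0, norandomseq         :", bgp_open_survives())
    print("identity static, norandomseq:", bgp_open_survives(nat_source=INSIDE_PEER))
    print("real NAT                   :", bgp_open_survives(nat_source=NAT_ADDRESS))
    print("nat 0, randomized ISN      :", bgp_open_survives(randomize_isn=True))
```

The identity-static case passes because the "translated" address equals the original, so every hashed field is unchanged; that is exactly the condition Scott names (nat 0 or identity static, with norandomseq).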
-
NAT using a VM gateway with just 1 public IP available?
Greetings!
The setup:
Hetzner DS3000 root server with 1 public IP address.
VMware ESXi 3.5
Problem:
I want to virtualize a couple of servers and use NAT to make them accessible on the internet. I have read that ESXi does not do NAT... so I thought I would use a "Smoothwall" VM as gateway. And that's where the trouble begins: I need two public IP addresses, one for the gateway ("front door") and the other for the ESXi server, but I only got one from my web host...
Is there a solution/workaround for this problem?
Thank you very much!
Klaus
Is there a solution/workaround for this problem?
I don't think that's how gateways work. The only alternative is to use your main network switch to configure a VLAN so that the virtual machine is located on an external DMZ, which is in turn NATted. Or set your ports up on the same vSwitch. The difference is that one is bound to a single virtual machine and the other to the entire switch.
But a software solution will need 2 IPs, and unless you have some hardware gateway or use the existing switch, I don't see how you can do it.
-
Can I NAT to a site that is located on an MPLS link that carries only some subnets?
Our MPLS presently carries 172.16 traffic that is routed through the PC 7048 (VxWorks 6.6, 5.1.0.1).
We added a few sites on our MPLS and they are 192.168.x.x subnets. Rather than wait for the carrier to improve the network to carry 192.168, can I do NAT directly on the 7048?
Otherwise, any other method? Tunneling? Anything?
Thank you
I did some more research and talked with a colleague to confirm that your conclusions are correct. Q-in-Q will not work with this type of connection. The 7048 cannot be configured for NAT. We did some looking around to see if we could find another feature, but have been unable to find something that would accomplish what you're looking for, sorry.
-
PAT on PIX vs NAT overload on router
Best practice question...
Is it better to perform PAT through NAT overload on a bastion router, with a static statement on the PIX, or to configure PAT on the PIX using a global IP address?
Other alternatives?
Router example:
Router configuration
ip nat pool FirstPAT 172.16.5.100 172.16.5.100 netmask 255.255.255.0
ip nat inside source list 10 pool FirstPAT overload
access-list 10 permit 10.10.10.0 0.255.255.255
PIX setup
static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
PIX example:
global (outside) 1 172.16.5.100
nat (inside) 1 0 0
Thanks in advance for all the replies!
In my opinion, there is no real compelling reason to go with one idea over the other. I would probably lean towards letting the PIX do the NAT, but I could be swayed. The reason is that the PIX is essentially already doing NAT (everything back to the same address). But again, either should be fine.
One suggestion, however, if you went with NAT overload on the router, would be to do it with a route map as opposed to the access list in your example. Something like this:
ip nat pool FirstPAT 172.16.5.100 172.16.5.100 netmask 255.255.255.0
ip nat inside source route-map nat pool FirstPAT overload
route-map nat permit 10
 match ip address 10
access-list 10 permit 10.10.10.0 0.255.255.255
This creates a NAT entry in the NAT table on the router.
Good luck.
Scott
-
I need to set up a LAN-to-LAN tunnel between my 6.3(4) PIX 515E and a remote, unknown Cisco device. The network administrator at our parent company in France will be setting up their end, which is the unknown device.
Currently, the PIX is running NAT between our internal private addresses and our external public address.
For this IPSec tunnel, I need our PIX to NAT a private /24 subnet to another private /24 subnet before IPSec.
For example:
Say I have an internal subnet 192.168.0.x. When the traffic has to go to France (10.40.1.x) via the IPSec tunnel, I want our PIX to NAT 192.168.0.x to 10.40.2.x before sending it via IPSec.
(A) Is it possible?
(B) What would my IPSec ACL for interesting traffic look like? Wouldn't it be 10.40.2.x to 10.40.1.x?
We are trying to work around an overlapping-subnet problem. The France side already has an IPSec tunnel to a location that overlaps with us.
I thought I read somewhere that IPSec comes before NAT, which would indicate that the ACL would need to be 192.168.0.x to 10.40.1.x. This could be a problem, as the France side already has an ACL to 192.168.0.x.
I really hope this makes sense.
Denny
Denny
Policy NAT bit first:
access-list PNAT permit ip 192.168.0.0 255.255.255.0 10.40.1.0 255.255.255.0
nat (inside) 3 access-list PNAT
global (outside) 3 10.40.2.1-10.40.2.254 netmask 255.255.255.0
The above will NAT your LAN to 10.40.2.x IP addresses only when the destination of the traffic is 10.40.1.x. I used 3 as the nat and global id; choose one not already in use on your firewall.
Your crypto map access list for interesting traffic should be:
access-list VPNTRAFFIC permit ip 10.40.2.0 255.255.255.0 10.40.1.0 255.255.255.0
HTH
Jon
-
PIX 515E without NAT from higher to lower security
Dear all,
Please find attached the schema and the configuration of PIX 102 and PIX 105.
Networks 192.168.105.x and 192.168.102.x can communicate with the outside world, and from the outside we can access some open ports on 192.168.102.x.
192.168.105.1 is on the higher-security interface and 192.168.102.3 is on the lower-security interface of PIX105.
192.168.105.x can communicate with 192.168.102.x using NAT.
Now the question is:
192.168.105.x cannot communicate with 192.168.102.x without NAT. Tried using static identity translations and nat 0 but still cannot communicate.
192.168.105.x is unable to connect to 192.168.101.x (routed via PIX 102 and the router)
192.168.101.x cannot communicate with 192.168.102.x
I don't want to use NAT between 192.168.105.x, 192.168.102.x and 192.168.101.x
Grateful if you can help ASAP
Kind regards
Prashanth
You said "192.168.101.x need to access 192.168.102.x for object group dc."
Provided the traffic you are talking about is initiated from subnet .101 towards subnet .102, then you need to apply another static on pix102.
for example
static (intf2,inside) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
clear xlate
Apart from that, I see no error in the two PIX configs or the router config.
To check whether the issue relates to the data center router, try pinging from pix102.
First, ping the data center router's serial interface, then ping the data center router's subnet .101 interface.
-
Can I use AAA for telnet access to a PIX?
It's a 506E running 6.2(2). I have all my routers and switches using TACACS+ authentication. Is it possible with the PIX? Useful links or instructions?
Thank you
Yes, you can control access to the PIX via TACACS+ or any AAA server. Here is the perfect link explaining the config etc.:
-
Hello
I would like to ask: if I have 2 IP address blocks, one from ISP 1 and one from ISP 2, and I have 2 inside NATs mapping to 1 web server, let's say:
100.0.0.10 (ISP 1 IP) and 200.0.0.10 (ISP 2 IP) mapped to my web server.
My question is, let's say I have 2 default routes (0.0.0.0/0), one for each ISP. How can I do route planning so that if the customer comes in via ISP 1 and accesses the NAT to my web server (100.0.0.10), the response from my web server returns via ISP1 and does not use ISP2?
Hello
As far as I understand, the OP is concerned about the HTTP response. The OP needs traffic coming from ISP1 to go back via ISP1 and traffic from ISP2 to go back via ISP2. Richard's idea of having a second IP address on the server and a route map is the solution.
Server IP addresses
192.168.1.2
192.168.1.3
Router config
interface FastEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map WAN
interface FastEthernet0/0
 ip address 100.0.0.2 255.255.255.0
 ip nat outside
interface FastEthernet1/0
 ip address 200.0.0.2 255.255.255.0
 ip nat outside
! public addresses are the OP's 100.0.0.10 / 200.0.0.10, not the interface addresses
ip nat inside source static 192.168.1.2 100.0.0.10
ip nat inside source static 192.168.1.3 200.0.0.10
access-list 20 permit 192.168.1.2
access-list 30 permit 192.168.1.3
route-map WAN permit 10
 match ip address 20
 set ip next-hop 100.0.0.1
route-map WAN permit 20
 match ip address 30
 set ip next-hop 200.0.0.1
It will be useful,
Masoud
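Masoud's router configuration above (and the first thread's advice to let an access router select the ISP with PBR), as an added example that is not part of the original thread: a Python model of the router's inside-to-outside handling of the web server's reply. The addresses are the ones from the question; the STATIC_NAT and ROUTE_MAP_WAN tables are a constructed stand-in for the IOS configuration, not IOS itself, and the `reply_path_is_symmetric` check is an assumption for the purpose of illustration. The point it shows is the order of operations: on IOS, policy routing is evaluated on the untranslated inside source before NAT rewrites it, which is why the route map's ACLs match 192.168.1.x rather than the public addresses, and why without PBR one of the two servers always replies through the ISP that does not own its public address.

```python
import ipaddress

# Constructed model of the router in the answer above; addresses are the ones
# used in the question, not a real network.
ISP_OF_NEXT_HOP = {"100.0.0.1": "ISP1", "200.0.0.1": "ISP2"}
STATIC_NAT = {                     # inside address -> public address (static NAT)
    "192.168.1.2": "100.0.0.10",
    "192.168.1.3": "200.0.0.10",
}
ISP_OF_PUBLIC = {"100.0.0.10": "ISP1", "200.0.0.10": "ISP2"}
# route-map WAN: (standard ACL as a list of prefixes, next-hop); first match wins
ROUTE_MAP_WAN = [
    (["192.168.1.2/32"], "100.0.0.1"),   # permit 10: match ip address 20
    (["192.168.1.3/32"], "200.0.0.1"),   # permit 20: match ip address 30
]
DEFAULT_ROUTES = ["100.0.0.1", "200.0.0.1"]   # two equal 0.0.0.0/0 routes


def acl_permits(prefixes, addr):
    """Standard ACL semantics: permit if the source falls in any listed prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def inbound_request(public_dst):
    """Outside -> inside: the router un-NATs the public destination to the server."""
    for inside, public in STATIC_NAT.items():
        if public == public_dst:
            return inside
    return None  # no translation for that address


def outbound_reply(inside_src, pbr_enabled):
    """Inside -> outside, in IOS order: policy routing is evaluated on the
    packet as it arrives on the inside interface (untranslated source), and
    only then is NAT applied. Returns (next_hop, source address on the wire)."""
    next_hop = None
    if pbr_enabled:
        for prefixes, hop in ROUTE_MAP_WAN:
            if acl_permits(prefixes, inside_src):
                next_hop = hop
                break
    if next_hop is None:
        # Plain destination-based routing: both defaults are equal, so the
        # reply goes wherever the routing table happens to select (modelled
        # here as the first entry).
        next_hop = DEFAULT_ROUTES[0]
    return next_hop, STATIC_NAT.get(inside_src, inside_src)


def reply_path_is_symmetric(public_dst, pbr_enabled):
    """A client reached public_dst through one ISP; the reply is symmetric when
    it leaves via the ISP that owns the address it is sourced from."""
    server = inbound_request(public_dst)
    if server is None:
        return False
    next_hop, wire_src = outbound_reply(server, pbr_enabled)
    return ISP_OF_NEXT_HOP[next_hop] == ISP_OF_PUBLIC[wire_src]


if __name__ == "__main__":
    for dst in STATIC_NAT.values():
        for pbr in (False, True):
            print(f"request to {dst:11} pbr={pbr!s:5} "
                  f"symmetric={reply_path_is_symmetric(dst, pbr)}")
```

Without the route map, replies sourced from 200.0.0.10 leave towards ISP1's next hop; an upstream doing source-address filtering would drop them, and the client would see the session stall, which is the failure the question describes.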
-
I'm trying to implement a simple PIX-to-PIX VPN using the sample config from the PIX-to-PIX VPN documentation page. I have a lot of VPN tunnels with other PIX devices working very happily, so this is quite annoying. Anyway, the config on the source PIX is as follows:
access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
access-list 101 permit ip 172.18.133.0 255.255.255.0 172.18.138.0 255.255.255.0
nat (phoenix_private) 0 access-list 101
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map ntlink 1 ipsec-isakmp
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.18.126.233
crypto map transam 1 set transform-set chevelle
crypto map transam interface inside
isakmp enable inside
isakmp key ******** address 172.18.126.233 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
and if I generate traffic, the logs show this:
Aug 09 18:40:15 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)
Aug 09 18:40:17 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)
Aug 09 18:40:18 10.60.6.247 %PIX-3-305005: No translation group found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53
Aug 09 18:40:18 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)
Aug 09 18:40:19 10.60.6.247 %PIX-3-305005: No translation group found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53
No isakmp or ipsec debug message appears, but you would expect that, since the PIX does not even match the traffic against the access list or a NAT rule.
I'm doing something obviously stupid; can someone tell me what it is? Thank you.
Jon.
Hello
1. Create a second access list:
access-list outside_cryptomap permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
and
2. Instead of
crypto map transam 1 match address 101
you must configure
crypto map transam 1 match address outside_cryptomap
The problem is that you configured one ACL for both NAT and crypto; that does not work.
Regards
Alex