
Multiple IPSEC VPN on PIX

Status
Not open for further replies.

sghezzi

Technical User
Apr 7, 2003
56
DE
Hello,

We need to establish multiple IPSEC VPNs on a PIX.
The problem I have is related to ACLs and NAT.
I guess I have to create an ACL for each VPN tunnel, but then how do I prevent NAT on that traffic?

For example:
If I have 2 VPNs associated with ACLs 110 and 120 respectively:
access-list 110 permit ip 10.0.4.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 120 permit ip 192.168.170.0 255.255.255.0 192.168.175.0 255.255.255.0

How do I prevent NAT for those ACLs?
I see that I can only have one statement like this:
nat (inside) 0 access-list 110

I cannot have both:
nat (inside) 0 access-list 110
nat (inside) 0 access-list 120
Furthermore, I have the NAT rule for the internal private addresses: nat (inside) 1 10.0.0.0 255.0.0.0 0 0

Why can't I have NAT 0 for both ACLs?
And how can I solve this?

It doesn't work with a single nat rule, because I get this error: "No translation group found for....."

Does anybody have a solution for this?

thanks
Silvia
 
I cannot believe this but I was just about to post the same question, how spooky is that?????

I have just had people moaning at me because when I added the nat (inside) 0 access-list 120, it got rid of the nat (inside) 0 access-list 110.

I hope somebody has the answer as I need to get this up and running soon, I have searched around but I cannot find anything.

 
Yes!!!
Exactly!! It is the same for me; I cannot believe that nat 0 cannot be applied to more than one ACL.
How can we overcome this?
Is it solved in a later IOS version of the PIX?
I am using 6.1

Can someone help????
 
Me too, 6.1(3).

I am sure somebody will come to our rescue; I am still searching to see if I can find the answer.
 
Is this me being silly? I have just thought that maybe it is possible to have 3 ACLs: 110, 120 & 130. Use 120 & 130 in the VPN config part but use 110 in the NAT part.

access-list 110 permit ip 10.0.4.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 110 permit ip 192.168.170.0 255.255.255.0 192.168.175.0 255.255.255.0
access-list 120 permit ip 10.0.4.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 130 permit ip 192.168.170.0 255.255.255.0 192.168.175.0 255.255.255.0

nat (inside) 0 access-list 110

Maybe worth trying out, I have to wait till Thursday now before I can risk taking the other VPN down for 10 minutes :-(

 
I have tried this, but then I got this message:
"No translation group found for 192.168.170...."

I have 2 ACLs and only two statements:

access-list 110 permit ip host 10.0.4.58 192.168.50.0 255.255.255.0
access-list 120 permit ip 192.168.170.0 255.255.255.0 192.168.175.0 255.255.255.0
nat (inside) 0 access-list 110
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 interface

With these settings it doesn't work, and I get the error I mentioned.

Now I am trying with the following settings:

mebfirewall(config)# sh nat
nat (inside) 0 access-list 110
nat (inside) 2 192.168.170.0 255.255.255.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
mebfirewall(config)# sh global
global (outside) 1 interface
global (outside) 2 192.168.170.0

I thought this could work, but I still get some errors... I don't know if they are related to this or not.

I am going crazy....
 
Sorry, I didn't see that you have already tried that one out.

Have you tried it as I have it, with 110 being the non-NAT
and 120,130 being the ones used in the VPN configuration?

 
I have three IPSec VPNs tied to my PIX, and have no problems. My config is similar to what ianbla suggests, although I've aggregated the addresses into a single supersetted block. This works fine for the NAT entries, but not for the crypto maps. In ianbla's example, if 110 is used for the (no)NAT entry and 120 and 130 are applied to separate crypto maps, it should work.
 
Yes, I have tried it and it works.
So it means that if we have x VPNs we need to have x ACLs plus an additional ACL including the other x, and then we apply nat 0 only to the additional ACL.
Fine, I am happy.
Thanks to everybody for your suggestions.
 
Hi Silvia,

Glad to see it works, I shall be trying it on mine later in the week.

Phew!!!
 
Hey, do you know if it is possible to insert comments or descriptions in the VPN settings to easily recognize one VPN from another?
In Cisco routers there is the command "description", but I think it doesn't exist in PIX.

Any idea?
 
In my PIX ACLs I don't use numbers, like access-list 110. I use the name of the office, i.e. access-list boise, or access-list portland, etc.

That way I don't get too confused.
 
Because the PIX cannot nat 0 more than one ACL, I have just eventually got round to doing this.

I have an access-list for customer ABC; I also have one for our new customer XYZ.

I now have a noNAT access-list with all entries from both ABC & XYZ.

I have told the PIX not to NAT this traffic with nat (inside) 0 access-list noNAT; this used to be nat (inside) 0 access-list ABC.

This seems to work fine; the strange thing is that the ABC link seems to run much faster than it ever did since this change was made. Has anybody got any ideas why this would be?
 
For your use, do like me (I have 17 IPSEC VPNs):

access-list inside_outbound_nat0_acl permit ip PHG 255.255.0.0 DNIEPR 255.255.0.0
access-list inside_outbound_nat0_acl permit ip PHG 255.255.0.0 FM2I-UKRAINE 255.255.0.0
access-list inside_outbound_nat0_acl permit ip host ACTEON host allegro

access-list crypto_80 permit ip PHG 255.255.0.0 DNIEPR 255.255.0.0
access-list crypto_90 permit ip PHG 255.255.0.0 FM2I-UKRAINE 255.255.0.0
access-list crypto_60 permit ip host ACTEON host allegro

nat (inside) 0 access-list inside_outbound_nat0_acl

One of my crypto maps:
crypto map outside_dyn_map 80 ipsec-isakmp
crypto map outside_dyn_map 80 match address crypto_80
crypto map outside_dyn_map 80 set peer 194.xxx.xxx.xxx
crypto map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_dyn_map 80 set security-association lifetime seconds 1800 kilobytes 4608000

Do it like this, it must work ;o)
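As an added example (not from any poster in this thread, and not a Cisco tool), a small Python check for the pattern the thread settles on: it parses PIX 6.x access-list lines and reports every crypto ACL entry that the single nat 0 ACL does not fully cover, which is exactly the traffic that would fall through to nat (inside) 1 and trigger "No translation group found". The ACL names and the two sample configs are constructed from the subnets quoted above.

```python
"""Check that a PIX 'nat (inside) 0' ACL covers every crypto-map ACL entry.
Added example, not from the thread: a crypto ACL entry absent from the nat 0
ACL falls through to 'nat (inside) 1' and hits 'No translation group found'."""
import ipaddress
import re

# PIX 6.x: 'access-list NAME permit ip SRC MASK DST MASK', where an endpoint
# may be 'host A.B.C.D'; each endpoint yields three groups (host, addr, mask).
_EP = r"(?:host (\S+)|(\S+) (\S+))"
_LINE = re.compile(rf"access-list (\S+) permit ip {_EP} {_EP}")

def _net(host, addr, mask):
    """Convert a parsed endpoint into an ip_network (/32 for 'host')."""
    if host:
        return ipaddress.ip_network(f"{host}/32")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        m = _LINE.match(line.strip())
        if m:
            name, sh, sa, sm, dh, da, dm = m.groups()
            acls.setdefault(name, []).append((_net(sh, sa, sm), _net(dh, da, dm)))
    return acls

def uncovered_crypto_entries(config, nat0_acl, crypto_acls):
    """Per crypto ACL, list 'src -> dst' pairs no single nat 0 entry contains."""
    acls = parse_acls(config)
    nat0 = acls.get(nat0_acl, [])
    return {
        name: [f"{s} -> {d}" for s, d in acls.get(name, [])
               if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)]
        for name in crypto_acls
    }

# Constructed samples using the thread's subnets: the failing first attempt
# (nat 0 bound to ACL 110 only) and the working aggregate noNAT ACL.
BROKEN = """
access-list 110 permit ip host 10.0.4.58 192.168.50.0 255.255.255.0
access-list 120 permit ip 192.168.170.0 255.255.255.0 192.168.175.0 255.255.255.0
"""
FIXED = """
access-list noNAT permit ip 10.0.4.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list noNAT permit ip 192.168.170.0 255.255.255.0 192.168.175.0 255.255.255.0
access-list 120 permit ip 10.0.4.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 130 permit ip 192.168.170.0 255.255.255.0 192.168.175.0 255.255.255.0
"""
```

Running `uncovered_crypto_entries(BROKEN, "110", ["110", "120"])` flags the 192.168.170.0/24 pair that produced the error in the thread, while the FIXED config reports nothing uncovered for ACLs 120 and 130.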

 