
PIX 515e NoNat to two different VPNs

Feb 20, 2002
Hi all

OK, this one is passing me by, any help would be real nice, problem is this....

I have 2 subnets I connect to via VPN, I don't want to NAT the addresses, now I have set it up as shown below but this is never going to work due to the PIX not knowing which VPN link to use, I have tried adding another nat rule (nat (inside) 0 access-list nonatVPN2) but it overwrites the existing nat rule....

HELP!!!

access-list nonatinside permit ip 192.168.101.0 255.255.255.0 VPN1 255.255.255.0
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 VPN2 255.255.255.0

nat (inside) 0 access-list nonatinside

crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address nonatinside
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer xxx.xxx.xxx.xxx
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 15 ipsec-isakmp
crypto map outside_map 15 match address nonatinside
crypto map outside_map 15 set pfs
crypto map outside_map 15 set peer xxx.xxx.xxx.xxx
crypto map outside_map 15 set transform-set ESP-3DES-SHA

Thanks for looking
Simon
 
You need to use separate ACLs... one for your no-nat rule and two other ACLs, one for each VPN tunnel

nat (inside) 0 access-list nonatinside
crypto map outside_map 10 match address ACL1
crypto map outside_map 15 match address ACL2

your no-nat ACL is a combination of ACL1 and ACL2.
 
OK, thanks, still a little thing I don't get, so if I add what you have said I end up with this...

access-list ACL1 permit ip 192.168.101.0 255.255.255.0 VPN1 255.255.255.0
access-list ACL2 permit ip 192.168.101.0 255.255.255.0 VPN2 255.255.255.0

nat (inside) 0 access-list nonatinside

crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address ACL1
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer xxx.xxx.xxx.xxx
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 15 ipsec-isakmp
crypto map outside_map 15 match address ACL2
crypto map outside_map 15 set pfs
crypto map outside_map 15 set peer xxx.xxx.xxx.xxx
crypto map outside_map 15 set transform-set ESP-3DES-SHA

Now I understand how the "match address" works, but how do both ACL1 & ACL2 now interact with the NoNAT rule??

Simon
 
As themut has said, you have a separate no-nat acl which is a combination of ACL1 and ACL2, and then use that in the nat 0 command, eg

access-list nonatinside permit ip 192.168.101.0 255.255.255.0 VPN1 255.255.255.0
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 VPN2 255.255.255.0

nat (inside) 0 access-list nonatinside


CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Ahhh, yes, sorry, I got it now....

Thanks for your help.

Simon
 
Right, thought I had it, but it seems not, sorry, but I still can't get this to work, here is my config.....

Now I think the problem is that when I start a "terminal services" link to 192.168.3.254 (psifail), it looks like the firewall is trying to connect to crypto map 10, but it should be connecting to crypto map 15....

Any final ideas before I go hang myself??

access-list nonatinside permit ip 192.168.101.0 255.255.255.0 psidmz 255.255.255.0
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 psisec 255.255.255.0
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 psifail 255.255.255.0

access-list psifail_15 permit ip 192.168.101.0 255.255.255.0 psifail 255.255.255.0
access-list psisec_10 permit ip 192.168.101.0 255.255.255.0 psisec 255.255.255.0
access-list psisec_10 permit ip 192.168.101.0 255.255.255.0 psidmz 255.255.255.0

global (outside) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list nonatinside
nat (inside) 1 192.168.101.0 255.255.255.0 0 0

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address psisec_10
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer xxx.xxx.xxx.xxx
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 15 ipsec-isakmp
crypto map outside_map 15 match address psifail_15
crypto map outside_map 15 set pfs
crypto map outside_map 15 set peer xxx.xxx.xxx.xxx
crypto map outside_map 15 set transform-set ESP-3DES-SHA
 
What addresses do the three names map to, ie, psifail, psidmz and psisec?

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
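The two mistakes this thread walks through (one crypto ACL shared by both crypto map entries, and a crypto ACL whose networks are not all exempted by the nat 0 ACL) are easy to catch before a config is pushed. The script below is an added example, not code from the thread or from Cisco: a small standard-library Python linter that parses the access-list, nat 0 and crypto map lines of a PIX 6.x style config and reports an ACL used by more than one crypto map entry, a crypto ACL network pair missing from the nat 0 ACL, and two crypto ACLs for different peers that overlap (the PIX matches crypto map entries in sequence order, so an overlap sends traffic down the lower-numbered tunnel, which is the "terminal services to psifail goes to map 10" symptom). The sample configs, subnet values (10.1.1.0/24, 10.2.2.0/24 standing in for VPN1/VPN2) and peer addresses are constructed; only the netmask form of access-list lines is parsed, `host` and `any` keywords are ignored.

```python
"""Added example: lint PIX crypto-map / nat 0 consistency (stdlib only)."""
import ipaddress
import re
from collections import OrderedDict

# Only the "access-list NAME permit ip SRC MASK DST MASK" form is parsed;
# "host"/"any" keywords are an assumption this example does not handle.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")
CMAP_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+(match address|set peer)\s+(\S+)$")


def parse_config(text):
    """Return (acls, nat0_acl_name, crypto_map_entries) from config text."""
    acls = {}                 # name -> [(src_network, dst_network), ...]
    nat0 = None               # ACL named in "nat (inside) 0 access-list ..."
    cmaps = OrderedDict()     # (map name, seq) -> {"acl": ..., "peer": ...}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0 = m.group(1)
            continue
        m = CMAP_RE.match(line)
        if m:
            name, seq, kind, value = m.groups()
            entry = cmaps.setdefault((name, int(seq)), {})
            entry["acl" if kind == "match address" else "peer"] = value
    return acls, nat0, cmaps


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    acls, nat0, cmaps = parse_config(text)
    findings = []

    # 1. One crypto ACL must not serve several crypto map entries: only the
    #    lowest sequence number would ever match, so the second peer is unreachable.
    users = {}
    for key, entry in cmaps.items():
        if "acl" in entry:
            users.setdefault(entry["acl"], []).append(key)
    for acl, keys in users.items():
        if len(keys) > 1:
            seqs = ", ".join(f"{m} {s}" for m, s in keys)
            findings.append(f"ACL {acl} is the match address for several crypto map entries ({seqs})")

    # 2. Every crypto ACL network pair must be covered by the nat 0 ACL, or the
    #    PIX translates the source before it enters the tunnel.
    nat_pairs = acls.get(nat0, []) if nat0 else []
    for (mname, seq), entry in cmaps.items():
        for src, dst in acls.get(entry.get("acl"), []):
            covered = any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat_pairs)
            if not covered:
                findings.append(f"crypto map {mname} {seq}: {src} -> {dst} is not exempt from NAT by nat 0 ACL {nat0}")

    # 3. Crypto ACLs of different entries must not overlap; sequence order decides
    #    the winner, so overlapping traffic silently goes to the lower sequence.
    keys = list(cmaps)
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if cmaps[a].get("acl") == cmaps[b].get("acl"):
                continue  # already reported by check 1
            for sa, da in acls.get(cmaps[a].get("acl"), []):
                for sb, db in acls.get(cmaps[b].get("acl"), []):
                    if sa.overlaps(sb) and da.overlaps(db):
                        findings.append(f"crypto map {a[0]} {a[1]} and {b[0]} {b[1]} overlap on {sa}->{da} / {sb}->{db}")
    return findings


# Constructed samples: the thread's first config (one ACL for everything) and the
# corrected one (per-tunnel crypto ACLs, combined nat 0 ACL). IPs are placeholders.
BROKEN = """\
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonatinside
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address nonatinside
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 15 ipsec-isakmp
crypto map outside_map 15 match address nonatinside
crypto map outside_map 15 set peer 203.0.113.2
"""
FIXED = """\
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonatinside permit ip 192.168.101.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list ACL1 permit ip 192.168.101.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ACL2 permit ip 192.168.101.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonatinside
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address ACL1
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 15 ipsec-isakmp
crypto map outside_map 15 match address ACL2
crypto map outside_map 15 set peer 203.0.113.2
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(cfg) or "clean")
```

Run it as-is to see the shared-ACL finding on the first config and a clean result on the second; to reproduce the thread's last symptom, give the two crypto ACLs a common destination network and the overlap check names the pair of sequence numbers involved. Feeding a real config means replacing the `name` objects (psisec, psifail, psidmz) with their addresses first, which is exactly the information chicouk asked for.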
 
Thanks for the re-reply chicouk.

It now works, just me being stupid.

Ta
Simon
 
How about the peers' IP addresses? Are they matched to the correct tunnel?
 