PIX VPN with overlapping networks 2

heskia321

MIS
Jun 24, 2003
5
DK
I have been trying to set up a VPN between a Cisco VPN 3000 concentrator and a PIX 506.
I need to be able to FTP from a host behind the PIX to a host "behind" the concentrator.
The problem is that the concentrator already knows of the PIX's internal subnet (e.g. 192.168.2.x) from another configuration, and therefore I need to translate the PIX inside address to some unknown (other) address.

For instance, I want to make sure that the concentrator sees the host behind the PIX not as e.g. 192.168.2.10 but as e.g. 192.168.99.5.

The current config has a global (outside) 1 interface statement and nat (inside) 1 0.0.0.0 0.0.0.0 0 0.
The access-list is permit ip 192.168.2.0 255.255.255.0 host 10.30.x.x (the host "behind" the concentrator).

How do I make the particular host behind the PIX (only for this VPN FTP connection) take a different subnet (192.168.99.5) and not the standard internal or any outside address?

Can I declare a global (outside) 2 and hook the access-lists with the interesting traffic to a new nat (inside) 2?

Any help is greatly appreciated.
 
Hi tbissett

Thanks for the very speedy reply.

I have the doc from Cisco and have tried to do just that. The problem (for me, since I am a rookie) is that the second static command they make conflicts with one or more existing static statements and I get an "error" containing the wording overlapping/redundant something...

As I see it, it will also make all traffic, whether for VPN or regular Internet use, use the new "fictive" address in the static they make. Not just the VPN traffic.

 
Maybe it would help if I were more specific :)

In short, I need to FTP from our inside host 192.168.7.x to the client's inside host 10.30.10.x through my PIX and his Cisco 3000 concentrator.
However, the concentrator on his side knows of our subnet 192.168.x.x (from another of his configs), which is why I have tried to translate our subnet 192.168.7.x to the "fictive" subnet 192.168.10.x.
The PIX does not know of the subnet of the other host 10.30.10.x, which is why I have not made a bi-directional static.

However, while applying the suggestions in the paper "Configuring PIX in a site-to-site VPN with overlapping networks" I got the message overlapping/redundant something when I did the static (inside,outside) 192.168.10.0 192.168.7.0, and I understand that it is malicious now that my other statics have been told to translate to the global outside and are also being told to translate to 192.168.10.0, which is the new "fictive" subnet.

The following is part of my config:

---------------------------------------------------------
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
new line --> access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.x.x 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 80.63.x.x 255.255.255.248
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 80.63.x.x 192.168.x.x netmask 255.255.255.255 0 0
static (inside,outside) 80.63.x.x 192.168.x.x netmask 255.255.255.255 0 0
static (inside,outside) 80.63.x.x 192.168.x.x netmask 255.255.255.255 0 0
static (inside,outside) 80.63.x.x 192.168.x.x netmask 255.255.255.255 0 0
static (inside,outside) 62.242.x.x 192.168.x.x netmask 255.255.255.255 0 0
static (inside,outside) 62.242.x.x 192.168.x.x netmask 255.255.255.255 0 0
static (inside,outside) 62.242.x.x 192.168.x.x netmask 255.255.255.255 0 0
static (inside,outside) 62.242.x.x 192.168.x.x netmask 255.255.255.255 0 0
static (inside,outside) 62.242.x.x 192.168.x.x netmask 255.255.255.255 0 0
static (inside,outside) 62.242.x.x 192.168.x.x netmask 255.255.255.255 0 0
static (inside,outside) 62.242.x.x 192.168.x.x netmask 255.255.255.255 0 0
new line --> static (inside,outside) 192.168.10.0 192.168.x.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 80.63.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
new line --> crypto ipsec transform-set cosmo esp-3des esp-md5-hmac
new line --> crypto map cosmo 10 ipsec-isakmp
new line --> crypto map cosmo 10 match address 101
new line --> crypto map cosmo 10 set peer 192.38.x.x
new line --> crypto map cosmo 10 set transform-set cosmo
new line --> crypto map cosmo interface outside
new line --> isakmp enable outside
new line --> isakmp key ******** address 192.38.x.x netmask 255.255.255.240
new line --> isakmp identity address
new line --> isakmp policy 1 authentication pre-share
new line --> isakmp policy 1 encryption 3des
new line --> isakmp policy 1 hash md5
new line --> isakmp policy 1 group 1
new line --> isakmp policy 1 lifetime 86400

telnet timeout 5
---------------------------------------------------------
How do I handle this situation?

Regards,
Daniel
 
Assuming you have already covered that network in another of the statics, yes, the PIX will not let you do two different statics for the same host.

To compound the problem, if you translate your inside hosts to the new fictitious subnet of 192.168.10.x, they will not be able to get to the Internet after this is done. That's because they would appear on the outside as a 192.168 address, which is not routable.

So, how to do this... I think it would be better to apply the translation on the VPN concentrator side, as the traffic is coming in. Since it is the VPN concentrator that needs to see the traffic differently, it makes more sense to apply the NAT on that end instead of on the PIX. This can be done if your concentrator has software version 6.3 or above.

Here's a separate doc that talks about how to do NAT on a VPN 3000.

Hope this helps!
 
Hi.

First, change this:
global (outside) 1 interface
To this:
no global (outside) 1 interface
global (outside) 1 80.63.x.x

So you can better differentiate between the PIX's own traffic and internal hosts' traffic. You'll see why in the next paragraph.

Then you can try the standard translation used at the PIX side.
I mean: simply do not use any "nat 0" or special "static" commands at the PIX side; then (I think, not sure) the traffic from PIX clients to the main site will be translated to the unique registered IP address by "global (outside) 1 80.63.x.x", the same method used for general Internet access.

With the VPN configuration, you should modify both the PIX and the concentrator so that the "interesting traffic" is now traffic between 80.63.x.x and the FTP server. (The FTP server can still be accessed with private addressing.)

Did you get the idea?
Make it simple.
Make it simple.

Bye



Yizhar Hurwitz
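As an added illustration (not part of the thread, and not Cisco's or any poster's code), the following Python models the three points discussed above: Daniel's "overlapping/redundant" error when a network static covers hosts that already have one-to-one statics, tbissett's point that a host translated to 192.168.10.x is not reachable from the Internet, and Yizhar's approach of letting the global (outside) address be the VPN source and writing the crypto ACL against it. The model assumes PIX 6.x ordering (a matching static wins over nat/global, and the crypto map's match address is evaluated on the already translated source). All addresses are constructed for the example; 192.0.2.x stands in for the redacted 80.63.x.x outside addresses, and the exact error text the PIX prints is not reproduced.

```python
"""Toy model of PIX 6.x outbound address translation (added example, not Cisco code).

Assumptions modelled: a matching static wins over nat/global; the PIX refuses a
static whose real or mapped range overlaps an existing one; the crypto-map ACL is
evaluated against the post-NAT source address. Addresses are constructed."""
import ipaddress
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
# RFC 1918 space: never routable on the public Internet
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Static:
    """One 'static (inside,outside) <mapped> <real> netmask <mask> 0 0' line."""

    def __init__(self, line: str):
        parts = line.split()
        if parts[0] != "static" or parts[4] != "netmask":
            raise ValueError(f"not a static command: {line!r}")
        mask = parts[5]
        self.mapped: Net = ipaddress.ip_network(f"{parts[2]}/{mask}", strict=False)
        self.real: Net = ipaddress.ip_network(f"{parts[3]}/{mask}", strict=False)

    def overlaps(self, other: "Static") -> bool:
        return self.real.overlaps(other.real) or self.mapped.overlaps(other.mapped)


class PixNat:
    def __init__(self, global_addr: str):
        # 'global (outside) 1 <addr>' paired with 'nat (inside) 1 0 0': PAT for all other hosts
        self.global_addr: IPv4 = ipaddress.ip_address(global_addr)
        self.statics: List[Static] = []

    def add_static(self, line: str) -> Optional[str]:
        """Accept the line, or return the reason the PIX would refuse it."""
        new = Static(line)
        for old in self.statics:
            if old.overlaps(new):
                return f"overlaps existing static {old.mapped} <- {old.real}"
        self.statics.append(new)
        return None

    def translate(self, inside_host: str) -> IPv4:
        """Outside address an inside host appears as."""
        host = ipaddress.ip_address(inside_host)
        for s in self.statics:  # static translations take precedence over nat/global
            if host in s.real:
                offset = int(host) - int(s.real.network_address)
                return ipaddress.ip_address(int(s.mapped.network_address) + offset)
        return self.global_addr  # otherwise PAT behind the global address


def internet_routable(addr: IPv4) -> bool:
    """A private source address gets no answer from the public Internet."""
    return not any(addr in n for n in PRIVATE)


def vpn_interesting(pix: PixNat, inside_host: str, dst: str, acl: Tuple[str, str]) -> bool:
    """Does the crypto-map ACL (src_net, dst_net) match this flow after translation?"""
    src_net, dst_net = (ipaddress.ip_network(n) for n in acl)
    return pix.translate(inside_host) in src_net and ipaddress.ip_address(dst) in dst_net


if __name__ == "__main__":
    pix = PixNat("192.0.2.1")  # constructed stand-in for 'global (outside) 1 80.63.x.x'
    pix.add_static("static (inside,outside) 192.0.2.10 192.168.7.10 netmask 255.255.255.255 0 0")
    # the network static from the Cisco paper collides with the existing host static
    print(pix.add_static("static (inside,outside) 192.168.10.0 192.168.7.0 netmask 255.255.255.0 0 0"))
    # with no special static, the host leaves as the global address and the ACL must name it
    print(vpn_interesting(pix, "192.168.7.20", "10.30.10.5", ("192.0.2.1/32", "10.30.10.0/24")))
```

Run with `python3 pixnat.py`: the first print shows the overlap that the PIX refuses, the second shows Yizhar's variant matching the crypto ACL once the ACL names the global address rather than 192.168.7.0/24. Build a second `PixNat` with only the 192.168.10.0 network static to see the other half of tbissett's point: `translate("192.168.7.20")` returns 192.168.10.20, which `internet_routable` rejects.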
 
Hi Yizhar,
Firstly, thanks for the elaborate reply.

I have come back from a week of holidays and have found that my colleague has asked the other party with the Cisco 3000 to use EzVPN in order not to mess with the existing setup.

We will give that a try tomorrow and see how we go, and if unsuccessful, venture down your path and let you know.

Again, thanks for the reply, and I do get your drift to use the outside address instead of the internal subnet.

\daniel heskia