pix nat questions
- From: lfnetworking <_bill_@xxxxxxxxxxxxxxxxx>
- Date: Tue, 29 Nov 2005 04:12:19 GMT
checked these two docs out already, but, still no cigar.
objective: a)map inside 192.168.3.0/24 to 172.16.7.0/24 (net A)
b)build tunnel for traffic from 172.16.7.0/24 host 10.35.240.23(net B)
net A has a pix running 6.3(5) and net B, a vpn concentrator. ******************************************* pix cfg
crypto map * 10 ipsec-isakmp crypto map * 10 set peer * crypto map * 10 set transform-set 3des crypto map * 10 match address vpn
#using an acl that just tests tunnel from a host on net A, gets me past phase 1. Also, in this setup, I have a policy map nat acl to map a single address on the 192.168.3 net to a single address on the 172.16.7 net. and i'm not clear on whether i should be using a nat statement to policy map the vpn traffic or a static. i'm also not sure what if any of these blocks should be in the nat 0 statement.
#but if i use the acl i believe i eventually need... access-list vpn line 1 permit ip host 172.16.7.0 255.255.255.0 host 10.35.240.23
#i get, IPSEC(sa_initiate): ACL = deny; no sa created
pix(config)# sh crypto map
Crypto Map: "*" interfaces: { outside }Crypto Map "*" 10 ipsec-isakmp
Peer = *
access-list vpn; 1 elements
access-list vpn line 1 permit ip 172.16.7.0 255.255.255.0 host 10.35.240.23
Current peer: *
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ 3des, }
.
- Prev by Date: Aironet and EAP-FAST
- Next by Date: Re: NAT: address not stolen for
- Previous by thread: Aironet and EAP-FAST
- Next by thread: No routing after AD password change (PIX + IAS + PPTP VPN)
- Index(es):
Relevant Pages
|
|
