Re: Pix 501 Tunnelling problem

James wrote:

access-list no-nat deny tcp host 10.0.0.2 host 1.1.2.2 eq smtp
access-list no-nat permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0

You may also need to add the deny rule to your Crypto Access-List
otherwise the PIX will still try to send the packets over the VPN.

This is exactly what I've done. I can see the pix create a NAT entry for
it in the sh xlate table, but the packet never exits the outside interface.
I use capture on the outside interface to see traffic. I'm thinking maybe
the deny statement in the crypto access list is forcing the pix to drop
the packet?

Surprisingly enough, editing the crypto map on my side doesn't break the
tunnel.

access-list inside_outbound_nat0_acl deny ip host 10.0.0.2 host 1.1.2.2
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0
access-list outside_cryptomap_20 deny ip host 10.0.0.2 host 1.1.2.2
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0


Maybe the 10.0.0.0/24 <-> 1.1.2.0/24 mappings on both ends match, so that
the VPN doesn't break; I would expect it to break if I changed it to
several smaller subnets to exclude the mail server that way, though.

This may not be possible to accomplish at all.
Is it possible to put a route map on the incoming interface, sending the
packet out the outside interface instead? I could create the route map
but didn't find a way to put it on the interface. I don't know the
correct pix 6.3 syntax.

-SAto
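As an added illustration, not part of SAto's post or of James's reply, here is the full set of PIX 6.3 lines that the host exclusion discussed above depends on, so that the pieces can be checked together. The two access lists are the ones from the post; the nat/global lines, the crypto map binding and the capture are what the post does not show. The crypto map name `outside_map`, the peer address `1.1.2.1`, the transform set `ESP-3DES-SHA`, the global pool id `1` and the capture names are assumptions made for the example, not values from the thread.

```cisco
! Added example, not from the post. outside_map, 1.1.2.1, ESP-3DES-SHA,
! pool id 1 and the capture names are assumed for illustration.

! 1. Exempt site-to-site traffic from NAT, except the mail-server flow.
access-list inside_outbound_nat0_acl deny ip host 10.0.0.2 host 1.1.2.2
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl

! 2. The excluded flow must still match an ordinary NAT rule, otherwise
!    there is no translation at all and nothing leaves the outside interface.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

! 3. Same deny in the crypto ACL so the flow is not selected for IPsec.
access-list outside_cryptomap_20 deny ip host 10.0.0.2 host 1.1.2.2
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 1.1.2.0 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.1.2.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! 4. Existing translations are not re-evaluated against changed NAT rules;
!    flush them so the next SMTP connection is classified afresh.
clear xlate

! 5. Checks. The SA for the tunnel should still carry the /24 <-> /24
!    proxy identities, i.e. the deny line does not change what the peer sees.
show crypto ipsec sa

!    On the outside interface the excluded packet has already been PATed,
!    so match on the destination only; a capture on "host 10.0.0.2" there
!    would never see it even when it does leave in clear.
access-list cap-acl permit ip any host 1.1.2.2
capture capout access-list cap-acl interface outside
show capture capout
```

The capture filter is the check to get right before concluding the packet was dropped: once `nat (inside) 1` applies, the source address on the outside wire is the interface address, not 10.0.0.2, so a capture keyed on the inside address will show nothing whether or not the packet went out.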
