Introduction
This document describes the steps used to translate (NAT) the VPN traffic from one end that travels over a LAN-to-LAN (L2L) IPsec tunnel between two security appliances, and also to PAT the Internet traffic. Each security appliance has a private protected network behind it.
The 192.168.1.0 network behind PIX-A is translated to the 172.18.1.0 network, and the VPN traffic is sent through the IPsec tunnel with the translated source addresses. This type of translation at the VPN endpoint is useful to avoid conflicts between identical (overlapping) networks behind the local and remote security appliances.
In an L2L VPN, you can normally initiate the IPsec tunnel from either tunnel endpoint. In this scenario, the PIX-A inside network (192.168.1.0) is translated to the 172.18.1.0 network with Policy NAT for VPN traffic. Because of this translation, the source network of the interesting traffic, 172.18.1.0, is not reachable from PIX-B. If you try to initiate the tunnel from PIX-B, the destination address of the VPN interesting traffic, 172.18.1.0 (that is, the translated network address of PIX-A), is not reachable. Therefore you must initiate the VPN tunnel only from PIX-A.
Prerequisites
Requirements
Ensure that you have configured the PIX Security Appliance with IP addresses on the interfaces and have basic connectivity before you proceed with this configuration example.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco PIX 500 Series Security Appliance that runs software version 7.x and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with the Cisco 5500 Series Adaptive Security Appliance that runs software version 7.x and later.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup:
Configurations
This document uses these configurations:
PIX-A
PIX-A#show running-config
PIX-B
PIX-B#show running-config
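The following PIX 7.x configuration is an added worked example that implements the translation described in the Introduction; it is not the document's running-config and is not reproduced from it. The peer addresses (172.17.1.1 and 172.16.1.2), the crypto map name and sequence number (outside_map 20), the crypto ACL names (new on PIX-A, 102 on PIX-B), their contents, and the transform (esp-aes-256 esp-sha-hmac) are taken from the show output in the Verify section. The interface names, the inside interface addresses, the policy-nat and nonat ACL names, the transform-set name, the ISAKMP policy values, the default-route next hops and the pre-shared key placeholder are assumptions.

```cisco
! ---- PIX-A (example configuration, assumed; not the document's running-config) ----
! Interface addresses other than the outside 172.17.1.1 are assumed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.17.1.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Policy NAT: 192.168.1.0/24 is presented as 172.18.1.0/24 only when the
! destination is the remote protected network 10.1.0.0/24 (ACL name assumed).
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
static (inside,outside) 172.18.1.0 access-list policy-nat
!
! Crypto ACL: NAT runs before encryption, so the interesting traffic is
! matched on the translated source network, not on 192.168.1.0/24.
access-list new extended permit ip 172.18.1.0 255.255.255.0 10.1.0.0 255.255.255.0
!
! PAT for all remaining inside traffic towards the Internet. The static
! policy NAT above is evaluated first, so VPN traffic never hits this rule.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Default route next hop is assumed.
route outside 0.0.0.0 0.0.0.0 172.17.1.2 1
!
! Phase 2: transform matches "esp-aes-256 esp-sha-hmac" from show crypto ipsec sa.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 172.16.1.2
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
!
! Phase 1 (ISAKMP policy values are assumed).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
!
! ---- PIX-B (example configuration, assumed; not the document's running-config) ----
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
! NAT exemption: 10.1.0.0/24 must reach PIX-A's translated network untranslated.
! Everything else from the inside is PATed to the outside interface address.
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 172.18.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.0.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
! Crypto ACL 102 mirrors ACL "new" on PIX-A. Its destination 172.18.1.0/24
! exists only as a translation on PIX-A, which is why the tunnel must be
! brought up from PIX-A.
access-list 102 extended permit ip 10.1.0.0 255.255.255.0 172.18.1.0 255.255.255.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address 102
crypto map outside_map 20 set peer 172.17.1.1
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
!
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
tunnel-group 172.17.1.1 type ipsec-l2l
tunnel-group 172.17.1.1 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
```

After the first interesting packet from 192.168.1.0/24 towards 10.1.0.0/24 leaves PIX-A, show nat on PIX-A should list the policy match with a static translation to 172.18.1.0 and incrementing translate_hits, and show xlate should show the network translation Global 172.18.1.0 Local 192.168.1.0, as in the Verify section. The order matters: the static policy NAT is consulted before the nat/global pair, so the same hosts use 172.18.1.0/24 inside the tunnel and the outside interface address for Internet traffic.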
Verify
Use this section in order to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT in order to view an analysis of show command output.
- show crypto isakmp sa—Shows all current IKE Security Associations (SAs) at a peer.
- show crypto ipsec sa—Shows the settings used by current SAs.
Sample Show Commands from PIX-A
PIX-A#show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.16.1.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
PIX-A#show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr: 172.17.1.1
access-list new permit ip 172.18.1.0 255.255.255.0 10.1.0.0 255.255.255.0
local ident (addr/mask/prot/port): (172.18.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
current_peer: 172.16.1.2
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.17.1.1, remote crypto endpt.: 172.16.1.2
path mtu 1500, ipsec overhead 76, media mtu 1500
current outbound spi: 95D66663
inbound esp sas:
spi: 0x9A4CB431 (2588718129)
transform: esp-aes-256 esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274999/28758)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x95D66663 (2513856099)
transform: esp-aes-256 esp-sha-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274999/28756)
IV size: 16 bytes
replay detection support: Y
PIX-A#show nat
NAT policies on Interface inside:
match ip inside 192.168.1.0 255.255.255.0 outside 10.1.0.0 255.255.255.0
static translation to 172.18.1.0
translate_hits = 5, untranslate_hits = 5
PIX-A#show xlate
1 in use, 2 most used
Global 172.18.1.0 Local 192.168.1.0
Show Commands from PIX-B
PIX-B#show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr: 172.16.1.2
access-list 102 permit ip 10.1.0.0 255.255.255.0 172.18.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.18.1.0/255.255.255.0/0/0)
current_peer: 172.17.1.1
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.17.1.1
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 9A4CB431
inbound esp sas:
spi: 0x95D66663 (2513856099)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 16384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824998/28712)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x9A4CB431 (2588718129)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 16384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824998/28712)
IV size: 16 bytes
replay detection support: Y
PIX-B#show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.17.1.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Troubleshoot
Clear Security Associations
When you troubleshoot, be sure to clear existing Security Associations after you make a change. In the privileged mode of the PIX, use these commands:
- clear crypto ipsec sa—Deletes the active IPsec SAs.
- clear crypto isakmp sa—Deletes the active IKE SAs.
Troubleshooting Commands
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT in order to view an analysis of show command output.
Note: Refer to Important Information on Debug Commands before you use debug commands.
- debug crypto ipsec—Displays the IPsec negotiations of Phase 2.
- debug crypto isakmp—Displays the ISAKMP negotiations of Phase 1.