Hi, 

[thanks to Dan, Willie and Dirk for some helpful comments on my earlier 
Pix NAT/PAT problem.  Different Pix, different problem now..]

I'm trying to set up a site-to-site VPN with two Cisco 2621 Routers and 
two Pixen.  Both 2621's have a VPN accelerator card, so these should do 
the VPN encapsulation.  There is a Pix between the 2621 and the public 
Internet on both sides.  Looks roughly like this:

SiteA --- 2621VPN --- Pix515 --- INET --- Pix506 --- 2621VPN --- SiteB

Both SiteA and SiteB use RFC1918 addresses, so the Pixen do NAT.  Let's 
assume the VPN config is correct for a moment.  I seem to be running into 
IPSec/NAT problems with this setup.

To illustrate, here's the same ASCII art with IP addresses:

[SiteA] 
 |
 |    10.0.0.0/24
 |
[2621VPN]
 | .2
 |    172.16.0.0/30
 | .1
[Pix515] outbound NAT/PAT, also has static x.x.0.19 -> 172.16.0.2 for VPN
 | .16
 |    x.x.0.0/24
 | .1
INTERNET
 | .1
 |    x.x.1.0/24
 | .32
[Pix506] outbound NAT/PAT, also has static x.x.1.34 -> 172.16.1.2 for VPN
 | .1
 |    172.16.1.0/30
 | .2
[2621VPN]
 |
 |    10.0.1.0/24
 |
[SiteB]

As the Pixen do NAT, I have to create static NAT entries so the "real" VPN 
peers (172.16.0.2 and 172.16.1.2) can reach each other using x.x.0.19 and 
x.x.1.34.

This does not work.  In debug mode on the 172.16.0.2 VPN router, I see an 
error message like "invalid local address 172.16.0.2".  I assume this is 
because I (obviously) needed to configure the registered x.x.0.19 and 
x.x.1.34 addresses for the VPN peers instead of the real 172.16.* addresses.  

Does this explain the "invalid local address" error message?  Any hints on 
how to deal with the IPSec/NAT issue?  I know I can do IPSec on the Pixen, 
but these Routers already have VPN accelerator cards, so they should handle 
the VPN stuff.

What do you think about simply swapping Router and Pix at each side of the 
diagram?  (like internal -> Pix -> 2621VPN -> Internet)


thanks for your help,
chakl
--
Olaf Schreck - [EMAIL PROTECTED] - Syscall Network Solutions AG, Berlin
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
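An added example, not from the post or the list, modelling the IPsec/NAT interaction the diagram above sets up: AH's integrity check covers the outer source address, so the Pix's static translation breaks it, while ESP tunnel mode survives a 1:1 static NAT but the far peer then sees the translated address and must be configured to expect it. 192.0.2.19 and 198.51.100.34 are placeholders for the post's x.x.0.19 and x.x.1.34; the key and packet contents are constructed.

```python
"""Constructed model of AH vs. ESP crossing a Pix static (1:1) NAT."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"        # integrity key shared by both peers
INNER_PEER = "172.16.0.2"            # real VPN router, from the post
NAT_PEER = "192.0.2.19"              # placeholder for x.x.0.19 (TEST-NET-1)
REMOTE = "198.51.100.34"             # placeholder for the far side x.x.1.34
STATIC_NAT = {INNER_PEER: NAT_PEER}  # Pix "static" entry, inside -> outside


def ip_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at zero for the model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def ah_icv(header: bytes, payload: bytes) -> bytes:
    """AH ICV: HMAC over the IP header with mutable fields (TTL, checksum)
    zeroed, plus the payload. Source and destination addresses ARE covered."""
    immutable = header[:8] + b"\x00" + header[9:10] + b"\x00\x00" + header[12:]
    return hmac.new(KEY, immutable + payload, hashlib.sha256).digest()


def esp_icv(payload: bytes) -> bytes:
    """ESP ICV: HMAC over the ESP header and encapsulated data only."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def pix_static_nat(header: bytes) -> bytes:
    """Outbound static NAT on the Pix: rewrite the source, decrement TTL."""
    src = str(ipaddress.ip_address(header[12:16]))
    new_src = ipaddress.ip_address(STATIC_NAT.get(src, src)).packed
    return header[:8] + bytes([header[8] - 1]) + header[9:12] + new_src + header[16:]


def verify_after_nat(mode: str, payload: bytes = b"spi+seq+inner-packet") -> dict:
    """Send one packet from the inside router through the Pix and report what
    the far peer sees: its source address and whether the ICV still verifies."""
    before = ip_header(INNER_PEER, REMOTE, 51 if mode == "ah" else 50)
    icv = ah_icv(before, payload) if mode == "ah" else esp_icv(payload)
    after = pix_static_nat(before)
    recomputed = ah_icv(after, payload) if mode == "ah" else esp_icv(payload)
    return {"seen_source": str(ipaddress.ip_address(after[12:16])),
            "integrity_ok": hmac.compare_digest(icv, recomputed)}


if __name__ == "__main__":
    for mode in ("ah", "esp"):
        print(mode, verify_after_nat(mode))
```

The far peer sees 192.0.2.19 in both modes, which is why the peer and identity configuration on each side has to reference the translated address rather than 172.16.x.x.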
