
| Subject: | Re: NAT and bypass NAT for IPSEC |
|---|---|
| Date: | Sat, 1 Apr 2006 11:44:05 -0500 |
Yes, there is a dynamically assigned IP address for outside interface...

On 3/31/06, david.byrne@bt.com <david.byrne@bt.com> wrote:
> Hi Ee,
>
> can you confirm you have an outside IP address to PAT to?
>
> Dave
>
> ------------------------------
> *From:* Ercan Elibol [mailto:ercanelibol@gmail.com]
> *Sent:* 25 March 2006 19:24
> *To:* firewalls@securityfocus.com
> *Subject:* NAT and bypass NAT for IPSEC
>
> I wanted to have a NAT config and bypass NAT for VOIP using IPSEC traffic, so I created a dhcp pool and ACLs only for IPSEC. The following configuration is only working for VOIP phone. NAT 1 does not work. Can anyone see what is wrong?
>
> thank you
> Ee
>
> PIX Version 6.3(4)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> access-list 101 permit ip host 10.168.20.17 10.168.10.0 255.255.255.128
> access-list 101 permit ip host 10.168.20.17 10.168.17.0 255.255.255.0
> access-list 101 permit ip host 10.168.20.17 10.168.11.0 255.255.255.0
> ip address outside dhcp setroute
> ip address inside 10.168.20.22 255.255.255.248
> global (outside) 1 interface
> nat (inside) 0 access-list 101
> nat (inside) 1 10.168.20.18 255.255.255.255 0 0
> sysopt connection permit-ipsec
> crypto ipsec transform-set myset esp-des esp-md5-hmac
> crypto map newmap 10 ipsec-isakmp
> crypto map newmap 10 match address 101
> crypto map newmap 10 set peer 11.27.19.20
> crypto map newmap 10 set transform-set myset
> crypto map newmap interface outside
> isakmp enable outside
> isakmp key xx address 11.27.19.20 netmask 255.255.255.255
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 1000
> console timeout 0
> dhcpd address 10.168.20.17-10.168.20.21 inside
> dhcpd dns 10.168.10.2
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd option 66 ascii 10.168.10.1
> dhcpd option 150 ip 10.168.10.1 10.168.10.2
> dhcpd enable inside
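
Added example, not part of the original messages: a small Python check that reads the `access-list`, `nat` and `dhcpd address` lines from the configuration posted above and reports, for each address in the DHCP pool, which `nat` statement's source matches it. The function names are hypothetical, and the parser handles only the line forms that appear in this post.

```python
import ipaddress
import re

# Relevant lines copied from the configuration posted in the message above.
CONFIG = """\
access-list 101 permit ip host 10.168.20.17 10.168.10.0 255.255.255.128
access-list 101 permit ip host 10.168.20.17 10.168.17.0 255.255.255.0
access-list 101 permit ip host 10.168.20.17 10.168.11.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 10.168.20.18 255.255.255.255 0 0
dhcpd address 10.168.20.17-10.168.20.21 inside
"""

def parse(config):
    """Return (ACL source hosts, nat 0 ACL name, nat networks by id, DHCP pool)."""
    acl_sources, nat0_acl, nat_nets, pool = {}, None, {}, []
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) permit ip host (\S+) ", line):
            acl_sources.setdefault(m[1], set()).add(ipaddress.ip_address(m[2]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nat0_acl = m[1]  # NAT exemption keyed on an ACL
        elif m := re.match(r"nat \(inside\) (\d+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}")
            nat_nets.setdefault(int(m[1]), []).append(net)
        elif m := re.match(r"dhcpd address (\S+)-(\S+) inside", line):
            first, last = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
            pool = [first + i for i in range(int(last) - int(first) + 1)]
    return acl_sources, nat0_acl, nat_nets, pool

def coverage(config):
    """Map each DHCP pool address to the nat statements whose source matches it."""
    acl_sources, nat0_acl, nat_nets, pool = parse(config)
    result = {}
    for addr in pool:
        rules = []
        if addr in acl_sources.get(nat0_acl, set()):
            rules.append(f"nat 0 (ACL {nat0_acl} destinations only)")
        rules += [f"nat {i}" for i, nets in sorted(nat_nets.items())
                  if any(addr in n for n in nets)]
        result[str(addr)] = rules
    return result

if __name__ == "__main__":
    for addr, rules in coverage(CONFIG).items():
        print(addr, "->", ", ".join(rules) or "no nat statement matches")
```

On the posted configuration, 10.168.20.17 matches only the `nat 0` exemption, 10.168.20.18 matches `nat 1`, and 10.168.20.19 through 10.168.20.21 match no `nat` statement.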