11-02-2003 07:04 PM - edited 02-21-2020 12:51 PM
Not sure if someone has already posted this question before; if so, please refer me to the link.
I am trying to configure a server to initiate a VPN tunnel to a remote server and at the same time allow the server to be accessible from the Internet. The problem is that once I configure a static translation for the server 192.168.11.193, the VPN doesn't want to work. Please advise, because I am not very sure of the characteristics of PIX VPN.
The following is the configuration:
access-list 101 permit ip 192.168.11.0 255.255.255.0 192.100.86.0 255.255.255.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.100.86.0 255.255.255.0
access-list 100 permit icmp any any
access-list 100 permit ip any host aa.aa.124.165 eq ssh
ip address outside aa.aa.124.164 255.255.255.0
ip address inside 192.168.11.1 255.255.255.0
static (inside,outside) aa.aa.124.165 192.168.11.193 255.255.255.255
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 cc.cc.124.1 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set cp-digi esp-3des esp-md5-hmac
crypto map peer-1 1 ipsec-isakmp
crypto map peer-1 1 match address 101
crypto map peer-1 1 set peer xx.xx.128.195
crypto map peer-1 1 set transform-set cp-digi
crypto map peer-1 interface outside
isakmp enable outside
isakmp key XXXXXX address xx.xx.128.195 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
Thanks,
11-06-2003 08:22 AM
I don't think this is possible on the PIX. Have you tried it with any other firewall before?
11-08-2003 02:05 AM
What is the config of the IPsec peer of this PIX? It would be best to run debugs on the PIX as in:
http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
to see where it is failing, and whether the peer's IP address is somehow different.
11-10-2003 05:24 PM
Cris,
The peer is a Checkpoint firewall. The VPN works when the STATIC command is not configured. Once I configured the translation for the server, the VPN ceases to initialise. Is there any sample configuration or documentation for this kind of setup? I have searched through the Cisco web site but to no avail. I'll advise the customer to capture a debug log for this.
Thanks
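The interaction the thread is circling around is the order in which the PIX applies its inside-to-outside translation rules and the fact that the crypto map's match ACL (access-list 101) is compared against the source address as it appears on the outside interface, i.e. after translation. If the NAT exemption (nat (inside) 0 access-list nonat) wins for traffic from 192.168.11.193 to 192.100.86.0/24, the source stays inside 192.168.11.0/24 and ACL 101 still matches; if the static wins, the source becomes the public address and the packet never enters the tunnel. The small model below is an added example, not code from the thread or from Cisco: it replaces the masked public octets (aa.aa.124.x) with documentation addresses from 198.51.100.0/24 and 203.0.113.0/24, treats the three rules in the poster's config as an ordered list, and reports whether the server's and an ordinary host's traffic would be encrypted under an "exemption first" order (the order the PIX 6.3 documentation describes, assumed here) and under a hypothetical "static first" order for contrast.

```python
import ipaddress

# Constructed model of the thread's PIX configuration. The masked public
# octets (aa.aa.124.x) are replaced with documentation addresses; that
# substitution is an assumption, not the poster's data.
INSIDE_SERVER = "192.168.11.193"    # static (inside,outside) aa.aa.124.165 192.168.11.193
STATIC_OUTSIDE = "198.51.100.165"   # stands in for aa.aa.124.165
OUTSIDE_IF = "198.51.100.164"       # stands in for aa.aa.124.164 (global (outside) 1 interface)

LOCAL_NET = ipaddress.ip_network("192.168.11.0/24")
REMOTE_NET = ipaddress.ip_network("192.100.86.0/24")

# access-list 101 and access-list nonat are the same single entry in the post.
ACL_101 = [(LOCAL_NET, REMOTE_NET)]
ACL_NONAT = [(LOCAL_NET, REMOTE_NET)]
STATICS = {INSIDE_SERVER: STATIC_OUTSIDE}


def acl_permits(acl, src, dst):
    """True if any (source net, destination net) entry of the ACL covers src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


def translate_source(src, dst, order):
    """Apply the inside->outside NAT rules in the given order; the first rule
    that matches wins and its result is the source address seen on 'outside'.
    Rule names: 'nat0'   = nat (inside) 0 access-list nonat (NAT exemption)
                'static' = the static translation for the server
                'nat1'   = nat (inside) 1 0 0 with global (outside) 1 interface (PAT)."""
    for rule in order:
        if rule == "nat0" and acl_permits(ACL_NONAT, src, dst):
            return src                  # exempt: address kept unchanged
        if rule == "static" and src in STATICS:
            return STATICS[src]         # one-to-one static translation
        if rule == "nat1":
            return OUTSIDE_IF           # catch-all PAT to the interface address
    return src


def uses_tunnel(src, dst, order):
    """The crypto map 'peer-1' matches ACL 101 against the post-translation
    source, so only a source still inside 192.168.11.0/24 is encrypted."""
    return acl_permits(ACL_101, translate_source(src, dst, order), dst)


# Order the PIX 6.3 documentation gives (assumed here) versus a hypothetical
# order in which the static shadows the exemption.
EXEMPTION_FIRST = ("nat0", "static", "nat1")
STATIC_FIRST = ("static", "nat0", "nat1")


def report(order):
    """Summarise the server's and an ordinary host's fate under one NAT order."""
    return {
        "server_to_remote": uses_tunnel(INSIDE_SERVER, "192.100.86.10", order),
        "host_to_remote": uses_tunnel("192.168.11.50", "192.100.86.10", order),
        "server_to_internet": translate_source(INSIDE_SERVER, "203.0.113.7", order),
    }


if __name__ == "__main__":
    for name, order in (("exemption first", EXEMPTION_FIRST), ("static first", STATIC_FIRST)):
        print(name, report(order))
```

Under "exemption first" the server reaches 192.100.86.0/24 through the tunnel and still answers on its public address for everything else, which is the behaviour the poster wants; under "static first" only hosts without a static entry are encrypted, which matches the symptom reported (VPN fine until the static is added). The debug the second reply asks for is what distinguishes the two cases on a real box: a packet that leaves with the public source never triggers ISAKMP for the peer at all.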