
Configuring VPN for a server that is also accessible from the Internet

Unanswered Question
Nov 2nd, 2003

Not sure if someone has already posted this question before; if so, please refer me to the link.

I am trying to configure a server to initiate a VPN tunnel to a remote server and at the same time allow the server to be accessible from the Internet. The problem is that once I configure a static translation for the server 192.168.11.193, the VPN doesn't want to work. Please advise, because I am not very sure of the characteristics of PIX VPN.

The following is the configuration:


access-list 101 permit ip 192.168.11.0 255.255.255.0 192.100.86.0 255.255.255.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.100.86.0 255.255.255.0
access-list 100 permit icmp any any
access-list 100 permit tcp any host aa.aa.124.165 eq ssh
ip address outside aa.aa.124.164 255.255.255.0
ip address inside 192.168.11.1 255.255.255.0
static (inside,outside) aa.aa.124.165 192.168.11.193 255.255.255.255
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 cc.cc.124.1 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set cp-digi esp-3des esp-md5-hmac
crypto map peer-1 1 ipsec-isakmp
crypto map peer-1 1 match address 101
crypto map peer-1 1 set peer xx.xx.128.195
crypto map peer-1 1 set transform-set cp-digi
crypto map peer-1 interface outside
isakmp enable outside
isakmp key XXXXXX address xx.xx.128.195 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

Thanks,

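As an added illustration (not from the original post and not Cisco's own tooling), the following Python model shows the ordering question behind the symptom: the crypto map ACL is evaluated against the source address as it appears after outbound translation, so whether the static or the nat 0 exemption is applied first decides whether traffic from 192.168.11.193 still matches access-list 101. It parses the relevant lines of the posted configuration; the masked public address aa.aa.124.165 is treated as an opaque placeholder string, and which rule wins is a parameter because that depends on the PIX software release.

```python
import ipaddress

# Relevant lines of the posted PIX configuration (constructed subset of the post).
CONFIG = """
access-list 101 permit ip 192.168.11.0 255.255.255.0 192.100.86.0 255.255.255.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.100.86.0 255.255.255.0
static (inside,outside) aa.aa.124.165 192.168.11.193 255.255.255.255
nat (inside) 0 access-list nonat
"""

def parse(config):
    """Collect 'permit ip' ACL entries, static translations and the nat 0 ACL name."""
    acls, statics, exempt_acl = {}, [], None
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src = ipaddress.ip_network(f"{t[4]}/{t[5]}")
            dst = ipaddress.ip_network(f"{t[6]}/{t[7]}")
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "static":          # static (inside,outside) GLOBAL LOCAL MASK
            statics.append((ipaddress.ip_network(f"{t[3]}/{t[4]}"), t[2]))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            exempt_acl = t[4]
    return acls, statics, exempt_acl

def acl_matches(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)

def source_after_nat(acls, statics, exempt_acl, src, dst, exemption_first):
    """Source the crypto map sees; exemption_first = nat 0 checked before static (assumed)."""
    exempted = exempt_acl is not None and acl_matches(acls[exempt_acl], src, dst)
    if exemption_first and exempted:
        return str(src)                              # left untranslated
    for local, global_addr in statics:
        if src in local:
            return global_addr                       # static translation applied
    return str(src)                                  # exempt or no static: untranslated

def tunnel_selected(config, src, dst, exemption_first):
    """Return (matches crypto ACL 101?, source address the crypto map saw)."""
    acls, statics, exempt_acl = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    seen = source_after_nat(acls, statics, exempt_acl, src, dst, exemption_first)
    try:
        seen_ip = ipaddress.ip_address(seen)
    except ValueError:          # opaque public placeholder: cannot be in 192.168.11.0/24
        return False, seen
    return acl_matches(acls["101"], seen_ip, dst), seen
```

Running it for the translated host shows the tunnel is selected only when the exemption is honoured first; any other inside host matches access-list 101 regardless, which is consistent with the VPN working before the static was added.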
j-block Thu, 11/06/2003 - 08:22

I don't think this is possible on the PIX. Have you tried it with any other firewall before?

philipmusa Mon, 11/10/2003 - 17:24

Cris,

The peer is a Checkpoint Firewall. The VPN works when the STATIC command is not configured. Once I configured the translation for the server, the VPN ceased to initialise. Is there any sample configuration or documentation with this kind of setup? I have searched through the Cisco web site but to no avail. I'll advise the customer to capture a debug log for this.

Thanks
