Configuring VPN for a server that is also accessible from the Internet

philipmusa
Level 1

Not sure if someone has already posted this question before; if so, please refer me to the link.

I am trying to configure a server to initiate a VPN tunnel to a remote server and at the same time allow the server to be accessible from the Internet. The problem is that once I configure a static translation for the server 192.168.11.193, the VPN doesn't want to work. Please advise, because I am not very sure of the characteristics of PIX VPN.

The following is the configuration:

! Interesting traffic for the crypto map (101) and the NAT exemption (nonat)
! cover the same inside-to-remote pair, as they must for a LAN-to-LAN tunnel.
access-list 101 permit ip 192.168.11.0 255.255.255.0 192.100.86.0 255.255.255.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.100.86.0 255.255.255.0
! Inbound policy on the outside interface. "eq ssh" needs a tcp (or udp)
! protocol keyword; "ip ... eq ssh" is not accepted by the PIX parser.
access-list 100 permit icmp any any
access-list 100 permit tcp any host aa.aa.124.165 eq ssh
ip address outside aa.aa.124.164 255.255.255.0
ip address inside 192.168.11.1 255.255.255.0
! One-to-one static so the server is reachable from the Internet
static (inside,outside) aa.aa.124.165 192.168.11.193 255.255.255.255
! Exempt VPN traffic from NAT; everything else is PAT'ed to the outside interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 cc.cc.124.1 1
! Let decrypted IPsec traffic bypass the interface ACL
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set cp-digi esp-3des esp-md5-hmac
crypto map peer-1 1 ipsec-isakmp
crypto map peer-1 1 match address 101
crypto map peer-1 1 set peer xx.xx.128.195
crypto map peer-1 1 set transform-set cp-digi
crypto map peer-1 interface outside
isakmp enable outside
isakmp key XXXXXX address xx.xx.128.195 netmask 255.255.255.255
! Phase 1 policy: 3DES, MD5 and DH group 1 (768-bit) are weak by current
! standards and should only be kept if the peer cannot do better.
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

Thanks,
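The interaction the post is hitting is between NAT and crypto map matching: on the PIX the crypto map ACL (101 here) is compared against the packet after translation, so if the static for 192.168.11.193 is applied to traffic bound for 192.100.86.0/24, the source becomes aa.aa.124.165, ACL 101 no longer matches, and no IPsec SA is ever initiated. The nat 0 access-list exists precisely to keep that traffic untranslated. The script below is an added example, not from the original post or from Cisco: it models the posted nat 0, static and nat/global rules as a small pipeline and evaluates a few constructed flows under two orderings, NAT exemption first (the order Cisco documents for PIX 6.3) and static first (which reproduces the reported symptom). The public addresses are masked in the post, so 198.51.100.165 and 198.51.100.164 are assumed stand-ins for aa.aa.124.165 and aa.aa.124.164, and 192.0.2.10 is a constructed Internet host.

```python
import ipaddress

# Addresses from the posted config; the aa.aa.124.x values are masked in the
# post, so TEST-NET-2 addresses stand in for them here (assumption).
INSIDE_SERVER = ipaddress.ip_address("192.168.11.193")
STATIC_PUBLIC = ipaddress.ip_address("198.51.100.165")   # stands in for aa.aa.124.165
OUTSIDE_IF    = ipaddress.ip_address("198.51.100.164")   # stands in for aa.aa.124.164
INSIDE_NET    = ipaddress.ip_network("192.168.11.0/24")
REMOTE_VPN    = ipaddress.ip_network("192.100.86.0/24")

# access-list 101 and access-list nonat both permit 192.168.11.0/24 -> 192.100.86.0/24
CRYPTO_ACL_101 = [(INSIDE_NET, REMOTE_VPN)]
NONAT_ACL      = [(INSIDE_NET, REMOTE_VPN)]


def acl_permits(acl, src, dst):
    """True if any (source network, destination network) entry covers the flow."""
    return any(src in s and dst in d for s, d in acl)


def nat_exempt(src, dst):
    """nat (inside) 0 access-list nonat: identity translation for matching flows."""
    return src if acl_permits(NONAT_ACL, src, dst) else None


def static_xlate(src, dst):
    """static (inside,outside) aa.aa.124.165 192.168.11.193 255.255.255.255"""
    return STATIC_PUBLIC if src == INSIDE_SERVER else None


def dynamic_pat(src, dst):
    """nat (inside) 1 0.0.0.0 0.0.0.0 with global (outside) 1 interface"""
    return OUTSIDE_IF if src in INSIDE_NET else None


# Order Cisco documents for PIX 6.3: NAT exemption, then statics, then dynamic NAT/PAT.
PIX63_ORDER = [("nat 0", nat_exempt), ("static", static_xlate), ("nat/global", dynamic_pat)]
# Hypothetical order where the static wins; used to reproduce the reported symptom.
STATIC_FIRST = [("static", static_xlate), ("nat 0", nat_exempt), ("nat/global", dynamic_pat)]


def outbound(src, dst, order=PIX63_ORDER):
    """Translate an inside->outside flow and report whether it still matches
    the crypto map ACL afterwards (the PIX checks the ACL post-NAT)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for name, rule in order:
        xlated = rule(src, dst)
        if xlated is not None:
            break
    else:
        name, xlated = "none", src
    ipsec = acl_permits(CRYPTO_ACL_101, xlated, dst)
    return {"rule": name, "src_after_nat": str(xlated), "ipsec": ipsec}


if __name__ == "__main__":
    # Constructed flows: server and another inside host to the remote VPN LAN
    # and to an Internet host, under both evaluation orders.
    flows = [("192.168.11.193", "192.100.86.10"),
             ("192.168.11.193", "192.0.2.10"),
             ("192.168.11.50", "192.100.86.10"),
             ("192.168.11.50", "192.0.2.10")]
    for label, order in (("nat 0 first (PIX 6.3)", PIX63_ORDER), ("static first", STATIC_FIRST)):
        print(label)
        for s, d in flows:
            print(f"  {s} -> {d}: {outbound(s, d, order)}")
```

Under the exemption-first order the server's traffic to 192.100.86.0/24 keeps its 192.168.11.193 source and triggers the tunnel, while its traffic to the Internet uses the static, which is the behaviour the post wants. Under the static-first order the same VPN-bound flow leaves as 198.51.100.165, misses ACL 101 and never brings the tunnel up. On the real box, `show xlate` after a test ping from the server to the remote LAN shows which translation the packet actually took, which is a quick way to confirm the diagnosis before reading the ISAKMP debugs.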

3 Replies

j-block
Level 4

I don't think this is possible on the PIX. Have you tried it with any other firewall before?

cjacinto
Cisco Employee

What is the config of the IPsec peer of this PIX? It would be best to run debugs on the PIX as in:

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

to see where it is failing, and whether somehow the peer's IP address is different.

Cris,

The peer is a Check Point firewall. The VPN works when the STATIC command is not configured. Once I configured the translation for the server, the VPN ceased to initialise. Is there any sample configuration or documentation for this kind of setup? I have searched the Cisco web site but to no avail. I'll advise the customer to capture a debug log for this.

Thanks