Cisco Support Community
Community Member

Configuring VPN for a server that is also accessible from the Internet

Not sure if someone has already posted this question before; if so, please refer me to the link.

I am trying to configure a server to initiate a VPN tunnel to a remote server and at the same time allow the server to be accessible from the Internet. The problem is that once I configure static translation for the server 192.168.11.193, the VPN doesn't want to work. Please advise, because I am not very sure of the characteristics of PIX VPN.

The following is the configuration:

access-list 101 permit ip 192.168.11.0 255.255.255.0 192.100.86.0 255.255.255.0

access-list nonat permit ip 192.168.11.0 255.255.255.0 192.100.86.0 255.255.255.0

access-list 100 permit icmp any any

access-list 100 permit ip any host aa.aa.124.165 eq ssh

ip address outside aa.aa.124.164 255.255.255.0

ip address inside 192.168.11.1 255.255.255.0

static (inside,outside) aa.aa.124.165 192.168.11.193 255.255.255.255

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 cc.cc.124.1 1

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set cp-digi esp-3des esp-md5-hmac

crypto map peer-1 1 ipsec-isakmp

crypto map peer-1 1 match address 101

crypto map peer-1 1 set peer xx.xx.128.195

crypto map peer-1 1 set transform-set cp-digi

crypto map peer-1 interface outside

isakmp enable outside

isakmp key XXXXXX address xx.xx.128.195 netmask 255.255.255.255

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 86400

Thanks,

3 REPLIES
Community Member

Re: Configuring VPN for a server that is also accessible from th

I don't think this is possible on the PIX. Have you tried it with any other firewall before?

Cisco Employee

Re: Configuring VPN for a server that is also accessible from th

What is the config of the IPsec peer of this PIX? It would be best to run debugs on the PIX as in:

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

To see where it is failing, and if somehow the peer's IP address is different.

Community Member

Re: Configuring VPN for a server that is also accessible from th

Cris,

The peer is a Checkpoint Firewall. The VPN works when the STATIC command is not configured. Once I configure the translation for the server, the VPN ceases to initialise. Is there any sample configuration or documentation with this kind of setup? I have searched through the Cisco web site but to no avail. I'll advise the customer to capture a debug log for this.

Thanks
