Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX Setup Question

Hi,

Is there anything wrong with this setup. I have two legal ip addresses. One for the router and one for the external int of the pix. I need to have a nat 1 command for the entire internal network (this is not used yet but is setup). I need a static for the mail/www server "static (inside,outside) interface 10.0.0.2" so to speak. I need to allow in www,443 and 25 to this interface. I also need to allow microsoft vpn and cisco vpn. I have realised that I cannot create the above static as it stops the vpn from working so I have created 3 "static (inside,outside) interface 25 10.0.0.2 25" commands and then bound the access-list to the external interface. It all works but I am finding that internet on the desktops (that is via the proxy server 10.0.0.2) is seeming to hang every now and again - you can browse into a web page to about 4 layers and then nothing happens. If you close and reopen IE it works fine again.

Im pretty sure the clients are ok as this setup was just a static for the 10.0.0.2 machine (no vpn, nat and inbound ports) before and all worked fine,

I would appreciate any idea's anyone has

Thanks for your time

Andy.

2 REPLIES
Silver

Re: PIX Setup Question

static forwarding should not stop the vpn from working. What precisely is the static command you are trying to use?

Is sounds like the proxy server might have a problem, or perhaps your bandwidth utilization is high. PIXen really don't get involved in http traffic unless you have websense/n2h2 filtering enabled, or have java/activex blocking. Have you checked your connection counts on the pix? What model do you have? How many users use the proxy server?

New Member

Re: PIX Setup Question

I have:

nat (inside)1 10.0.0.0 255.255.0.0

global (outside) 1 interface

static (inside,outside) 1.1.1.1 25 10.0.0.2 25

static (inside,outside) 1.1.1.1 80 10.0.0.2 80

static (inside,outside) 1.1.1.1 443 10.0.0.2 443

access-list 101 permit tcp any host 1.1.1.1 eq smtp

access-list 101 permit tcp any host 1.1.1.1 eq http

access-list 101 permit tcp any host 1.1.1.1 eq 443

access-group 101 in interface outside

plus settings to allow pptp and cisco client to connect on 1.1.1.1

It all works including the vpn (apologies if I have written it down wrong as its from the top of my head but you get the idea) I was just wondering whether there was something strange happening with the nat command maybe?

The problem is just www browsing appears to timeout or something?

Thanks for your reply,

cheers

Andy

94
Views
0
Helpful
2
Replies
CreatePlease login to create content