Cisco Support Community

Static and VPN on external interface

Hi,

Can anyone tell me if it is possible (and if so, how) to have VPN enabled on the external interface and to have something like:

static (inside,outside) interface x.x.x.x

i.e., I have two IP addresses: one for the router and one for e0 on the PIX. I create a static and access-lists to allow inbound HTTP/HTTPS to the server inside, but I also want to allow VPN to hit e0 and work. My configs work if I use a 3rd IP address for the static but not if they share. I can imagine that the static takes the VPN traffic before the PIX can use it, OR that maybe, as the PIX has no route out now (due to the static), it cannot respond?

Hope I am making sense

Thanks for any time spent on this

cheers

Andy

Accepted Solutions

Re: Static and VPN on external interface

I believe you want something like this:

static (inside,outside) tcp interface http 10.10.10.10 http netmask 255.255.255.255 0 0 (where 10.10.10.10 is your web server)

static (inside,outside) tcp interface https 10.10.10.10 https netmask 255.255.255.255 0 0

access-list 101 permit tcp any host x.x.x.x eq 80 (where x.x.x.x is your interface IP)

access-list 101 permit tcp any host x.x.x.x eq 443

access-group 101 in interface outside

Hope it helps.

Steve
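
A configuration check for the pattern in this thread, as an added example (not code from the posters or from Cisco): it flags the one-to-one `static ... interface` form from the question, flags port redirects that take the firewall's own IPsec ports, and reports redirects with no matching ACL permit. The sample config is constructed, 192.0.2.1 stands in for x.x.x.x, and the function and finding names are hypothetical.

```python
import re

# UDP ports the firewall needs on its own outside address for IPsec VPN:
# IKE (500, which the CLI also accepts as "isakmp") and NAT-T (4500).
VPN_UDP_PORTS = {"500", "isakmp", "4500"}
PORT_NAMES = {"http": "80", "www": "80", "https": "443"}

STATIC_RE = re.compile(
    r"^static \((?P<real>\S+),(?P<mapped>\S+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+interface\s+(?P<port>\S+)\s+(?P<host>\S+)\s+\S+"
    r"|interface\s+(?P<whole_host>\S+))"
)
ACL_RE = re.compile(
    r"^access-list \S+ permit (?P<proto>tcp|udp) any host \S+ eq (?P<port>\S+)"
)

# Constructed sample: the question's form plus the answer's port redirects,
# with the https permit left out on purpose.
SAMPLE = """\
static (inside,outside) interface 10.10.10.10
static (inside,outside) tcp interface http 10.10.10.10 http netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.10.10.10 https netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 192.0.2.1 eq 80
access-group 101 in interface outside
"""


def audit_statics(config_text):
    """Return (findings, redirects) for statics bound to the interface address.

    Simplification: every permit line is assumed to belong to the ACL that is
    applied inbound on the outside interface.
    """
    findings, redirects, permitted = [], [], set()
    lines = [ln.strip() for ln in config_text.splitlines()]
    for ln in lines:
        m = ACL_RE.match(ln)
        if m:
            permitted.add((m["proto"], PORT_NAMES.get(m["port"], m["port"])))
    for ln in lines:
        m = STATIC_RE.match(ln)
        if not m:
            continue
        if m["whole_host"]:  # every port on the interface address is translated
            findings.append(("whole-interface-static", ln))
            continue
        port = PORT_NAMES.get(m["port"], m["port"])
        redirects.append((m["proto"], port, m["host"]))
        if m["proto"] == "udp" and m["port"] in VPN_UDP_PORTS:
            findings.append(("redirect-takes-vpn-port", ln))
        if (m["proto"], port) not in permitted:
            findings.append(("redirect-without-acl-permit", ln))
    return findings, redirects
```
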

2 REPLIES


Re: Static and VPN on external interface

Of course - that makes sense - I never thought to split it like that.

thanks again

Andy
