New Member

who can help (pix+nat 0+ vpn 4interfaces)

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

We have six interfaces on the PIX:

inside to outside => nat 0

inside to dmz1 => nat 0

inside to dmz2 => nat 3

dmz1 to internet => nat 0

When I dial up VPN from the internet to inside and ping dmz1, the dmz1 server replies once and then times out, and I can't use any service on dmz1. But inside to dmz1 is OK.

Other question: when I dial VPN to the PIX, will it work on the outside interface or ....

-- config --

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security70
nameif ethernet3 dmz2 security10
nameif ethernet4 intf4 security20
nameif ethernet5 failover security25
access-list acl_outside permit icmp any any
access-list acl_outside permit tcp any host lnksmtp eq smtp
access-list acl_outside permit tcp any host www eq www
access-list acl_outside permit tcp any host www1 eq www
access-list acl_outside permit udp any host dns eq domain
access-list acl_outside permit tcp any host adm eq pop3
access-list acl_outside permit ip any host lib
access-list acl_outside permit tcp any host adm eq smtp
access-list acl_outside permit tcp any host adm eq www
access-list acl_outside permit ip any host libe9
access-list acl_outside permit ip any host mri1
access-list acl_outside permit ip any host lib2
access-list acl_outside permit tcp any host dns eq telnet
access-list acl_outside permit ip any host video
access-list acl_inside permit icmp any any
access-list acl_inside deny ip 10.30.99.0 255.255.255.0 any
access-list acl_inside permit ip any any
access-list acl_dmz1 permit icmp any any
access-list acl_dmz1 permit ip any any
access-list acl_dmz2 permit icmp any any
access-list acl_dmz2 permit ip 10.0.0.0 255.0.0.0 10.253.253.0 255.255.255.0
access-list nat_outside permit ip 10.0.0.0 255.0.0.0 any
global (dmz2) 3 10.242.6.99
nat (inside) 0 access-list nat_outside outside
nat (inside) 3 10.0.0.0 255.0.0.0 0 0
nat (DMZ1) 0 access-list nat_outside outside
static (DMZ1,outside) 10.30.99.0 10.30.99.0 netmask 255.255.255.0 0 0
static (inside,DMZ1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,DMZ1) nnn.nn.n.0 nnn.nn.n.0 netmask 255.255.0.0 0 0
crypto ipsec transform-set c-des-md5 esp-des esp-md5-hmac
crypto dynamic-map cg 10 set transform-set c-des-md5
crypto map cgpeer 10 ipsec-isakmp dynamic cg
crypto map cgpeer client authentication ACS31
crypto map cgpeer interface outside
isakmp enable outside
isakmp client configuration address-pool local lk outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup lk address-pool ll
vpngroup lk dns-server 10.30.11.2
vpngroup lk wins-server 10.30.11.3
vpngroup lk idle-time 1800
vpngroup lk password ********

2 REPLIES
Silver

Re: who can help (pix+nat 0+ vpn 4interfaces)

Please post the following information:

VPN client type (Win2k, VPN3000, etc.)

The "sysopt connection permit-ipsec" and "sysopt route dnat" settings

The client IP pool addresses

PIX route statements

Thanks,

Mustafa

New Member

Re: who can help (pix+nat 0+ vpn 4interfaces)

Hi Mustafa,

1. Our VPN client is Win2k.

2. Settings:

no sysopt security fragguard
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
no sysopt connection permit-pptp
no sysopt connection permit-l2tp
no sysopt ipsec pl-compatible
no sysopt route dnat

lk-pix525# sh route
outside 0.0.0.0 0.0.0.0 192.168.3.254 1 OTHER static
failover 1.1.1.0 255.255.255.0 1.1.1.1 1 CONNECT static
inside 10.0.0.0 255.0.0.0 10.30.5.254 1 OTHER static
inside 10.30.5.0 255.255.255.0 10.30.5.11 1 CONNECT static
DMZ1 10.30.99.0 255.255.255.0 10.30.99.254 1 CONNECT static
dmz2 10.242.6.96 255.255.255.240 10.242.6.97 1 CONNECT static
dmz2 10.253.253.0 255.255.255.0 10.242.6.110 1 OTHER static
intf4 127.0.0.1 255.255.255.255 127.0.0.1 1 CONNECT static
inside 163.25.90.0 255.255.254.0 10.30.5.254 1 OTHER static
inside 163.25.92.0 255.255.252.0 10.30.5.254 1 OTHER static
inside 163.25.96.0 255.255.252.0 10.30.5.254 1 OTHER static
inside 163.25.100.0 255.255.255.0 10.30.5.254 1 OTHER static
inside 163.25.101.0 255.255.255.0 10.30.5.254 1 OTHER static
inside 163.25.114.0 255.255.254.0 10.30.5.254 1 OTHER static
inside 163.25.116.0 255.255.254.0 10.30.5.254 1 OTHER static
outside 192.168.3.0 255.255.255.0 192.168.3.253 1 CONNECT static

3. The IP pool is 10.30.99.20 ~220.

Thanks,

Richard_liu
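An added check, not code from the thread: it parses the `sh route` output and the client pool Richard posted and reports which routed subnets the pool range falls into, most specific first. A client pool that lands inside a subnet directly connected to another PIX interface is worth ruling out before chasing the NAT rules. The route lines below are a constructed excerpt of the posted table, and the `~220` shorthand is read as the last octet.

```python
import ipaddress

# Constructed sample: the relevant "sh route" lines and the pool as posted
# in the thread (failover, intf4 and 163.25.x routes omitted for brevity).
SH_ROUTE = """\
outside 0.0.0.0 0.0.0.0 192.168.3.254 1 OTHER static
inside 10.0.0.0 255.0.0.0 10.30.5.254 1 OTHER static
inside 10.30.5.0 255.255.255.0 10.30.5.11 1 CONNECT static
DMZ1 10.30.99.0 255.255.255.0 10.30.99.254 1 CONNECT static
dmz2 10.242.6.96 255.255.255.240 10.242.6.97 1 CONNECT static
outside 192.168.3.0 255.255.255.0 192.168.3.253 1 CONNECT static
"""
POOL = "10.30.99.20 ~220"  # shorthand as posted: first address, '~', last octet

def parse_routes(text):
    """Parse PIX 6.x 'show route' lines into (interface, network, CONNECT|OTHER)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # skip the prompt line and blanks
        iface, net, mask, _gw, _metric, kind = parts[:6]
        routes.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False), kind))
    return routes

def parse_pool(spec):
    """Expand '10.30.99.20 ~220' (or '10.30.99.20 ~ 10.30.99.220') into (first, last)."""
    first, last = (p.strip() for p in spec.split("~"))
    if "." not in last:  # bare last octet: reuse the first three octets
        last = first.rsplit(".", 1)[0] + "." + last
    return ipaddress.ip_address(first), ipaddress.ip_address(last)

def pool_overlaps(routes, first, last, tunnel_iface="outside"):
    """Routes whose prefix overlaps the pool, longest prefix first. The default
    route and routes on the tunnel-terminating interface are ignored."""
    hits = []
    for iface, net, kind in routes:
        if net.prefixlen == 0 or iface == tunnel_iface:
            continue
        if not (last < net.network_address or first > net.broadcast_address):
            hits.append((iface, str(net), kind))
    return sorted(hits, key=lambda h: ipaddress.ip_network(h[1]).prefixlen, reverse=True)

if __name__ == "__main__":
    lo, hi = parse_pool(POOL)
    for iface, net, kind in pool_overlaps(parse_routes(SH_ROUTE), lo, hi):
        print(f"pool {lo}-{hi} overlaps {kind} route {net} on {iface}")
```

With the posted values the most specific hit is the CONNECT route 10.30.99.0/24 on DMZ1; the 10.0.0.0/8 summary toward inside is reported too.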
