Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

IPSEC 1710 to Pix - Alias and Conduit effect

I'm trying to build a tunnel to our office in China.  Our site-to-site router is a 1710 and the target firewall is a Pix 5150.  I was able to successfully create the tunnel with an identical Pix router here in-house, but the main difference I am seeing is that the Pix at our China is employing an alias command and some conduits.  Seems like the outside interface IP is being translated internally to the Web server ip, so I am unsure as to whether it is effecting communication to our router on the outside.

Here is the code on the Pix router that I think may be effecting the connection:

alias (inside) 192.168.0.79 xxx.138.xxx.5 255.255.255.255

static (inside,outside) tcp xxx.138.xxx.5 ftp 192.168.0.2 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp xxx.138.xxx.5 25734 192.168.0.163 25734 netmask 255.255.255.255 0 0

static (inside,outside) tcp xxx.138.xxx.5 www 192.168.0.79 www netmask 255.255.255.255 0 0

static (inside,outside) tcp xxx.138.xxx.5 888 192.168.0.79 888 netmask 255.255.255.255 0 0

conduit permit tcp host xxx.138.xxx.5 eq ftp any

conduit permit tcp host xxx.138.xxx.5 eq www any

conduit permit tcp host xxx.138.xxx.5 eq 25734 any

conduit permit tcp host xxx.138.xxx.5 eq 888 any

conduit permit icmp any any

Will this effect an IPSEC tunnel?  If so, is there an entry I can make to allow a clear path of communication with between the site-to-site router and the PIX?

Thanks in advance!

1 REPLY

Re: IPSEC 1710 to Pix - Alias and Conduit effect

Your Alias command is applied to "inside" interface. It looks like just for changing DNS response for your internal Web Server from global IP to local IP so that the internal user would use internal IP to access this web server.

Conduit commands just permits the incoming traffic which are related to those static NATs.

So, both should not impact your VPN traffic. Just remember to add "sysopt connection permit-ipsec" to let your IPSec traffic in.

Since your China PIX is running a old cold, I would suggest you to run a testing in the lab before the implementation.

HTH

193
Views
0
Helpful
1
Replies
CreatePlease to create content