Cisco Support Community

IPSEC 1710 to Pix - Alias and Conduit effect

I'm trying to build a tunnel to our office in China. Our site-to-site router is a 1710 and the target firewall is a Pix 5150. I was able to successfully create the tunnel with an identical Pix router here in-house, but the main difference I am seeing is that the Pix at our China office is employing an alias command and some conduits. It seems like the outside interface IP is being translated internally to the Web server IP, so I am unsure as to whether it is affecting communication to our router on the outside.

Here is the code on the Pix router that I think may be affecting the connection:

alias (inside)

static (inside,outside) tcp ftp ftp netmask 0 0

static (inside,outside) tcp 25734 25734 netmask 0 0

static (inside,outside) tcp www www netmask 0 0

static (inside,outside) tcp 888 888 netmask 0 0

conduit permit tcp host eq ftp any

conduit permit tcp host eq www any

conduit permit tcp host eq 25734 any

conduit permit tcp host eq 888 any

conduit permit icmp any any

Will this affect an IPSEC tunnel? If so, is there an entry I can make to allow a clear path of communication between the site-to-site router and the PIX?

Thanks in advance!


Re: IPSEC 1710 to Pix - Alias and Conduit effect

Your alias command is applied to the "inside" interface. It looks like it is just for changing the DNS response for your internal Web server from the global IP to the local IP, so that internal users would use the internal IP to access this web server.

The conduit commands just permit the incoming traffic related to those static NATs.

So, both should not impact your VPN traffic. Just remember to add "sysopt connection permit-ipsec" to let your IPSec traffic in.

Since your China PIX is running old code, I would suggest you run a test in the lab before the implementation.
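
The reasoning in the reply above, as an added example that is not part of the thread and is not Cisco tooling: a Python check that flags only the configuration lines that could capture IKE or ESP on the tunnel endpoint, plus a missing `sysopt connection permit-ipsec`. The function name `audit`, the finding strings and every address are assumptions; the addresses are documentation placeholders, not the values elided from the post.

```python
# Constructed sample in PIX 6.x syntax. All addresses are documentation
# placeholders, not the values elided from the post.
SAMPLE = """\
alias (inside) 10.0.0.5 192.0.2.10 255.255.255.255
static (inside,outside) tcp 192.0.2.10 ftp 10.0.0.5 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.10 www 10.0.0.5 www netmask 255.255.255.255 0 0
conduit permit tcp host 192.0.2.10 eq ftp any
conduit permit tcp host 192.0.2.10 eq www any
conduit permit icmp any any
"""

IKE_PORTS = {"500", "isakmp"}  # IKE runs over UDP 500


def audit(config, outside_ip):
    """Return findings for lines that could affect IPsec terminating on outside_ip."""
    findings = []
    lines = [" ".join(l.split()) for l in config.splitlines() if l.strip()]
    for line in lines:
        tok = line.split()
        if tok[0] != "static" or len(tok) < 4:
            continue  # alias and conduit lines do not translate the peer address
        if tok[2] in ("tcp", "udp"):
            # Port redirect: static (in,out) proto global gport local lport ...
            if len(tok) < 5:
                continue
            proto, glob, gport = tok[2], tok[3], tok[4]
            if glob in (outside_ip, "interface") and proto == "udp" and gport in IKE_PORTS:
                findings.append("IKE redirected inside: " + line)
        elif tok[2] in (outside_ip, "interface"):
            # One-to-one static: covers every protocol on that address,
            # IKE (UDP 500) and ESP (IP protocol 50) included.
            findings.append("one-to-one static on tunnel endpoint: " + line)
    if "sysopt connection permit-ipsec" not in lines:
        findings.append("missing: sysopt connection permit-ipsec")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, "192.0.2.10"):
        print(finding)
```

On the constructed sample the TCP port redirects and conduits produce no finding; the only one reported is the missing `sysopt` line.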

