Hi Guys, would really appreciate some help with this one.
I have the following network topology:
Internet -- PIX 506 -- Cisco 2611 -- Network
At one of our sites we are implementing a VPN to a bank. The bank has installed a Cisco 2611 on the internal side of the PIX. The internal address of the router is simply 192.168.1.253. This has been configured with the address of the PIX as the gateway. A static route has been set up on the client PCs to direct traffic destined to the VPN address through the 2611. This then brings up the IPsec connection to the bank. The bank can see the VPN being established but the traffic is not getting back through the PIX to the 2611.
We are using static NAT so that the PIX changes the source address of the router to a routable address, and on return traffic statically translates the routable address back to the 2611. This seems to be causing the problem. The PIX config lines are:
static (inside,outside) 2xx.xx.xx.189 192.168.1.253 netmask 255.255.255.255 0 0
static (outside,inside) 192.168.1.253 2xx.xx.xx.189 netmask 255.255.255.255 0 0
I have access lists defined below:
access-list 101 permit tcp host xxx.xxx.xxx.182 host 2xx.xx.xx.189 eq 50
access-list 101 permit tcp host xxx.xxx.xxx.182 host 2xx.xx.xx.189 eq 51
access-list 101 permit udp host xxx.xxx.xx.182 host 2xx.xx.xx.189 eq isakmp
The first address in each line is the bank's address and the second address is the address that the PIX is giving to the packets generated by the 2611.
The bank have got this working this way through a Checkpoint firewall, but have never tried it on a PIX.
The VPN is then established through a browser on address 192.168.*.*. At the moment, though, it just times out.
PIX is using IOS 6.3 to allow outside NAT.
Does anyone have any ideas about this? Is the theory correct? Also, do I need any nat statements?
Or has anyone got any good ideas on how to achieve this another way?
Cheers
Kirby
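An added example (not part of Kirby's post and not Cisco code) that checks the three access-list lines above for the mistake that most often stops IPsec return traffic at a firewall: ESP and AH are IP protocols 50 and 51, not TCP ports, so a PIX line of the form "permit tcp ... eq 50" matches TCP port 50 and never the ESP packets the bank's router sends back to the static address. ISAKMP is UDP 500, which the third line already has right. The script parses host-to-host PIX access-list syntax, reports the findings, prints the corrected "permit esp" / "permit ah" form, and reports whether ESP and ISAKMP from the peer to the static address are both permitted. The sample lines are the ones from the post with the addresses masked exactly as posted (the bank address is constructed consistently as xxx.xxx.xxx.182); the function and constant names are this example's own.

```python
import re

# Facts the check relies on: ESP is IP protocol 50 and AH is IP protocol 51
# (neither carries ports), and ISAKMP/IKE runs over UDP port 500.
IP_PROTO_BY_NUMBER = {50: "esp", 51: "ah"}
ISAKMP_PORT = 500

# Host-to-host PIX access-list syntax, the shape used in the post.
ACL_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl(line):
    """Split one host-to-host access-list line into its fields."""
    m = ACL_RE.match(line.strip())
    if m is None:
        raise ValueError("unsupported access-list syntax: %r" % line)
    return m.groupdict()


def _port_number(port):
    """Map a PIX port token (number or well-known name) to an int, or None."""
    if port is None:
        return None
    if port.isdigit():
        return int(port)
    return {"isakmp": ISAKMP_PORT}.get(port)


def lint_ipsec_acl(line):
    """Return human-readable findings for ACL mistakes that break IPsec."""
    e = parse_acl(line)
    findings = []
    pnum = _port_number(e["port"])
    if e["proto"] in ("tcp", "udp") and pnum in IP_PROTO_BY_NUMBER:
        name = IP_PROTO_BY_NUMBER[pnum]
        findings.append(
            "%s is IP protocol %d, not %s port %d; permit protocol '%s' instead"
            % (name.upper(), pnum, e["proto"], pnum, name))
    if e["proto"] == "tcp" and pnum == ISAKMP_PORT:
        findings.append("ISAKMP is UDP port 500, not TCP")
    return findings


def fix_ipsec_acl(line):
    """Rewrite the line so the IPsec protocols are matched correctly."""
    e = parse_acl(line)
    pnum = _port_number(e["port"])
    if e["proto"] in ("tcp", "udp") and pnum in IP_PROTO_BY_NUMBER:
        # ESP/AH are matched by protocol name; no 'eq' clause applies.
        return "access-list %s %s %s host %s host %s" % (
            e["acl"], e["action"], IP_PROTO_BY_NUMBER[pnum], e["src"], e["dst"])
    if e["proto"] == "tcp" and pnum == ISAKMP_PORT:
        return "access-list %s %s udp host %s host %s eq isakmp" % (
            e["acl"], e["action"], e["src"], e["dst"])
    return line.strip()


def missing_ipsec_permits(lines, peer, local):
    """Which of ESP and ISAKMP from peer to local is NOT yet permitted."""
    have = set()
    for line in lines:
        e = parse_acl(line)
        if e["action"] != "permit" or e["src"] != peer or e["dst"] != local:
            continue
        if e["proto"] == "esp":
            have.add("esp")
        elif e["proto"] == "udp" and _port_number(e["port"]) == ISAKMP_PORT:
            have.add("isakmp")
    return sorted({"esp", "isakmp"} - have)


# Constructed sample: the three lines from the post, addresses masked as posted.
POSTED_ACL = [
    "access-list 101 permit tcp host xxx.xxx.xxx.182 host 2xx.xx.xx.189 eq 50",
    "access-list 101 permit tcp host xxx.xxx.xxx.182 host 2xx.xx.xx.189 eq 51",
    "access-list 101 permit udp host xxx.xxx.xxx.182 host 2xx.xx.xx.189 eq isakmp",
]
BANK_PEER = "xxx.xxx.xxx.182"   # the bank's VPN endpoint (masked)
PIX_STATIC = "2xx.xx.xx.189"    # static address the PIX gives the 2611 (masked)

if __name__ == "__main__":
    for line in POSTED_ACL:
        for f in lint_ipsec_acl(line):
            print("FINDING:", line, "->", f)
        print("FIXED:  ", fix_ipsec_acl(line))
    print("missing before:", missing_ipsec_permits(POSTED_ACL, BANK_PEER, PIX_STATIC))
    fixed = [fix_ipsec_acl(l) for l in POSTED_ACL]
    print("missing after: ", missing_ipsec_permits(fixed, BANK_PEER, PIX_STATIC))
```

Because ESP has no port numbers, a one-to-one static translation like the one in the post can carry it; the firewall still has to permit protocol esp (and udp/isakmp) inbound to the static address, which is what the corrected lines do. The same parser can be pointed at any host-to-host PIX access-list line, not just the three from the post.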