
NO VPN outbound to another PIX

Status
Not open for further replies.

br0ck

MIS
Apr 25, 2002
467
US
I have these access-lists but they don't work.

? any help ?

access-list 100 permit udp any any eq isakmp
access-list 100 permit esp any any

Brock D. Mowry, MCP
Hardware Specialist
iNECTA LLC
Miami, Fl
 
HI.

You are trying to VPN from a client behind your pix, to another pix device out there, right?

This will not work with PAT, but can work with NAT if you have enough addresses, or you'll need to map STATIC addresses to each vpn client.

In any case, you'll need some registered addresses.

Another option, if you have the latest PIX OS 6.2x and PDM 2.x: you can try to use the PIX itself as a VPN client, configuring it with the new "Easy VPN" client option (I have not tried it myself yet).

Bye
Yizhar Hurwitz
 
I have a range of public IPs that I can use.
Could you explain the proper way to set up the statics?
I am running 6.2(2) and I have never heard of "Easy VPN". Do you know of any docs on this?

Thanks for your help.

Brock D. Mowry, MCP
Hardware Specialist
iNECTA LLC
Miami, Fl
 
HI.

For internal clients to be able to VPN outbound, you can create a STATIC with an unused registered ip, the same way you configure a STATIC for internal server.

The "Easy VPN" option is new to all of us.
In general, the PIX will act as a proxy VPN client, so you won't need to install and establish VPN at the clients. The "VPN server" can be another PIX.
You can find a short description in the PDM HTML help.
You can search for more details on Cisco's web site (search also for the new "vpnclient" PIX command).

Bye
Yizhar Hurwitz
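The static suggested above, written out as an added PIX 6.2 configuration example (not from any post in this thread). All addresses are constructed from the RFC 5737 documentation ranges: outside interface 203.0.113.1/24, inside network 192.0.2.0/24, the inside VPN client at 192.0.2.50, and the remote VPN peer at 198.51.100.9. The host names and the access-list number 100 are likewise assumptions.

```cisco
! Added example, not the thread's own config.
! Outbound IPsec from one inside host through a PIX 6.2: give that host a
! one-to-one static instead of PAT, then permit the peer's IKE and ESP replies.

! Everyone else on the inside keeps using the PAT address.
global (outside) 1 203.0.113.2
nat (inside) 1 192.0.2.0 255.255.255.0 0 0

! One-to-one static for the VPN client. ESP carries no port numbers, so PAT
! has nothing to rewrite and cannot track it; a fixed 1:1 translation passes
! the ESP packets unchanged. Uses a registered address not used by PAT.
static (inside,outside) 203.0.113.50 192.0.2.50 netmask 255.255.255.255 0 0

! Inbound from the outside is denied by default, so the peer's replies need a
! permit: IKE (udp/500, "isakmp") and ESP (IP protocol 50). Restricted to the
! known peer and to the static host rather than "any any".
access-list 100 permit udp host 198.51.100.9 host 203.0.113.50 eq isakmp
access-list 100 permit esp host 198.51.100.9 host 203.0.113.50
access-group 100 in interface outside
```

Limiting the permits to the peer and the static host keeps the outside interface from accepting IKE or ESP towards every inside address, which is what `any any` would do once the PAT pool is included. If the PIX still uses conduit statements, the same two permits can be written as conduits instead; Cisco advises against mixing conduits and access-groups on one box.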
 
I am trying to permit an IP address to telnet to my server from the Internet, which is behind a Cisco firewall, but I am not permitted. My mail goes out and comes in without a problem. I am including some sample configuration for the firewall setup:

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
no names
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.10.2 255.255.255.0
ip address inside 192.168.101.199 255.255.255.0
arp timeout 14400
global (outside) 1 192.168.10.1
global (outside) 1 192.168.10.5-192.168.10.200 netmask 255.255.255.0
nat (inside) 1 192.168.101.0 255.255.255.0 0 0
static (inside,outside) 192.168.10.3 192.168.101.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.10.4 192.168.101.200 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 192.168.10.3 eq smtp any
conduit permit tcp host 192.168.10.4 eq ftp-data any
conduit permit udp host 192.168.10.4 eq 20 any
conduit permit tcp host 192.168.10.4 eq ftp any
conduit permit udp host 192.168.10.4 eq 21 any
conduit permit tcp host 192.168.10.4 eq telnet any
 