Static thru VPN

BADSBRD

IS-IT--Management
Dec 26, 2003
Here is my scenario.... I am trying to host a website from home, but using work's IP addresses. I have a Cisco VPN up from home to work, and I can see the site and server from work. I cannot see the site from the web.... My home network is 192.168.107.x, and work's is 10.1.x.x. I thought since I can ping my server from the PIX I would be able to map to it.

Here are the lines I added to the PIX to try to make it work:

access-list 100 permit icmp any any
access-list 100 permit tcp any host 198.x.x.50 eq www
access-list 100 permit tcp any host 198.x.x.50 eq https
access-list 100 permit tcp any host 198.x.x.50 eq smtp
access-list 100 permit tcp any host 198.x.x.50 eq pop3
access-list 100 permit tcp any host 198.x.x.50 eq domain

static (inside,outside) 198.x.x.50 192.168.107.5 netmask 255.255.255.255 0 0

route inside 192.168.107.0 255.255.255.0 10.1.1.101 1

What am I missing??

Rick
 
If your VPN terminates on the PIX at work, and if that same work PIX is also the device that you are trying to set the static up on, the answer is you cannot do it. The PIX cannot route. You are asking it to accept traffic at the external interface and send it back out the same interface in a tunnel. The PIX cannot send traffic out the same interface that it came in on. (VLANs, I believe, being an exception.)

If the VPN is separate from the PIX, the problem might be that your server at 192.168.107.5 has a different default route to the internet (as in it goes out your home firewall directly), and thus the client sees return traffic coming from a different address than it was expecting, and it is tossed aside.
 
My VPN uses a Cisco 831 at home connecting to a Cisco VPN 3000 Concentrator via IPSEC.

Our main router inside is 10.1.1.101, and the VPN is 10.1.1.102.

I just tried setting my GW to 10.1.1.101 (inside router), and also to 10.1.1.1 (inside PIX), and I still cannot connect to the server from the outside.
 
What is the default route on the 3000? Is your return traffic from your VPN going to the PIX, or back out the external interface? If the concentrator has its default route pointing externally, then on the PIX you might need to use reverse NAT or whatever they call it to NAT the source address with the firewall's inside address, so that your return traffic from the VPN makes it to the PIX.

Have you tried figuring out where the traffic is getting misplaced? On the 3000 look at your VPN connection stats while pinging your server. Do you see transmit and receive incrementing? Further isolate with a "debug icmp trace" on your PIX and/or make and use an appropriate access list on your 831.
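The two replies above describe the same failure mode from two angles: the static on the PIX untranslates the destination, but the reply only gets re-translated if the home server's reply actually comes back through the tunnel to the PIX, and the "reverse NAT" suggestion works because it makes the reply destination a 10.1.x.x address that the 831 will always tunnel. The following is an added example, not code from the thread, that models that path with a tiny stateful NAT and a route decision. Every address in it is constructed: 198.51.100.50 stands in for the post's 198.x.x.50, 10.1.1.1 is the PIX inside address mentioned in the thread, and the Internet client (203.0.113.10) and the home ISP public address (192.0.2.77) are hypothetical.

```python
"""
Added example (not from the thread): why a static NAT toward a host that is
only reachable through an IPsec tunnel depends on that host's default route,
and why source NAT ("reverse NAT") on the PIX removes that dependency.
All addresses are constructed stand-ins; see the lead-in above.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_VIP = "198.51.100.50"            # stand-in for the post's 198.x.x.50
SERVER = "192.168.107.5"                # home server behind the Cisco 831
PIX_INSIDE = "10.1.1.1"                 # PIX inside address (from the thread)
WORK_LAN = ip_network("10.1.0.0/16")    # "work's is 10.1.x.x"
HOME_LAN = ip_network("192.168.107.0/24")
HOME_ISP_PUBLIC = "192.0.2.77"          # hypothetical home public address (PAT)
CLIENT = "203.0.113.10"                 # hypothetical Internet client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def reply(self):
        return Packet(self.dst, self.src, self.dport, self.sport)


class Pix:
    """Stateful static NAT; optionally also source-NATs inbound traffic."""

    def __init__(self, source_nat=False):
        self.source_nat = source_nat
        self.conns = {}  # (translated src, sport) -> original client src (toy key)

    def inbound(self, pkt):
        # static (inside,outside) 198.x.x.50 192.168.107.5 : untranslate dst
        if pkt.dst != PUBLIC_VIP:
            return pkt
        out = replace(pkt, dst=SERVER)
        if self.source_nat:
            # "reverse NAT": hide the client behind the PIX inside address so the
            # server's reply is addressed into 10.1.x.x and must come back here
            self.conns[(PIX_INSIDE, pkt.sport)] = pkt.src
            out = replace(out, src=PIX_INSIDE)
        return out

    def outbound(self, pkt):
        # reverse of the static: server source becomes the public address, and a
        # source-NATed client address is restored from the connection table
        out = replace(pkt, src=PUBLIC_VIP) if pkt.src == SERVER else pkt
        if out.dst == PIX_INSIDE:
            out = replace(out, dst=self.conns[(PIX_INSIDE, out.dport)])
        return out


def server_next_hop(pkt, default_via_tunnel):
    """The 831 always tunnels 10.1.x.x; everything else follows its default route."""
    dst = ip_address(pkt.dst)
    if dst in WORK_LAN or dst in HOME_LAN:
        return "tunnel"
    return "tunnel" if default_via_tunnel else "home_isp"


def simulate(default_via_tunnel, source_nat=False):
    """Send one HTTP SYN from the client and report whether the reply is usable."""
    pix = Pix(source_nat=source_nat)
    req = Packet(CLIENT, PUBLIC_VIP, 40000, 80)
    at_server = pix.inbound(req)      # route inside 192.168.107.0 -> 10.1.1.101 -> tunnel
    reply = at_server.reply()
    hop = server_next_hop(reply, default_via_tunnel)
    if hop == "tunnel":
        on_wire = pix.outbound(reply)                   # back through the concentrator to the PIX
    else:
        on_wire = replace(reply, src=HOME_ISP_PUBLIC)   # home router PAT; the PIX never sees it
    # The client only matches the reply if it comes from the address:port it sent to.
    accepted = (on_wire.src, on_wire.sport, on_wire.dst) == (req.dst, req.dport, req.src)
    return {"reply_path": hop, "reply_src": on_wire.src, "client_accepts": accepted}


if __name__ == "__main__":
    for tunnel_default, snat in ((True, False), (False, False), (False, True)):
        print(f"default via tunnel={tunnel_default} source_nat={snat}: "
              f"{simulate(tunnel_default, snat)}")
```

Running it shows the three situations in the thread: with the home side defaulting into the tunnel the reply is re-translated to the public address and the client accepts it; with the home side defaulting to its own ISP the reply leaves with the home public address and the client drops it; with source NAT on the PIX the reply is addressed to 10.1.1.1, is tunnelled regardless of the default route, and is untranslated on the way out. The connection table is keyed only on the source port, which is enough for one flow in this model but not for a real translation table.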
