I know sometimes global (outside) 1 interface does not work.
Make sure you have the correct PIX IOS version, or just upgrade to a different
PIX software version. 5.2(5) should be a good choice.

Here is the edited version of the working config.




access-list 100 permit ip 10.5.1.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list 110 permit ip 10.5.1.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list acl_out permit icmp any any

interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 128.32.5.98 255.255.255.0
ip address inside 10.5.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.5.1.0 255.255.255.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 128.32.5.97 1
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set standard esp-des esp-md5-hmac
crypto map peer_map 10 ipsec-isakmp
crypto map peer_map 10 match address 110
crypto map peer_map 10 set peer 128.32.19.194
crypto map peer_map 10 set transform-set standard
isakmp enable outside
isakmp key 123456 address 128.32.19.194 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600





-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 11:02 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX with PAT and VPN [7:23490]


I got the same access-lists on both sides and they have been verified by
other people.  I know this will not take me down.

If you can e-mail me the config it would be great!  I would like to see how
it works in real life.  So far 2 ISPs have failed to give me a working
config.  Everything is theoretical and promises but it doesn't work like
Checkpoint.

What I am fearing is that it is the command "Global (outside) 1 interface"
that is giving me the grief.  I think that I will need another IP address
for PAT instead of using the same IP for the interface and PAT.  In your
response, you said that the negotiation is between (a) public IP address.
Yes this is true, but what if it is the same as the interface?

So far I have only seen this work with a pool of public IPs.

Hansraj Patil wrote:
>
> I have seen this working. You have to use
>
> nat (inside) 0 access-list 101.
>
> The IPSec & IKE negotiation is between public IP addresses. So the question
> of port limitation does not arise. The internal IP addresses are not
> involved in IPSec negotiation. You use the above statement to avoid routing
> problems between the two LAN segments.
>
> Just make sure the access-list is a mirror image on both peers.
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 22, 2001 1:41 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX with PAT and VPN [7:23490]
>
>
> I tried this and it did not work.   When IPSEC negotiates a VPN session
> between the two PIXs, it will PAT an internal device from Network A as
> 206.112.71.5 and use 206.112.71.5:500 for the negotiation.  Once another
> device wishes to access a device behind 206.112.71.6, it will have to use
> 206.112.71.5:500 as well.  Cisco IPSEC will only allow one port 500 per IP.
> This means the original device will be moved from port 500 to a different
> port.  IPSEC only uses port 500 for the negotiation and therefore the
> original connection fails.
>
> I did as you said but I added another command like this.
>
> Global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> Nat (inside) 0 access-list 101
>
> Access-list 101 is the traffic to be encrypted.  I have tried not to use PAT
> with encrypted data because of the IP:Port limitation problem.  However, it
> still won't work.
>
> Any more suggestions?
>
> [EMAIL PROTECTED] wrote:
> >
> > With PIX you must have one legal address for the outside interface on BOTH
> > PIXs.  That's actually enough to do what you want to do.  Say that your
> > legal address on PIX1 is 206.112.71.5/30.  Go to PIX2 startup ipsec and
> > input "isakmp key 'your key' address 206.112.71.5".  Then input "crypto
> > map 'your map-name' 'your sequence number' set peer 206.112.71.5"
> > Say that your legal address on PIX2 is 206.112.71.6/30.  Go to PIX1 startup
> > ipsec and input "isakmp key 'your key' address 206.112.71.6".  Then input
> > "crypto map 'your map-name' 'your sequence number' set peer 206.112.71.6"
> >
> > Now on PIX1 input nat (inside) 1 0.0.0.0 0.0.0.0 0 0.    Then input global
> > (outside) 1 206.112.71.5
> > Now on PIX2 input nat (inside) 1 0.0.0.0 0.0.0.0 0 0.    Then input global
> > (outside) 1 206.112.71.6
> > Now just complete your isakmp and crypto-map settings and you will be doing
> > one single VPN between peers and PAT to the Internet.  That's the best you
> > can do on PIX with only a 30 bit legal subnet mask.
> >
> > John Squeo
> > Technical Specialist
> > Papa John's Corporation
> > (502) 261-4035
> >
> >
> >
> >
> > From: "Theodore stout"
> > To: [EMAIL PROTECTED]
> > Subject: PIX with PAT and VPN [7:23490]
> > Sent by: nobody@groupstudy.com
> > Date: 10/19/01 02:23 AM
> > Please respond to "Theodore stout"
> >
> > Hello everyone.
> >
> > I am trying to implement 2 Internet connectivity solutions while at the
> > same time creating 2 VPN solutions between two sites.  What I would like
> > to do is use a PIX 515 at both sites, tunnel IPSEC between the sites and
> > still have normal access to the Internet.
> >
> > My problem is that I only have one IP address per site.  In all of the
> > solutions provided by Cisco, I would need a pool of registered IP
> > addresses for NAT.  PAT is not even possible.
> >
> > I know that this VPN-PAT-FW1FW1-PAT-VPN solution is available with
> > Checkpoint.  However, I would prefer a Cisco only solution.
> >
> > Any suggestions?
> >
> > Theodore Stout
> > Security Engineer
> > CCSE, CCNA, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24039&t=23490
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
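As an added example (not the poster's config and not a Cisco tool), a small Python checker for the two conditions this thread turns on: the nat (inside) 0 access-list exemption must cover every subnet pair in the crypto map's match address ACL, so tunnel traffic is never PATed behind the outside interface address, and the peer's crypto ACL must be the mirror image of ours. The two sample configs are constructed, modelled on the working config posted at the top of the thread.

```python
import ipaddress
import re

# Constructed sample configs (not the poster's own text), modelled on the working config above.
LOCAL_CFG = """
access-list 100 permit ip 10.5.1.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list 110 permit ip 10.5.1.0 255.255.255.0 10.5.0.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map peer_map 10 match address 110
"""
REMOTE_CFG = """
access-list 100 permit ip 10.5.0.0 255.255.255.0 10.5.1.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map peer_map 10 match address 100
"""
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acls(config):
    """Map ACL name -> list of (src_net, dst_net) taken from 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            src = ipaddress.ip_network(f"{s}/{sm}", strict=False)
            dst = ipaddress.ip_network(f"{d}/{dm}", strict=False)
            acls.setdefault(name, []).append((src, dst))
    return acls

def acl_named_by(config, pattern):
    # Name of the ACL referenced by a matching 'nat 0' or 'match address' line, or None.
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None

def check_peer_configs(local, remote):
    """Return a list of problems; an empty list means the two configs are consistent."""
    problems, crypto = [], {}
    for label, cfg in (("local", local), ("remote", remote)):
        acls = parse_acls(cfg)
        n0 = acl_named_by(cfg, r"^nat \(inside\) 0 access-list (\S+)$")
        cr = acl_named_by(cfg, r"^crypto map \S+ \d+ match address (\S+)$")
        crypto[label] = set(acls.get(cr, []))
        # Every pair to be encrypted must also be NAT-exempt, or PAT rewrites it to the outside address.
        for src, dst in crypto[label]:
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acls.get(n0, [])):
                problems.append(f"{label}: {src} -> {dst} is in the crypto ACL but not in nat 0")
    # The peer's crypto ACL must be the mirror image (src and dst swapped) of ours.
    if crypto["local"] != {(d, s) for s, d in crypto["remote"]}:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```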