Hello, normally I wouldn't ask this, but Cisco's documentation on the PIX is far from acceptable.

What I am trying to do is simple. I have a PIX 501 here with a single public static IP on the outside and a private network in the range of 10.251.35.0/24. The PIX is set up to NAT the internal network out to the internet... This works fine. It also has a functional IPsec tunnel to a Cisco VPN concentrator, which works just dandy. The folks at the main site have requested that I open port 80 for web access internally. Noting that the network inside is PAT'd, there will have to be a 'static' map to make this function... right..

I won't paste the entire config here unless requested, but will give you the basic rundown. I use access-list 101 to define two different subnets just to define interesting traffic for my crypto map. That works just fine. If my external IP is 192.168.1.1, I (according to CCO and PIX configuration books) have to:

Add a static mapping as such:

    static (inside,outside) 192.168.1.1 10.251.35.1

(I've done a few variants of this.) Then enforce this with an ACL as such:

    access-list 102 permit tcp any host 192.168.1.1 eq www

then

    access-group 102 in interface outside

to apply it.

Now if I do this, it drops everything. I run logging console debugging and see tons and tons of drops for TCP, UDP and IPsec. All network connectivity comes to a total halt. So I tried to implement the ACL the old way I do my Ciscos, to make sure, by allowing ip any any and protocol 50 any any. - Nothing. I also get a huge mess of errors stating that port mapping has failed; both IPs are correct and reachable. I've tried everything I can think of, but the thing will not behave. Conduits and ACLs. Once again, I won't touch my crypto map ACL because I don't want it futzing with my tunnel, and it makes very little sense to me.

Has anyone gotten this kind of "static" mapping working in a PAT'd/IPsec'd system? If so, how? I will provide any needed information upon request. Thanks a bunch in advance for any interest.
eo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48886&t=48886
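As an added example (not the poster's configuration or a reply from the list), here is the port-level form of the static that PIX OS 6.2 and later accept, using the post's own placeholder addresses. It assumes the outside address is the PAT address (global (outside) 1 interface) and that sysopt connection permit-ipsec is still at its default; the comments explain why a one-to-one static on the PAT address is the usual cause of the "port mapping failed" errors described above.

```cisco
! Added example, not the original poster's config. Assumes PIX OS 6.2+
! (port redirection syntax) and that the outside address is also the
! PAT address. Addresses are the placeholders used in the post.
!
! Existing PAT for the inside network (unchanged)
nat (inside) 1 10.251.35.0 255.255.255.0
global (outside) 1 interface
!
! Map only TCP/80 on the outside address to the internal web host.
! A one-to-one "static (inside,outside) 192.168.1.1 10.251.35.1" hands
! the whole PAT address to that host, so every other outbound
! translation fails (the "portmap translation" errors); the port-level
! form leaves the rest of the address to PAT and the IPsec peer.
static (inside,outside) tcp interface www 10.251.35.1 www netmask 255.255.255.255 0 0
!
! Permit only HTTP inbound to the mapped address; everything else
! arriving on outside remains denied by the ACL's implicit deny.
access-list 102 permit tcp any host 192.168.1.1 eq www
access-group 102 in interface outside
!
! Crypto map access-list 101 is left untouched. Decrypted tunnel
! traffic bypasses access-group 102 only while this default is set;
! if tunnel traffic stops after applying the ACL, check it first:
sysopt connection permit-ipsec
!
! Flush existing translations so stale xlates built under the old
! static do not linger, then verify the new mapping:
clear xlate
show xlate
show access-list 102
```

The show access-list hit counts are the quickest way to confirm whether inbound web requests are matching the permit line or falling through to the implicit deny.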