Hello,
Normally I wouldn't ask this, but Cisco's documentation on the PIX is far from acceptable.
What I am trying to do is simple. I have a PIX 501 here with a single public static IP on the outside and a private network in the range of 10.251.35.0/24. The PIX is set up to NAT the internal network out to the internet... This works fine. It also has a functional IPsec tunnel to a Cisco VPN concentrator, which works just dandy. The folks at the main site have requested that I open port 80 for web access internally. Noting that the network inside is PAT'd, there will have to be a 'static' map to make this function... right?
I won't paste the entire config here unless requested, but will give you the basic rundown.
I use access-list 101 to define two different subnets just to define
interesting traffic for my crypto map. That works just fine.
If my external IP is 192.168.1.1, I (according to CCO and PIX configuration books) have to:
Add a static mapping as such:
static (inside,outside) 192.168.1.1 10.251.35.1 (I've done a few variants of this)
Then enforce this with an ACL as such:
access-list 102 permit tcp any host 192.168.1.1 eq www
then
access-group 102 in interface outside to apply it.
Now if I do this, it drops everything. I run logging console debugging and see tons and tons of drops for TCP, UDP and IPsec. All network connectivity comes to a total halt.
So I tried to implement the ACL the old way I do my Ciscos, to make sure, by allowing ip any any and protocol 50 any any. Nothing.
I also get a huge mess of errors stating that port mapping has failed; both IPs are correct and reachable.
I've tried everything I can think of, but the thing will not behave. Conduits and ACLs. Once again, I won't touch my crypto map ACL because I don't want it futzing with my tunnel, and it makes very little sense to me.
Has anyone gotten this kind of "static" mapping working in a PAT'd/IPsec'd system? If so, how?
I will provide any needed information upon request.
Thanks a bunch in advance for any interest.
eo
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48886&t=48886
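As an added example (editor's own configuration fragment, not part of the post above or any vendor documentation), the conventional way to publish one inside web server behind a PIX 501 whose only public address is also the PAT address and the IPsec tunnel endpoint: a port-level static on the interface address instead of a full-address static, an inbound ACL that permits only the web traffic, and the sysopt that keeps the tunnel outside the ACL. It assumes PIX OS 6.2 or later (port redirection support) and reuses the addresses given in the post.

```cisco
! Added example, not from the post: publish TCP/80 on a PIX 501 that shares its
! single outside address between PAT, an IPsec tunnel and one inside web server.
! Assumption: PIX OS 6.2+; outside = 192.168.1.1, web server = 10.251.35.1 (from the post).
!
! Existing PAT, unchanged: all inside hosts leave as the outside interface address.
global (outside) 1 interface
nat (inside) 1 10.251.35.0 255.255.255.0 0 0
!
! A full-address static would claim the only public address for one host and
! collide with the PAT that already uses it, which is where "port mapping failed"
! style errors and the loss of all other translations come from. Do NOT use:
!   static (inside,outside) 192.168.1.1 10.251.35.1 netmask 255.255.255.255
!
! Instead, redirect only TCP/80 arriving on the interface address to the server;
! every other port stays available to PAT and to the PIX itself.
static (inside,outside) tcp interface www 10.251.35.1 www netmask 255.255.255.255 0 0
!
! Permit only the web traffic inbound. Once access-group binds this ACL, all other
! unsolicited inbound traffic on outside is denied; return traffic for PAT'd
! outbound sessions is still allowed by the existing xlate/connection state.
access-list 102 permit tcp any host 192.168.1.1 eq www
access-group 102 in interface outside
!
! Let ISAKMP/ESP to the PIX and traffic decrypted from the tunnel bypass
! access-list 102, so the existing tunnel to the concentrator keeps working
! without punching it through the ACL by hand.
sysopt connection permit-ipsec
!
! Checks after applying:
!   show xlate            -> a PAT entry for 10.251.35.1/80 on the interface address
!   show access-list 102  -> hit count increments on an inbound web connection
!   show crypto isakmp sa -> the tunnel is still established
```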
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]