Hi,

Assuming you only have one IP on the external interface, try the following:

global (outside) 10 interface
nat (inside) 10 0 0
static (inside,outside) tcp interface www www netmask 255.255.255.255
access-list out-in permit tcp any host eq www

Of course this would be to allow people on the Internet to access a WWW server on the external IP address, which is your single routable IP. But it sounds like the trouble you're having is with users reaching your web server over a VPN tunnel?? Is this correct? If so I would suspect you haven't got a "NAT 0" statement to not NAT packets from your web server to the far side of the tunnel... basically, without seeing your config, you need to have a line of code that tells the PIX what traffic not to NAT, specifically traffic that is going into the VPN tunnel to the far side. This can be the same access-list that you define for traffic that will bring up the tunnel - using the line of code like such:

nat (inside) 0 access-list NONAT
access-list NONAT permit ip mask mask

Hope this helps.

C

-----Original Message-----
From: eo [mailto:[EMAIL PROTECTED]]
Sent: 16 July 2002 04:56
To: [EMAIL PROTECTED]
Subject: Pix internal access [7:48886]

Hello,

Normally I wouldn't ask this, but Cisco's documentation on the PIX is far from acceptable. What I am trying to do is simple. I have a PIX 501 here with a single public static IP on outside and a private network in the range of 10.251.35.0/24. The PIX is set up to NAT the internal network out to the Internet... This works fine. It also has a functional IPsec tunnel to a Cisco VPN concentrator which works just dandy. The folks at the main site have requested that I open port 80 for web access internally. Noting that the network inside is PAT'd, there will have to be a 'static' map to make this function... right.. I won't paste the entire config here unless requested but will give you the basic rundown. I use access-list 101 to define two different subnets just to define interesting traffic for my crypto map. That works just fine.
If my external IP is 192.168.1.1, I (according to CCO and PIX configuration books) have to:

Add a static mapping as such:
static (inside,outside) 192.168.1.1 10.251.35.1
(I've done a few variants of this)

Then enforce this with an ACL as such:
access-list 102 permit tcp any host 192.168.1.1 eq www
then
access-group 102 in interface outside
to apply it.

Now if I do this, it drops everything. I run logging console debugging and see tons and tons of drops for TCP, UDP and IPsec. All network connectivity comes to a total halt. So I tried to implement the ACL like the old way I do my Ciscos, to make sure, by allowing ip any any and protocol 50 any any. - Nothing. I also get a huge mess of errors stating that port mapping has failed; both IPs are correct and reachable. I've tried everything I can think of but the thing will not behave. Conduits and ACLs. Once again, I won't touch my crypto map ACL because I don't want it futzing with my tunnel, and it makes very little sense to me. Has anyone gotten this kind of "static" mapping working in a PAT'd/IPsec'd system? If so, how? I will provide any needed information upon request.

Thanks a bunch in advance for any interest.

eo

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept for the presence of computer viruses.

For more information contact [EMAIL PROTECTED]
phone + 353 1 4093000
fax + 353 1 4093001
**********************************************************************

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48893&t=48886
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
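Putting the reply's two pieces of advice together for the addresses eo gives (outside 192.168.1.1, inside 10.251.35.0/24, web server 10.251.35.1), here is an added PIX 6.x configuration sketch that is not from either poster. The remote VPN subnet 10.0.0.0/24 is a placeholder, the `sysopt` line is my assumption about why applying the outside ACL also dropped the IPsec traffic itself, and the comment lines are mine.

```text
! --- What the original post tried: a one-to-one static that claims the
! --- outside interface's own address. On a single-IP PIX that address is
! --- already in use by the interface and the PAT global, so the mapping
! --- overlaps them and the port-mapping errors in the post follow.
! static (inside,outside) 192.168.1.1 10.251.35.1 netmask 255.255.255.255

! --- Port-level static instead (the "static ... tcp interface" form the
! --- reply suggests): only TCP/80 arriving on the outside interface IP is
! --- redirected to the inside web server; all other traffic keeps using PAT.
global (outside) 10 interface
nat (inside) 10 0 0
static (inside,outside) tcp interface www 10.251.35.1 www netmask 255.255.255.255 0 0

! --- Outside ACL: permit only HTTP to the outside address. Nothing else
! --- from the Internet is allowed in; the ACL is applied inbound on outside.
access-list out-in permit tcp any host 192.168.1.1 eq www
access-group out-in in interface outside

! --- Assumption: let IPsec-protected traffic bypass the outside ACL so the
! --- tunnel itself (ISAKMP, ESP) does not get dropped once the ACL is applied.
sysopt connection permit-ipsec

! --- NAT exemption ("NAT 0") for traffic going into the tunnel, so the far
! --- side reaches 10.251.35.1 by its real address instead of a PAT address.
! --- This can be the same list that defines interesting traffic for the
! --- crypto map. 10.0.0.0/24 is a placeholder for the remote site's subnet.
access-list NONAT permit ip 10.251.35.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Traffic from 10.251.35.0/24 to the placeholder remote subnet is matched by NONAT first and leaves untranslated; everything else from inside is PAT'd to the interface address, and only TCP/80 from the Internet is accepted and redirected to the web server.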

