PIX 7.0 VPN users accessing DMZ Servers with IP Static NAT to Inside

Another issue I have with Cisco PIX 7.0.

I have a server connecting to the PIX DMZ interface with the IP of 172.17.1.1. This server is translated to an Inside IP 10.1.1.1 and to an Outside internet routable IP.

When VPN users connect from outside, they want to access the DMZ server via the 10.1.1.1 IP not the 172 IP.

They are able to connect to any host on the inside but unable to connect to the translated IP.

This is the static statement.
static (dmz,inside) 10.1.1.1 172.17.1.1 netmask 255.255.255.255

My Networks
Inside : 10.1.1.0/24
DMZ : 172.17.1.0/24
VPN Pool : 192.168.0.0/24

I posted this question at Cisco NetPro forum, and I got this reply,

Continue reading “PIX 7.0 VPN users accessing DMZ Servers with IP Static NAT to Inside”

Multiple Use of ACL for PDM

access-list 90 permit ip host 203.X.X.X host 202.X.X.X1
access-list 90 permit ip host 203.X.X.X host 202.X.X.X2
nat (inside) 0 access-list 90
crypto dynamic-map dyna 20 match address 90

Guess what.. PDM won’t work with the above commands. The error I got was: “PDM do not support multiple uses of access list”

oohh.. man. I created the same ACL again but with another name and use it for the crypto.

L2TP over IPsec

Configuring L2TP over IPSec for both Cisco PIX and Cisco Router on the Customer side.

Tricky things uncovered.
According to the documentation provided on how the L2TP is to be configured:

vpdn enable

!

vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname BB-GGSN1
local name CPE-L2TP-Router
l2tp tunnel password 0 secret
!

interface Virtual-Template1
ip unnumbered FastEthernet0
peer default ip address pool l2tp-pool01
ppp authentication pap
!

ip local pool l2tp-pool01 10.9.2.201 10.9.2.220

For the curious souls like me, how the hell the router knows who’s BB-GGSN1.. so I added:

Continue reading “L2TP over IPsec”