Another issue I have with Cisco PIX 7.0.
I have a server connected to the PIX DMZ interface with the IP 172.17.1.1. This server is translated to an inside IP of 10.1.1.1 and to an outside, Internet-routable IP.
When VPN users connect from outside, they want to access the DMZ server via the 10.1.1.1 IP, not the 172 IP.
They are able to connect to any host on the inside but unable to connect to the translated IP.
This is the static statement:
static (dmz,inside) 10.1.1.1 172.17.1.1 netmask 255.255.255.255
Inside: 10.1.1.0/24
DMZ: 172.17.1.0/24
VPN Pool: 192.168.0.0/24
I posted this question on the Cisco NetPro forum, and I got this reply:
Continue reading “PIX 7.0 VPN users accessing DMZ Servers with IP Static NAT to Inside”
access-list 90 permit ip host 203.X.X.X host 202.X.X.X1
access-list 90 permit ip host 203.X.X.X host 202.X.X.X2
nat (inside) 0 access-list 90
crypto dynamic-map dyna 20 match address 90
Guess what... PDM won’t work with the above commands. The error I got was: “PDM do not support multiple uses of access list”
Oh, man. I created the same ACL again under another name and used that one for the crypto map.
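As an added example (not code from the post), a small Python checker that finds access lists referenced by more than one PIX command, which is the situation PDM rejected here, and produces the renamed copy that the workaround needs. The sample config reuses the post's own lines; the command patterns are assumptions about PIX 7.0 syntax.

```python
import re
from collections import defaultdict

# Sample config: the four commands quoted in the post (X placeholders kept as-is).
SAMPLE_CONFIG = """
access-list 90 permit ip host 203.X.X.X host 202.X.X.X1
access-list 90 permit ip host 203.X.X.X host 202.X.X.X2
nat (inside) 0 access-list 90
crypto dynamic-map dyna 20 match address 90
"""

# Commands that consume an ACL by name (assumed PIX 7.0 syntax); group 1 is the name.
ACL_USERS = [
    re.compile(r"^nat \(\S+\) 0 access-list (\S+)"),
    re.compile(r"^crypto (?:dynamic-)?map \S+ \d+ match address (\S+)"),
    re.compile(r"^access-group (\S+) in interface"),
]


def acl_uses(config: str) -> dict:
    """Map each ACL name to the list of commands that reference it."""
    uses = defaultdict(list)
    for line in config.splitlines():
        line = line.strip()
        for pat in ACL_USERS:
            m = pat.match(line)
            if m:
                uses[m.group(1)].append(line)
    return dict(uses)


def multi_use_acls(config: str) -> dict:
    """ACLs referenced by more than one command: the case PDM refuses to load."""
    return {name: cmds for name, cmds in acl_uses(config).items() if len(cmds) > 1}


def clone_acl(config: str, old: str, new: str) -> list:
    """Return the entries of ACL `old` rewritten under the name `new`.

    This is the workaround from the post: a second, identically populated ACL
    so that nat 0 and the crypto map each reference their own list.
    """
    prefix = f"access-list {old} "
    return [f"access-list {new} " + line.strip()[len(prefix):]
            for line in config.splitlines() if line.strip().startswith(prefix)]
```

Apply the cloned entries and repoint the `match address` line at the new name; the checker then reports no multi-use ACLs.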
Configuring L2TP over IPsec for both a Cisco PIX and a Cisco router on the customer side.
Tricky things uncovered.
According to the documentation provided on how L2TP is to be configured:
terminate-from hostname BB-GGSN1
local name CPE-L2TP-Router
l2tp tunnel password 0 secret
ip unnumbered FastEthernet0
peer default ip address pool l2tp-pool01
ppp authentication pap
ip local pool l2tp-pool01 10.9.2.201 10.9.2.220
For curious souls like me: how the hell does the router know who BB-GGSN1 is? So I added:
Continue reading “L2TP over IPsec”