PIX 7.0 VPN users accessing DMZ Servers with IP Static NAT to Inside

Another issue I have with Cisco PIX 7.0.

I have a server connecting to the PIX DMZ interface with the IP of This server is translated to an Inside IP and to an Outside internet routable IP.

When VPN users connect from outside, they want to access the DMZ server via the IP not the 172 IP.

They are able to connect to any host on the inside but unable to connect to the translated IP.

This is the static statement.
static (dmz,inside) netmask

My Networks
Inside :
VPN Pool :

I posted this question at Cisco NetPro forum, and I got this reply,

Continue reading “PIX 7.0 VPN users accessing DMZ Servers with IP Static NAT to Inside”

Multiple Use of ACL for PDM

access-list 90 permit ip host 203.X.X.X host 202.X.X.X1
access-list 90 permit ip host 203.X.X.X host 202.X.X.X2
nat (inside) 0 access-list 90
crypto dynamic-map dyna 20 match address 90

Guess what.. PDM won’t work with the above commands. The error I got was: “PDM do not support multiple uses of access list”

oohh.. man. I created the same ACL again but with another name and use it for the crypto.

L2TP over IPsec

Configuring L2TP over IPSec for both Cisco PIX and Cisco Router on the Customer side.

Tricky things uncovered.
According to the documentation provided on how the L2TP is to be configured:

vpdn enable


vpdn-group 1
protocol l2tp
virtual-template 1
terminate-from hostname BB-GGSN1
local name CPE-L2TP-Router
l2tp tunnel password 0 secret

interface Virtual-Template1
ip unnumbered FastEthernet0
peer default ip address pool l2tp-pool01
ppp authentication pap

ip local pool l2tp-pool01

For the curious souls like me, how the hell the router knows who’s BB-GGSN1.. so I added:

Continue reading “L2TP over IPsec”