pix, vpn and statics

P (Guest), 08-04-2004
I'm a little rusty, not having used a PIX for 18 months or so.

But I helped one of our clients set up an IPSEC VPN to us (terminated on a
3725 router).

I defined the ACL for VPN'd traffic and then had him apply that to NAT 0 on
his PIX. IPSEC worked fine, but then he got a "no translation group" error when
the decrypted traffic from me hit his PIX. I got him to put in a static for
the destination IP address and then it worked.

But

Does this now preclude the destination machine (the one defined in the
static) from getting any non-VPN outbound access, since a static has been
defined from inside to outside that is a private address? (And a static
overrides NAT rules, right?)

This is undesirable. I want to get to sites like windowsupdate and
security.debian.org from my client's end; only traffic destined for a portion
of my network will go via the IPSEC tunnel.

I can't quite remember how it all works now... I recall a global PIX command
that effectively says "if you have come in via VPN, I will not pass you through
the ACLs...", but this is also undesirable as it opens things up too much.

Is there a happy medium?

Thanks

P


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.729 / Virus Database: 484 - Release Date: 27/07/2004
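The "happy medium" asked about above, written out as an added example (not configuration from either poster or from Cisco's linked document). It assumes PIX 6.3 syntax, the constructed addresses named in the annotation lines, and that the `!` annotation lines are stripped before pasting:

```cisco
! Constructed addresses (not from the thread):
!   client LAN behind the PIX   192.168.10.0/24, inside host 192.168.10.20
!   remote LAN behind the 3725  10.50.0.0/24  (only this range rides the tunnel)
!
! 1. NAT exemption scoped to VPN traffic only. Inside-LAN traffic bound for the
!    remote VPN range is exempt from NAT; everything else falls through to the
!    PAT rule below, so windowsupdate / security.debian.org keep working.
access-list NONAT permit ip 192.168.10.0 255.255.255.0 10.50.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 2. Ordinary outbound PAT for all other inside traffic.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! 3. Crypto ACL: the same source/destination pairs as NONAT. If the two ACLs
!    disagree, decrypted traffic arrives that NONAT does not cover, and the
!    PIX reports exactly the "no translation group" error from the post.
access-list VPN permit ip 192.168.10.0 255.255.255.0 10.50.0.0 255.255.255.0
!
! What NOT to do: an identity static for the inside host. It silences the
! no-translation error but is unconditional, so the host then leaves for the
! Internet with its private 192.168.10.20 address and normal outbound access
! breaks (the concern raised in the post). Leave this line out.
!   static (inside,outside) 192.168.10.20 192.168.10.20 netmask 255.255.255.255
!
! 4. Instead of 'sysopt connection permit-ipsec' (which bypasses the outside
!    ACL for all decrypted traffic), permit only the remote VPN range.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit ip 10.50.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
```

After applying it, `show access-list NONAT` should show hit counts climbing only for tunnel-bound traffic, while `show xlate` shows PAT entries for the inside host's Internet sessions.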
Mirko (Guest), 08-06-2004
I have a similar problem I'm working on too; I just got a suggestion to have
a look at

http://www.cisco.com/en/US/tech/tk58...80094634.shtml

(Configuring a Router IPSec Tunnel Private-to-Private Network with NAT and a
Static)

Maybe it could help.


Mirko


"P" <(E-Mail Removed)> wrote in message
news:QbeQc.2$(E-Mail Removed)...
> I'm a little rusty, not having used a PIX for 18 months or so.
>
> But I helped one of our clients set up an IPSEC VPN to us (terminated on a
> 3725 router).
>
> I defined the ACL for VPN'd traffic and then had him apply that to NAT 0 on
> his PIX. IPSEC worked fine, but then he got a "no translation group" error when
> the decrypted traffic from me hit his PIX. I got him to put in a static for
> the destination IP address and then it worked.
>
> But
>
> Does this now preclude the destination machine (the one defined in the
> static) from getting any non-VPN outbound access, since a static has been
> defined from inside to outside that is a private address? (And a static
> overrides NAT rules, right?)
>
> This is undesirable. I want to get to sites like windowsupdate and
> security.debian.org from my client's end; only traffic destined for a portion
> of my network will go via the IPSEC tunnel.
>
> I can't quite remember how it all works now... I recall a global PIX command
> that effectively says "if you have come in via VPN, I will not pass you through
> the ACLs...", but this is also undesirable as it opens things up too much.
>
> Is there a happy medium?
>
> Thanks
>
> P