https://community.cisco.com/t5/network-security/can-pix-do-this/m-p/274947#M568779 <HTML><HEAD></HEAD><BODY><P>Sorry, I indeed missed the router doing NAT. </P><P>As long as the router does a full static IP translation (1 on 1) you should be fine. If it does in fact PAT you need some configuration on your router as well (but still can be done)</P><P></P><P>One thing bothers me, why have you chose such setup?</P><P></P><P>Kind regards,</P><P>Leo</P></BODY></HTML> Wed, 18 Feb 2004 22:33:13 GMT l.mourits 2004-02-18T22:33:13Z https://community.cisco.com/t5/network-security/can-pix-do-this/m-p/274944#M568776 <P>can pix do this?</P><P>1.NAT PROBLEM</P><P>for instance,pix's public address is 218.242.2.1,its private ip address is 192.168.0.1/24,there is a server whose ip address is 192.168.0.100,if someone in internet want to access tcp ports from 2000 to 5000 of 218.242.2.1,the pix can forward all the traffic to 192.168.0.100?if can,how to do this?</P><P>2.VPN problem</P><P>the structure is :</P><P>INTERNET--ROUTERA--PIX--LAN,both the ip address of inside and outside of the router are public address,and both the ip address of inside and outside of the pix are private address,.but I use NAT to translate the pix's outside ip address to a public address,then can pix act as a vpn server?that means if someone in internet can dialer in the pix with cisco vpn client software?if can,is there any diffirent config in pix or router?in the pix's place,if there is a routerb or vpn3000,can they act as vpn server?</P><P>thanks</P> Fri, 21 Feb 2020 07:14:31 GMT https://community.cisco.com/t5/network-security/can-pix-do-this/m-p/274944#M568776 jeff.lee 2020-02-21T07:14:31Z https://community.cisco.com/t5/network-security/can-pix-do-this/m-p/274945#M568777 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>1) Yes,this is possible, you have to configure this:</P><P>static (inside, outside) interface 192.168.0.100 netmask 255.255.255.255</P><P>object-group service <SERVICE_OBJ_GROUP_ID> tcp-udp</SERVICE_OBJ_GROUP_ID></P><P> port-object range 2000 5000</P><P>access-list <YOUR_EXISTING_ACL_ID> outside_in permit tcp any interface object-group <SERVICE_OBJ_GROUP_ID></SERVICE_OBJ_GROUP_ID></YOUR_EXISTING_ACL_ID></P><P></P><P>2) Yes, this is possible, see this url for a good sample:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml" target="_blank">http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml</A></P><P></P><P>Hope this help &amp; kind regards,</P><P>Leo</P></BODY></HTML> Fri, 13 Feb 2004 08:50:27 GMT https://community.cisco.com/t5/network-security/can-pix-do-this/m-p/274945#M568777 l.mourits 2004-02-13T08:50:27Z https://community.cisco.com/t5/network-security/can-pix-do-this/m-p/274946#M568778 <HTML><HEAD></HEAD><BODY><P>thank u first!</P><P>but the second problem,maybe u misunderstand,I mean the pix doesnot have a real public ip address,a router is outside the pix which has real public address,and use NAT in the router,which translate the pix's outside ip address(which is a private ip address like 10.0.0.1) to a public ip address (such as 218.242.0.1),then the vpn client try to connect to 218.242.0.1,is it possible?</P></BODY></HTML> Mon, 16 Feb 2004 01:00:12 GMT https://community.cisco.com/t5/network-security/can-pix-do-this/m-p/274946#M568778 jeff.lee 2004-02-16T01:00:12Z https://community.cisco.com/t5/network-security/can-pix-do-this/m-p/274947#M568779 <HTML><HEAD></HEAD><BODY><P>Sorry, I indeed missed the router doing NAT. </P><P>As long as the router does a full static IP translation (1 on 1) you should be fine. If it does in fact PAT you need some configuration on your router as well (but still can be done)</P><P></P><P>One thing bothers me, why have you chose such setup?</P><P></P><P>Kind regards,</P><P>Leo</P></BODY></HTML> Wed, 18 Feb 2004 22:33:13 GMT https://community.cisco.com/t5/network-security/can-pix-do-this/m-p/274947#M568779 l.mourits 2004-02-18T22:33:13Z