Multiple Servers Behind Firewall, want 1 of them to use Point-to-Point tunnel to remote Sonicwall

Rodney Hall
Level 1

I have a configuration with multiple VMs hosted behind a PIX 506E running 6.3(5) (I know, we are in the process of replacing it, but for now I need to use it), and I need to have one of them connect to a remote location via a point-to-point tunnel (Sonicwall). When I use this configuration, the main firewall sees the tunnel, not the specific machine that I want to see the tunnel.

Any ideas? Thanks in advance.

12.34.56.154 is the external address of the server that we want to access the external server behind the Sonicwall from.

56.78.89.184 is the internal address of the same server.

98.87.65.217 is the external address of the server for the Sonicwall.

10.10.10.15 is the internal address of the Sonicwall server.

Sample config:

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 105 permit tcp any host 12.34.56.153 eq 7899
access-list 105 permit udp any host 12.34.56.153 eq 7899
access-list 105 permit tcp any host 12.34.56.152 eq ftp
access-list 105 permit udp any host 12.34.56.152 eq 21
access-list 105 permit tcp any host 12.34.56.152 eq ftp-data
access-list 105 permit udp any host 12.34.56.152 eq 20
access-list 105 permit tcp any host 12.34.56.154 eq www
access-list 105 permit udp any host 12.34.56.154 eq www
access-list 105 permit tcp any host 12.34.56.154 eq 7899
access-list 105 permit udp any host 12.34.56.154 eq 7899
access-list 105 permit tcp any host 12.34.56.155 eq www
access-list 105 permit udp any host 12.34.56.155 eq www
static (inside,outside) 12.34.56.153 56.78.89.183 netmask 255.255.255.255 0 0
static (inside,outside) 12.34.56.152 56.78.89.182 netmask 255.255.255.255 0 0
static (inside,outside) 12.34.56.154 56.78.89.184 netmask 255.255.255.255 0 0
static (inside,outside) 12.34.56.155 56.78.89.185 netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.152 www 56.78.89.182 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.153 www 56.78.89.183 www netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.153 www 56.78.89.183 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.153 7899 56.78.89.183 7899 netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.153 7899 56.78.89.183 7899 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.152 ftp 56.78.89.182 ftp netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.152 21 56.78.89.182 21 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.152 ftp-data 56.78.89.182 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.152 20 56.78.89.182 20 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.154 www 56.78.89.184 www netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.154 www 56.78.89.184 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.154 7899 56.78.89.184 7899 netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.154 7899 56.78.89.184 7899 netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.155 www 56.78.89.185 www netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.155 www 56.78.89.185 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 12.34.56.155 7899 56.78.89.185 7899 netmask 255.255.255.255 0 0
static (inside,outside) udp 12.34.56.155 7899 56.78.89.185 7899 netmask 255.255.255.255 0 0
access-list acl-out permit udp host 12.34.56.154 host 192.169.60.184 eq isakmp
access-list acl-out permit udp host 12.34.56.154 host 56.78.89.184 eq 4500
access-group acl-out in interface outside
access-list 105 permit ip host 56.78.89.184 host 10.10.10.15
access-list 105 permit ip host 10.10.10.15 host 56.78.89.184
access-list nonat permit ip host 56.78.89.184 host 10.10.10.15
access-list nonat permit ip host 10.10.10.15 host 56.78.89.184
access-list caplist permit ip host 12.34.56.154 host 98.87.65.217
access-list caplist permit ip host 98.87.65.217 host 12.34.56.154
crypto ipsec transform-set nsset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 105
crypto map nsmap 10 set peer 98.87.65.217
crypto map nsmap 10 set transform-set nsset
crypto map nsmap interface outside
isakmp enable outside
isakmp enable inside
isakmp nat-traversal 20
isakmp key ************* address 98.87.65.217 netmask 255.255.255.255 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

3 Replies

Rodney Hall
Level 1

No ideas?

Rodney Hall
Level 1

I assume, then, that this is something that really isn't doable...

Rodney Hall
Level 1

Does the line:

crypto map nsmap interface outside

have to be changed to:

crypto map nsmap 12.34.56.154

?
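Two designs fit what the original post asks for, and they are mutually exclusive: either the PIX is the IPsec peer on behalf of the one host (which is what the posted config does, so the firewall owns the tunnel), or the host runs its own IPsec to the Sonicwall and the PIX only forwards IKE and ESP to it. The fragment below is an added example for this thread; it is not from the original post and not Cisco documentation. It reuses the addresses from the post; the ACL name vpn-ns, the masked pre-shared key and the `nat (inside) 0 access-list nonat` line (not visible in the posted excerpt) are assumptions. It also covers the last reply: in PIX 6.3 a crypto map is bound with `crypto map <name> interface <ifname>`, which takes an interface name, never an IP address, so for the host to be the endpoint the crypto map comes off the PIX entirely (design B). Comment lines use the PIX ":" prefix.

```cisco
: Added example, not part of the original post. PIX 6.3 syntax.
: Inside host 56.78.89.184 is static-NATed to 12.34.56.154; the Sonicwall is
: 98.87.65.217 outside / 10.10.10.15 inside (addresses from the post).

: ---- Design A: the PIX terminates the tunnel for the one host ----
: Crypto ACL kept separate from the interface ACL (the post reuses 105 for
: both). Only the host pair is interesting traffic; it must mirror the
: Sonicwall side exactly.
access-list vpn-ns permit ip host 56.78.89.184 host 10.10.10.15
: NAT exemption so the far side sees 56.78.89.184, not 12.34.56.154
: (nat 0 access-list is evaluated before static on PIX 6.x).
access-list nonat permit ip host 56.78.89.184 host 10.10.10.15
nat (inside) 0 access-list nonat
crypto ipsec transform-set nsset esp-aes-256 esp-sha-hmac
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address vpn-ns
crypto map nsmap 10 set peer 98.87.65.217
crypto map nsmap 10 set transform-set nsset
: Bound by interface name; there is no form that takes an address.
crypto map nsmap interface outside
: Decrypted tunnel traffic bypasses the outside interface ACL.
sysopt connection permit-ipsec
isakmp enable outside
: Pre-shared key masked here as in the post.
isakmp key ******** address 98.87.65.217 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

: ---- Design B: the host terminates its own tunnel; the PIX only forwards ----
: Unbind the PIX-side crypto map (and drop the PIX-side key for the peer).
no crypto map nsmap interface outside
: The 1:1 static translates every IP protocol, ESP (50) included.
static (inside,outside) 12.34.56.154 56.78.89.184 netmask 255.255.255.255 0 0
: ACL applied inbound on outside: the SOURCE is the remote peer and the
: DESTINATION is the host's public address (the post has them reversed).
access-list acl-out permit udp host 98.87.65.217 host 12.34.56.154 eq isakmp
access-list acl-out permit udp host 98.87.65.217 host 12.34.56.154 eq 4500
access-list acl-out permit esp host 98.87.65.217 host 12.34.56.154
access-group acl-out in interface outside
```

In design A the crypto ACL contains the one host pair and nothing else; the posted config points `match address` at access-list 105, which also carries the public-service permits, so the crypto ACL is wider than the host pair and cannot mirror the Sonicwall's policy. In design B the Sonicwall must be configured with 12.34.56.154 as its peer, and because the host's IKE identity defaults to its real address 56.78.89.184, the Sonicwall's peer IKE ID (or the host's local ID) has to be set to match; the address mismatch also makes both ends switch to NAT-T, which is why UDP 4500 is permitted next to 500. To see which device actually owns the security association: `show isakmp sa` on the PIX lists 98.87.65.217 as a peer only in design A, while in design B `capture vpn access-list caplist interface outside` followed by `show capture vpn` (reusing the post's caplist ACL) shows the IKE and ESP packets being forwarded to 12.34.56.154.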
