
PIX static public IP to Private IP issue

agrayson
Level 1

I have a PIX 525 ...6.3....I have a server that used to use the following statement to access the internet for GPRS downloads via the internet...static (inside,outside) 199.xxx.xxx.185 10.xxx.xxx.6 netmask 255.255.255.255 0 0 ...we then changed to Kore wireless and use a Cisco VPN client newest ver. The old static mapping I thought was no longer needed and in cleaning up the FW I removed it. 2 hours later I get a call saying the server can not access the internet and the VPN is not working. Going by the last change I put the statement back on the FW and everything worked then I removed it again and all works for 2 hours or so and then the internet connection is lost again until the static statement is placed back on the PIX. Kore does not require a public IP for the VPN connection. We are confused...we uninstalled the VPN client but the W2K server was still unable to access the internet yet all the other nodes on its subnet could and yes all the tcp/ip stuff is correct. I am at the point that I want to uninstall ...hack reg...remove and reinstall MS TCP/IP stuff...this was not an issue till we installed the VPN client...and I have had other issues with the routing getting corrupted on the server...any suggestions. I cleared ARP and XLATE

2 Replies

ehirsel
Level 6

Am I correct in understanding that the vpn client is on the win2000 server?

If that is true, how is the connection transport specified? IPSec over UDP or TCP (NAT-T) or is nat transparency turned off? If it is turned off, then the static is needed to allow IKE to work correctly thru a firewall (one-to-one xlate). The pix 6.3.3 code does have the protocol fixup esp-ike to allow clients behind it to work with PAT in establishing a vpn tunnel to outside hosts. The two hours is probably the timeout that the other end has for phase 1 or phase 2 SAs. Once you change/remove the static, the renegotiation fails to take place.

Yes the VPN client is on a W2K server....Thanks for the quick response. I thought it had something to do with the config like you mentioned above so I had the vendor uninstall the VPN client but the server was still unable to access the internet....however I did not hack the VPN client from the registry....this W2K server is on the same subnet that all the other servers on with the same default gateway can access the internet and this was not an issue on the server in question till this vendor installed the VPN client about 2 months ago...I will get the exact config and post it...with that said can you recommend a VPN setup on the server in question that will not require a public IP mapping on the PIX?
