07-02-2005 04:37 AM
Hello,
I have a pix firewall which connects to the core router. I also have one network (let's say network 1) between the pix firewall and the core router.
What I am trying to do is to allow some hosts in Network 1 to access my network 2 (File Server) which stays behind the pix firewall. The diagram is as below:
Net.2(FileServer)....>Pix....>Net.1...>Core Router
Note: I have tried to config by following the doc in the below link but it still does not work.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
Thanks in advance.
Regards,
Sakdavin
07-03-2005 10:37 AM
Snippet of your config that does not work would help.
This should work though:
If 10.1.1.1 is the Server on the inside Net2, known to the outside world as 100.1.1.1,
and 200.1.1.1 is a client on the Outside Net1:
static (inside,outside) 100.1.1.1 10.1.1.1
access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
access-group 101 in interface outside
If this doesn't work, then make sure routing is good, there are no other nat statements that supersede the above statement, the acl on inside allows return traffic, etc.
07-04-2005 12:55 AM
Hi Sunilc,
Thanks for the reply.
I got another problem with outside vpn users. I have a Watchguard Firewall which stays in front of the Cisco Pix. And now what I am trying to do is to allow my outside vpn users access to my internal file server.
Note: WatchGuard works as a vpn server. We want to allow vpn users to pass through the pix firewall. What ports do I need to open on the pix firewall?
Could you please take a look at my attached file. Any URL link, please kindly let me know.
Regards.
Sakdavin
07-08-2005 08:31 AM
From the PIX perspective it is just an IP packet coming in, since the Watchguard is the VPN server and has decrypted the IPSec packet from the vpn user.
Now this packet is routed to the PIX and then must access the inside server.
All you have to do is to change the PIX Outside ACL to allow the decrypted packet access to the Server. Assuming the Watchguard is terminating remote VPN clients, and assigning a private ip to the client, let's say from pool 11.1.1.x.
If 10.1.1.1 is the Server on the inside Net2, known to the outside world as 100.1.1.1,
and 11.1.1.x is the ipsec private address assigned to the remote VPN client 200.1.1.1:
static (inside,outside) 100.1.1.1 10.1.1.1
access-list 101 permit ip 11.1.1.0 255.255.255.0 host 100.1.1.1
access-group 101 in interface outside
-Sunil.
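As an added illustration of the lookup order Sunil describes (this is example code, not from the thread or from Cisco), the Python below parses the static and ACL lines into a small model: an inbound packet is matched against the outside ACL using the global address from the static, and only then untranslated to the inside address. The config string, the 192.0.2.9 test source and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample config (not from a live device). On PIX 6.x/7.x the
# inbound ACL is matched against the GLOBAL address from the static, and
# the packet is untranslated to the inside address only afterwards.
PIX_CONFIG = """
static (inside,outside) 100.1.1.1 10.1.1.1
access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
access-list 101 permit ip 11.1.1.0 255.255.255.0 host 100.1.1.1
access-group 101 in interface outside
"""

def _operand(tokens):
    """Parse 'host A', 'any' or 'A MASK'; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_pix(config):
    """Collect static (global->real), access-list and access-group lines."""
    statics, acls, groups = {}, {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "static":
            statics[t[2]] = t[3]
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, rest = _operand(t[4:])          # t[3] is the protocol
            dst, _ = _operand(rest)
            acls.setdefault(t[1], []).append((t[2], src, dst))
        elif t[0] == "access-group" and t[2] == "in":
            groups[t[4]] = t[1]                  # interface -> ACL name
    return statics, acls, groups

def inbound_decision(config, iface, src_ip, dst_ip):
    """First ACL match wins; a permit still needs a static to reach inside."""
    statics, acls, groups = parse_pix(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, ace_src, ace_dst in acls.get(groups.get(iface, ""), []):
        if src in ace_src and dst in ace_dst:
            if action == "deny":
                return ("deny", None)
            real = statics.get(dst_ip)
            return ("permit", real) if real else ("no-translation", None)
    return ("deny", None)  # implicit deny at the end of every ACL
```

A packet addressed to the inside address 10.1.1.1 is denied by this model even though the host is reachable, which is the common mistake of writing the outside ACL against the real address instead of the global one.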