04-15-2004 08:00 AM
Site1 wants to access an XCOM server in Site2 from their XCOM server on port 8044.
The destination address they use is 172.23.192.222, which goes to the PIX and is translated to 10.0.0.49, the XCOM server.
The VPN comes up fine, phases 1 and 2. The thing is they can't get on the XCOM at all.
When I CVPN in I CAN ping 10.0.0.49 AND telnet on port 8044 OK.
I can also ping the 172.23.192.222 address and 10.0.0.49 responds, so the translation is working, but I can't telnet to 172.23.192.222 8044.
I can't write an ACL allowing port 8044 in because it's coming through the tunnel, so all ports are already passed through.
If you could give the config the once-over. Any ideas or help appreciated.
Details have been omitted to protect the innocent.
PIX Version 6.3(1)
access-list nonat permit ip LocalLAN 255.255.255.0 20.1.2.0 255.255.255.0
access-list nonat permit ip host ExtXCOM host IntXCOM
access-list SiteToSite permit ip host ExtXCOM host IntXCOM
ip address outside OutsideAddress 255.255.255.248
ip address inside InsideAddress 255.255.255.0
ip local pool tony 20.1.2.1-20.1.2.20
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ExtMail IntMail netmask 255.255.255.255 0 0
static (inside,outside) ExtXCOM IntXCOM netmask 255.255.255.255 0 0
access-group out_acl in interface outside
route outside 0.0.0.0 0.0.0.0 NextHopAddress 1
route outside 20.1.x.x.x.255.0 NextHopAddress 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address SiteToSite
crypto map mymap 20 set peer ExtXCOM
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address ExtXCOM netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 authentication pre-share
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool tony
vpngroup vpn3000 split-tunnel nonat
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ***
telnet LocalLAN 255.255.255.0 inside
telnet 20.1.2.0 255.255.255.0 inside
ssh timeout 5
management-access inside
04-16-2004 11:50 AM
Through a point-to-point tunnel, people will be attempting to connect to the non-NATted IP address, not the external IP address. Can they do this?
04-18-2004 07:00 AM
Hi, thanks for the reply. Yes they can; they direct traffic to an outside address that is statically mapped to the inside. I simulated the remote end on Friday and it worked.
Cheers Tony
04-17-2004 09:44 PM
Your nat (inside) 0 is tied to this access-list: access-list nonat permit ip host ExtXCOM host IntXCOM
When you connect site to site, you want a nat (inside) 0 on both sides to define the private addresses on both sides. Basically one side is 10.0.0.49 and the other side is X.X.X.X.
Give that a try.
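As an added illustration of the point in this reply (not code from the thread or from Cisco), a small checker that parses the posted config excerpt and flags a crypto-map ACL written in terms of a static's global (translated) address instead of the inside host, plus any crypto ACL entry with no matching nat (inside) 0 exemption. The config text is a constructed excerpt using the placeholder names from the post.

```python
import re

# Constructed excerpt of the posted PIX 6.3 config (placeholder names kept as on the page)
PIX_CONFIG = """
access-list nonat permit ip LocalLAN 255.255.255.0 20.1.2.0 255.255.255.0
access-list nonat permit ip host ExtXCOM host IntXCOM
access-list SiteToSite permit ip host ExtXCOM host IntXCOM
nat (inside) 0 access-list nonat
static (inside,outside) ExtXCOM IntXCOM netmask 255.255.255.255 0 0
crypto map mymap 20 match address SiteToSite
"""

def parse_acl_hosts(config):
    """Return {acl_name: [(src, dst), ...]} for 'permit ip' entries.
    'host X' yields X; 'NET MASK' yields 'NET/MASK'."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) permit ip (.+)", line.strip())
        if not m:
            continue
        toks, ends = m.group(2).split(), []
        while toks:
            if toks[0] == "host":
                ends.append(toks[1])
            else:
                ends.append(f"{toks[0]}/{toks[1]}")
            toks = toks[2:]
        acls.setdefault(m.group(1), []).append(tuple(ends[:2]))
    return acls

def check_site_to_site(config):
    """Return findings for every crypto ACL referenced by 'match address'."""
    acls = parse_acl_hosts(config)
    # static (inside,outside) GLOBAL LOCAL -> map translated address to inside host
    statics = dict(re.findall(r"static \(inside,outside\) (\S+) (\S+)", config))
    nonat_names = re.findall(r"nat \(inside\) 0 access-list (\S+)", config)
    exempt = {pair for n in nonat_names for pair in acls.get(n, [])}
    findings = []
    for crypto_acl in re.findall(r"crypto map \S+ \d+ match address (\S+)", config):
        for src, dst in acls.get(crypto_acl, []):
            if src in statics:  # crypto ACL should name the private side, not the static global
                findings.append(f"{crypto_acl}: source {src} is a static global address; "
                                f"use the inside host {statics[src]}")
            if (src, dst) not in exempt:  # interesting traffic must also be NAT-exempt
                findings.append(f"{crypto_acl}: {src}->{dst} has no matching nat 0 exemption")
    return findings

if __name__ == "__main__":
    for f in check_site_to_site(PIX_CONFIG):
        print(f)
```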
04-18-2004 07:02 AM
Thanks for the reply. On Friday I simulated the remote end; traffic coming into ExtXCOM was translated to IntXCOM and it worked fine. I think the problem is at the customer's remote end.
Cheers Tony