Static and VPN on external interface

agoodwin
Level 1

Hi,

Can anyone tell me if it is possible (and if so how) to have vpn enabled on the external interface and to have something like:

static (inside,outside) interface x.x.x.x

ie: I have two ip addresses - one for the router one for e0 on the pix. I create a static and access-lists to allow inbound http/https to the server inside but I also want to allow vpn to hit e0 and work. My configs work if I use a 3rd ip address for the static but not if they share. I can imagine that the static takes the vpn traffic before the pix can use it OR that maybe as the pix has no route out now (due to the static) that it cannot respond?

Hope I am making sense

Thanks for any time spent on this

cheers

Andy

1 Accepted Solution


steve.barlow
Level 7

I believe you want something like this:

static (inside,outside) tcp interface http 10.10.10.10 http netmask 255.255.255.255 0 0 (where 10.10.10.10 is your web server)

static (inside,outside) tcp interface https 10.10.10.10 https netmask 255.255.255.255 0 0

access-list 101 permit tcp any host x.x.x.x eq 80 (where x.x.x.x is your interface IP)

access-list 101 permit tcp any host x.x.x.x eq 443

access-group 101 in interface outside

Hope it helps.

Steve
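
An added example, not part of the original thread or Cisco's tooling: a small Python check that tells the whole-address static from the question apart from the per-port statics in the answer, and confirms each per-port static has a matching permit in an ACL bound to the outside interface. The `audit` function, the sample configs and the address 192.0.2.1 (standing in for x.x.x.x) are constructed for illustration.

```python
# Added illustration; recognises only the PIX command forms quoted in this thread.
PORTS = {"http": "80", "https": "443"}  # service names used in the thread

def audit(config, outside_ip, iface="outside"):
    """Return findings for statics that share the outside interface address."""
    statics, permits, bound = [], set(), set()
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4:
            continue
        if t[0] == "static" and t[1].endswith(f",{iface})"):
            if t[2] in ("tcp", "udp") and len(t) >= 7:   # port-redirection form
                statics.append((t[2], t[3], PORTS.get(t[4], t[4])))
            else:                                        # whole-address form
                statics.append((None, t[2], None))
        elif (t[0] == "access-list" and len(t) >= 9 and t[2] == "permit"
              and t[4:6] == ["any", "host"] and t[7] == "eq"):
            permits.add((t[1], t[3], t[6], PORTS.get(t[8], t[8])))
        elif t[0] == "access-group" and t[2:] == ["in", "interface", iface]:
            bound.add(t[1])
    findings = []
    for proto, glob, port in statics:
        if glob not in ("interface", outside_ip):
            continue  # dedicated global address, nothing shared with the PIX itself
        if proto is None:
            findings.append("whole-address static on the interface IP; use per-port statics")
        elif not any((acl, proto, outside_ip, port) in permits for acl in bound):
            findings.append(f"{proto}/{port} static has no permit in an ACL bound to {iface}")
    return findings

# Constructed configs; 192.0.2.1 stands in for the thread's x.x.x.x.
ACL = """access-list 101 permit tcp any host 192.0.2.1 eq 80
access-list 101 permit tcp any host 192.0.2.1 eq 443
access-group 101 in interface outside
"""
SHARED = "static (inside,outside) interface 10.10.10.10\n" + ACL
SPLIT = """static (inside,outside) tcp interface http 10.10.10.10 http netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.10.10.10 https netmask 255.255.255.255 0 0
""" + ACL

if __name__ == "__main__":
    for name, cfg in (("shared", SHARED), ("split", SPLIT)):
        print(name, audit(cfg, "192.0.2.1") or "ok")
```
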

Of course - that makes sense - I never thought to split it like that.

thanks again

Andy