01-24-2003 06:29 AM - edited 02-21-2020 12:18 PM
Hi,
Can anyone tell me if it is possible (and if so, how) to have VPN enabled on the external interface and to have something like:
static (inside,outside) interface x.x.x.x
i.e. I have two IP addresses - one for the router, one for e0 on the PIX. I create a static and access-lists to allow inbound http/https to the server inside, but I also want to allow VPN to hit e0 and work. My configs work if I use a 3rd IP address for the static but not if they share. I can imagine that the static takes the VPN traffic before the PIX can use it OR that maybe as the PIX has no route out now (due to the static) that it cannot respond?
Hope I am making sense
Thanks for any time spent on this
cheers
Andy
01-24-2003 08:47 AM
I believe you want something like this:
static (inside,outside) tcp interface http 10.10.10.10 http netmask 255.255.255.255 0 0 (where 10.10.10.10 is your web server)
static (inside,outside) tcp interface https 10.10.10.10 https netmask 255.255.255.255 0 0
access-list 101 permit tcp any host x.x.x.x eq 80 (where x.x.x.x is your interface IP)
access-list 101 permit tcp any host x.x.x.x eq 443
access-group 101 in interface outside
Hope it helps.
Steve
02-09-2003 11:47 AM
Of course - that makes sense - I never thought to split it like that.
thanks again
Andy