
VPN connection

lyes.ouarti
Level 1

Hi,

I plan to do a VPN between two sites, to secure FTP between two FTP servers. Here is the configuration:

access-list ftp-tunnel permit tcp host public @ host (your server ip) eq ftp

isakmp enable outside

sysopt connection permit-ipsec

crypto ipsec transform-set WAT esp-des esp-md5-hmac

crypto map YADZ 10 ipsec-isakmp

crypto map YADZ 10 match address ftp-tunnel

crypto map YADZ 10 set peer "your public ip"

crypto map YADZ 10 set transform-set WAT

isakmp key fffg address "your public ip" netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

My question is about the ftp-tunnel access-list.

Is it right? I ask because I am using public IP addresses, and not private ones; I did a static on the DMZ to map my FTP server to a public IP address.

Will it work?

Thanks a lot.

3 Replies

Patrick Iseli
Level 7

No, all VPN traffic uses local private addresses.

access-list ftp-tunnel permit tcp Internalnet ISubnet Externalnet Esubnet eq 21

Sincerely

Patrick

ehirsel
Level 6

If the remote side is expecting to use public addresses (or any address other than the true one) for your FTP host, then yes, using the public or NAT'ed address of your FTP server as the source IP in the ACL that is applied to the crypto map will work. This is because the PIX will do the NAT/static first and then do the IPsec processing. Ensure that your NAT or static is set up correctly. IPsec can work with any valid IP address except for multicast, so you can use public as well as the IETF private IP addresses.

However, if the other side is expecting to see your FTP server by its true address (the one inside your network), then you would use the true address as the source host in your crypto map ACL.

Let me know if this helps.
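
The ordering described in the reply above (the static is applied first, then IPsec processing, so the crypto ACL has to name the address the packet carries after translation) can be checked against a saved configuration. The Python below is an added example, not part of the thread: the sample configuration, its addresses and the function name `crypto_acl_mismatches` are constructed, it reads only `host`-to-`host` ACL entries, and it assumes no NAT exemption applies to the tunnel traffic.

```python
import re

# Constructed sample in PIX 6.x syntax; addresses are documentation ranges.
BEFORE = """\
static (dmz,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255 0 0
access-list ftp-tunnel permit tcp host 172.16.1.10 host 198.51.100.20 eq ftp
access-list dmz-in permit tcp host 172.16.1.10 any eq www
crypto map YADZ 10 ipsec-isakmp
crypto map YADZ 10 match address ftp-tunnel
crypto map YADZ 10 set peer 198.51.100.1
"""
# Same config with the crypto ACL source changed to the translated address.
AFTER = BEFORE.replace("tcp host 172.16.1.10 host 198",
                       "tcp host 192.0.2.10 host 198")

# static (real_if,mapped_if) <global ip> <real ip> ...
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+)", re.M)
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) permit \S+ host (\S+) host (\S+)", re.M)


def crypto_acl_mismatches(config):
    """Return (acl, real_ip, translated_ip) for each crypto ACL entry whose
    source is a real address that a static rewrites before IPsec sees it."""
    real_to_global = {real: glob for glob, real in STATIC_RE.findall(config)}
    crypto_acls = set(MATCH_RE.findall(config))
    findings = []
    for acl, src, _dst in ACL_RE.findall(config):
        # Only ACLs bound to a crypto map select traffic for the tunnel.
        if acl in crypto_acls and src in real_to_global:
            findings.append((acl, src, real_to_global[src]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        found = crypto_acl_mismatches(cfg)
        for acl, real, glob in found:
            print(f"{name}: {acl} matches {real}, but packets leave as {glob}")
        if not found:
            print(f"{name}: crypto ACL sources agree with the static translations")
```

The ACL on the remote peer has to mirror whichever address form is chosen, with source and destination swapped.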

Hi,

Thanks for your answer, this helps me a lot in my understanding of VPNs.

Thanks again.