VPN with Static Entry

shijasm · ‎08-01-2005

Here is the scenario PLEASE HELP

We have one PIX 501 Firewall, one exchange server, users who travel around.

I have configured our PIX firewall with a static entry with access-list for SMTP and POP3, now when I configured my PIX as a VPN server for PPTP client, I am unable to connect to VPN, I know that the static route I have created for exchange server is the issue, how can I allow VPN traffic with SMTP and POP 3. I think we have to exclude static entry… how can achieve this?

Please help me…

jmia · ‎08-01-2005

Have you verified your configuration for PPTP with this document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

Also, you could setup VPN Client access instead of PPTP, a lot more secure! Check out this document:

http://www.cisco.com/warp/public/110/pix3000.html

Let me know how you get on or require furthet help. If this info helps please rate post as others might be looking for similar resolution.

Jay

shijasm · ‎08-02-2005

i have exchange server inside my network therefore i have created "static (inside outside) xxxx xxxx nemask 255.255.255.0 0 0

access-list incoming_smtp permit any xxxx eq smtp

access-group incoming_smtp in in...

when i remove my static entry the VPN work fine. but if i remove static entry iwll not be able recive emails.

what i can do here

slaurin · ‎08-02-2005

Hi,

Can you confirm that the outside address of your PIX is different from the public address you are using for translating SMTP traffic to your mail server? If it is the same, you will need to refine your static command and translate only SMTP and POP3 to your mail server, i.e. "static (inside,outside) tcp x.x.x.x smtp x.x.x.x smtp netmask 255.255.255.255 0 0" and same thing for pop3. Let me know if the address isn't the same and I'll try to help you more.

Simon Laurin

shijasm · ‎08-02-2005

I have only one public ip address, connected to router, from router nat to pix