Problem solved [last try: tough VPN question] 2 more questions

From: Jim Bond (trycisco@xxxxxxxxx)
Date: Tue Dec 19 2000 - 04:27:11 GMT-3


Hello,

Thanks a lot for all the info, you guys are great!!!
The problem is solved by doing:

1. Use the PIX internal IP address as the match address
2. Create a nonat for traffic to the central router

I have 2 more questions (sorry, I couldn't find the answer):
1. How do I do redundancy between the branch office (2
PIXs) and the central office (2 7100s)? CCO only gives
a sample for routers, not the PIX.

2. At the branch office (only 1 IP address), there is a
web server behind the PIX; how do I do traffic forwarding?

Thanks again.

Jim

> Jim Bond <trycisco@yahoo.com> wrote:
> Hello,
>
> Let me re-describe the situation:
>
> Central office 7100 router, site office PIX (NAT
> overload, 1 public IP address), IPSec tunnel is
> established, clients at the site office can't log on to the NT
> domain but can do everything else.
>
> Today, I replaced the PIX with a 3620 router (same
> IPSec setup), everything works fine. Clients can
> log on to the NT domain.
>
> I think that proves 1) I don't have a naming issue 2)
> PAT works with IPSec. I don't understand why the PIX
> wouldn't work. Please see my PIX config.
>
> Thanks in advance.
>
>
> Jim
>
> PIX Version 5.2(3)
> access-list 100 permit ip host 24.176.210.204 167.191.0.0 255.255.0.0
> ip address outside 24.176.210.204 255.255.255.0
> ip address inside 10.1.1.1 255.255.255.0
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 24.176.210.1 1
> sysopt connection permit-ipsec
> crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
> crypto map newmap 10 ipsec-isakmp
> crypto map newmap 10 match address 100
> crypto map newmap 10 set peer 169.193.13.2
> crypto map newmap 10 set transform-set IPSEC
> crypto map newmap interface outside
> isakmp enable outside
> isakmp key ******** address 169.193.13.2 netmask 255.255.255.255
> isakmp identity hostname
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 86400
> dhcpd address 10.1.1.101-10.1.1.110 inside
> dhcpd dns 24.1.64.33 24.1.64.34
> dhcpd wins 169.193.28.60 169.193.148.25
> dhcpd lease 3600
> dhcpd domain dhcp.lamrc.com
> dhcpd enable inside
>
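The two changes Jim lists applied to the quoted PIX config, as an added example that is not part of the original post. The ACL name `nonat` is an assumption; the addresses, the `newmap` crypto map and the `nat`/`global` lines are the ones in the quoted config. With `nat (inside) 0 access-list nonat`, traffic from 10.1.1.0/24 to 167.191.0.0/16 is exempted from PAT and enters the tunnel with its real inside source address, which is why the crypto map must now match the inside network rather than the PIX outside address; everything else is still PAT'd to the outside interface by `nat (inside) 1`.

```text
access-list nonat permit ip 10.1.1.0 255.255.255.0 167.191.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
crypto map newmap 10 match address nonat
crypto map newmap 10 set peer 169.193.13.2
crypto map newmap 10 set transform-set IPSEC
crypto map newmap interface outside
```

Issuing `crypto map newmap 10 match address nonat` replaces the old `match address 100`, after which `access-list 100` is no longer referenced and can be removed. Run `clear xlate` after the change so existing PAT translations for inside hosts are dropped, then check `show crypto ipsec sa`: the local and remote identities should now read 10.1.1.0/255.255.255.0 and 167.191.0.0/255.255.0.0, not the single outside host address. The central router's crypto ACL and any route-map or NAT exemption there must mirror this (167.191.0.0/16 to 10.1.1.0/24) or phase 2 will fail on a proxy-identity mismatch. The transform set and ISAKMP policy (single DES, MD5, group 1) are left as posted; they are the weakest options the PIX offered and would not be chosen today.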



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:26:06 GMT-3