
My VPN and I need Help now!


bubarooni (Technical User), May 13, 2001
One of these days I hope to actually answer a question on this board. In the meantime thanks to all who helped me on the last problem I posted here. You are a noble lot...

Anyway, here is my current problem.

A software vendor whose product we use brought in a new Win2000 machine today, part of an upgrade to their old software app.

The new app requires a VPN, a little tidbit they neglected to mention until we couldn't get it running.

They configured the VPN connection on the desktop so I am assuming it is OK.

However, they say that if we use NAT, and we do, we must have GRE enabled on port 1723. We don't.

I know conduits are frowned on but the firewall already has two configured on it so here is my proposed solution:

conduit permit tcp any eq 1723 any
conduit permit gre any any

Will this give them access to the app, or do I need a static route in conjunction with the conduits? I hope not, because I only have two real IPs and they are both used.

Oh, yeah. When I enter configure mode and add the conduits do they become effective immediately or must I write them to memory?

Thanks,
Kelly
 
Ok, let me give you a crash course in PIX Firewalls.

A "static" statement creates a permanent translation in the firewall's translation table (aka xlate, show xlate). You only use static statements when you have data going from a lower security interface (outside, the internet) to a higher security interface (a DMZ, or inside network). You then must pair the static statement with either a conduit (not recommended) or an access list (preferred by Cisco).

You usually do not need to have anything going back, because by default if any traffic originates from a higher security interface going to a lower security interface, the firewall will allow traffic.

Now in regards to IPs: You can create a pool of IPs on the PIX for the inside network, doesn't matter if they're real or not. And if you use an access list, I don't think you'll have a problem.

So, to answer your question, yes, you do need static statements to go along with the conduits.

Hope this helps.
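To make the static-plus-access-list pairing described in the reply concrete, here is an added PIX 6.x configuration example. It is not from either poster; the addresses are assumptions: 203.0.113.10 stands for a spare public IP on the outside interface, 10.1.1.50 for the vendor's Win2000 box on the inside, and 198.51.100.5 for the vendor's PPTP server, and the access-list name outside_in is arbitrary. Lines beginning with "!" are explanatory comments, not commands. The example narrows the inbound permits to the vendor's server rather than "any", which is the check a practitioner would want before opening GRE through the firewall.

```cisco
! Added example (not from the thread): PIX 6.x configuration letting one
! inside host run a PPTP client through the PIX to a vendor's VPN server.
! Assumed addresses:
!   203.0.113.10  = spare public IP on the outside interface
!   10.1.1.50     = the Win2000 box on the inside
!   198.51.100.5  = the vendor's PPTP server on the internet
!
! 1. One-to-one static so the inside host has a fixed public identity
!    in both directions (this is the xlate the reply refers to).
static (inside,outside) 203.0.113.10 10.1.1.50 netmask 255.255.255.255 0 0
!
! 2. Permit only what PPTP needs, and only from the vendor's server:
!    TCP 1723 for the control channel and GRE (IP protocol 47) for the
!    tunnelled data. GRE is a protocol, not a port, so it gets its own line.
access-list outside_in permit tcp host 198.51.100.5 host 203.0.113.10 eq 1723
access-list outside_in permit gre host 198.51.100.5 host 203.0.113.10
access-group outside_in in interface outside
!
! Same effect with the older conduit syntax (global address first, then
! foreign address; works, but Cisco recommends access lists instead):
! conduit permit tcp host 203.0.113.10 eq 1723 host 198.51.100.5
! conduit permit gre host 203.0.113.10 host 198.51.100.5
!
! 3. Verify once the client has connected, then save to flash.
!    Commands entered in configure mode take effect as soon as they are
!    typed; "write memory" only makes them survive a reload.
show xlate
show conn
write memory
```

The static consumes a real IP, which matters given the poster has none spare; the pool of addresses mentioned in the reply only helps outbound traffic, because GRE has no port numbers for PAT to multiplex on. Later PIX 6.3 software added fixup protocol pptp 1723, which inspects the PPTP control channel so a client can work through PAT without a dedicated static; on the older software this thread describes, the one-to-one static above is the way to do it.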