
PIX 501: Connect Externally to internal LAN? 2


darkstate (Technical User) · Mar 17, 2009 · 8 · GB
OK, I have a tiny problem that's taken me 2 days and counting to try and solve so far, and that can be solved in 5 mins on your standard Linksys router.
Is there a way to connect to an IP on my LAN that's running an FTP server on port 7062? Like so:
PC (IP 192.168.1.100) --> my public address (86.8.12.12), then back into the LAN? Or local PC to public IP, then back to local PC.
Now I can quite easily connect to the server from work to home, but I can't connect locally via the public IP. Yes, I know I can connect via 192.168.1.100, but I want to test it via my public address on my LAN.
This is my access-list:

access-list inbound permit tcp any any eq 7062
access-group inbound in interface outside
static (inside,outside) tcp interface 7062 192.168.1.100 7062 netmask 255.255.255.255

Nothing wrong there, I know. I'm hoping there is some command I can use to get back into the LAN?
I'm thinking it's the
nameif ethernet0 Outside security0
nameif ethernet1 inside security100
If so, what do I need to do to the security permissions?

Thanks in advance for this place even existing :)
 
I don't know what version of OS you are running, but if it is at least 7.0 then add the command same-security-traffic permit intra-interface. This will enable hairpinning. If it is earlier than that you are out of luck.

I would also add the following since ftp is running on a nonstandard port: fixup protocol ftp 7062

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks for the reply unclerico.
The command fixup protocol ftp 7062 didn't work; I've added it, but no joy.
The OS is PIX Version 6.3(4).
So I guess I'm outta luck.
My next task is setting up VPN; no idea how to do that or whether I can do that from the LAN to test.
Any helpful links would be appreciated.
 
I don't know of a way to try to connect to an internal resource via its NAT'd public IP address. The reason is that you aren't traversing the firewall, and thus the traffic isn't NAT'd.

On 6.x code you certainly can't hairpin, nor can your traffic go back out the interface that it came in on. If the workstation and FTP server both reside on the same local area network, then a VPN would be of no help either.
 
Thanks brianinms for your reply.
Sorry about the VPN; that's got nothing to do with the above question about the FTP problem. I'm just going to set up VPN as my next project, that's all.
I'm just presuming that I'm going to encounter the same problem as I had with the FTP of not being able to connect to it locally.
Is it possible to update the OS from PIX Version 6.3(4) to 7.0, or is my 501 using the newest firmware?
And has anyone got a good noob config of a VPN setup I could use?

This is the one I'm trying, and I don't know if this is correct or not. I want to be able to connect to a PC (192.168.1.12) from the outside.

VPN Setup
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

isakmp key pa££wordhere address 86.8.1.** netmask 255.255.255.255
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool bigpool 192.168.2.1-192.168.2.254
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable Outside
isakmp key pa££word address 0.0.0.0 netmask 0.0.0.0 (do I change the 0.0.0.0?)
isakmp identity address
isakmp client configuration address-pool local bigpool Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000-all address-pool bigpool
vpngroup vpn3000-all dns-server 208.67.222.222
vpngroup vpn3000-all wins-server 192.168.1.12
vpngroup vpn3000-all default-domain password
vpngroup vpn3000-all idle-time 1800
vpngroup vpn3000-all password pa££word
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local bigpool
vpdn group 1 client authentication local
vpdn username usernamehere password pa££word
vpdn enable outside

Thanks for your time guys, it's appreciated.
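As an added example (not part of this thread, and not a Cisco tool), here is a small Python lint that applies the two points the replies make to the configuration lines quoted above: hairpinning a LAN host through its own public IP needs PIX 7.0+ plus `same-security-traffic permit intra-interface`, and an FTP server on a non-standard port needs a matching `fixup protocol ftp <port>` so the PIX inspects the control channel. It also flags the DES, MD5 and Diffie-Hellman group 1 settings in the posted isakmp policies, a hardening point the thread itself does not raise. The sample config is constructed from the lines in the thread plus the version string the poster reported; the regular expressions and function names are the example's own.

```python
import re

# Constructed sample: the lines quoted in the thread plus the reported
# version. This is not a real running configuration.
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inbound permit tcp any any eq 7062
access-group inbound in interface outside
static (inside,outside) tcp interface 7062 192.168.1.100 7062 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

VERSION_RE = re.compile(r"^PIX Version (\d+)\.(\d+)", re.M)
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+)", re.M)
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)", re.M)
FIXUP_RE = re.compile(r"^fixup protocol ftp (\d+)", re.M)
HAIRPIN_CMD = "same-security-traffic permit intra-interface"


def parse_version(config):
    """Return (major, minor) from the 'PIX Version' line, or None if absent."""
    m = VERSION_RE.search(config)
    return (int(m.group(1)), int(m.group(2))) if m else None


def exposed_tcp_services(config):
    """(mapped_port, real_ip, real_port) for each 'static (a,b) tcp' PAT entry."""
    return [(int(m[3]), m[4], int(m[5])) for m in STATIC_RE.findall(config)]


def check_hairpin(config):
    """Findings for the LAN -> own public IP -> LAN case discussed above."""
    findings = []
    version = parse_version(config)
    if version is None:
        findings.append("cannot determine PIX version")
    elif version < (7, 0):
        findings.append("PIX %d.%d cannot hairpin; 7.0 or later required" % version)
    if HAIRPIN_CMD not in config:
        findings.append("missing: " + HAIRPIN_CMD)
    return findings


def check_ftp_fixup(config, ftp_port):
    """FTP on a port other than 21 needs its own fixup, otherwise the PIX
    does not track the data connection for that control port."""
    if ftp_port == 21:
        return []
    configured = {int(p) for p in FIXUP_RE.findall(config)}
    if ftp_port not in configured:
        return ["missing: fixup protocol ftp %d" % ftp_port]
    return []


def check_ike_policies(config):
    """Hardening check: flag isakmp policies using single DES, MD5 or DH group 1."""
    weak = {("encryption", "des"), ("hash", "md5"), ("group", "1")}
    findings = []
    for num, attr, value in POLICY_RE.findall(config):
        if (attr, value.lower()) in weak:
            findings.append("isakmp policy %s uses weak %s %s" % (num, attr, value))
    return findings


def lint(config, ftp_port):
    """Run every check; ftp_port is the port the internal FTP server listens on."""
    return check_hairpin(config) + check_ftp_fixup(config, ftp_port) + check_ike_policies(config)


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG, 7062):
        print("-", line)
```

Run it as-is and it reports why the poster's 6.3(4) box cannot hairpin, that the port-7062 fixup is absent, and which isakmp policy attributes are weak; feeding it a config that carries the 7.x version line and the intra-interface command clears the hairpin findings.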
 
Thanks again for the reply.
It's OK, it works externally, which is the main point. Just need to get this damn VPN running now... My head hurts.
 