|
| 192.168.1.254
PIX global (outside) 1 200.200.200.14
| 172.17.1.1
|
| 172.17.1.2
ISP router
| 123.123.123.1
|
internet
I have a PIX 506E and VPN Client 4.0.1.
I can establish a VPN connection when I use the IP address of the external interface (172.17.1.1).
But it does not work when I try to use 200.200.200.14.
write erase
enable
config terminal
enable password password
passwd password
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.17.1.1 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
mtu outside 1500
mtu inside 1500
hostname pix
domain-name mydomain.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol rsh 514
fixup protocol smtp 25
telnet 0.0.0.0 0.0.0.0 inside
global (outside) 1 200.200.200.14
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.17.1.2 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
username bob1 password password privilege 15
static (inside,outside) 200.200.200.10 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.11 192.168.1.111 netmask 255.255.255.255 0 0
conduit permit tcp host 200.200.200.10 eq telnet any
conduit permit tcp host 200.200.200.10 eq ftp any
-- VPN
names
access-list inside_outbound_nat0_acl permit ip any 172.17.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.17.2.0 255.255.255.0
ip local pool VPNpool 172.17.2.1-172.17.2.254
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mygroup address-pool VPNpool
vpngroup mygroup dns-server 192.168.1.50 192.168.1.53
vpngroup mygroup wins-server 192.168.1.50 192.168.1.53
vpngroup mygroup default-domain csi
vpngroup mygroup idle-time 1800
vpngroup mygroup password password
dhcpd auto_config outside