
VPN and global IP


xdeq

Technical User
Sep 27, 2004
|
| 192.168.1.254
PIX global (outside) 1 200.200.200.14
| 172.17.1.1
|
| 172.17.1.2
ISP router
| 123.123.123.1
|
internet

I have a PIX 506E and VPN Client 4.0.1.
I can establish a VPN connection when I use the IP address of the external interface (172.17.1.1).
But it does not work when I try to use 200.200.200.14.



write erase

enable
config terminal

enable password password
passwd password

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.17.1.1 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
mtu outside 1500
mtu inside 1500


hostname pix
domain-name mydomain.local

fixup protocol ftp 21
fixup protocol http 80
fixup protocol rsh 514
fixup protocol smtp 25

telnet 0.0.0.0 0.0.0.0 inside

global (outside) 1 200.200.200.14
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 172.17.1.2 1

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL

username bob1 password password privilege 15

static (inside,outside) 200.200.200.10 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.11 192.168.1.111 netmask 255.255.255.255 0 0
conduit permit tcp host 200.200.200.10 eq telnet any
conduit permit tcp host 200.200.200.10 eq ftp any


-- VPN

names
access-list inside_outbound_nat0_acl permit ip any 172.17.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.17.2.0 255.255.255.0

ip local pool VPNpool 172.17.2.1-172.17.2.254
nat (inside) 0 access-list inside_outbound_nat0_acl


sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mygroup address-pool VPNpool
vpngroup mygroup dns-server 192.168.1.50 192.168.1.53
vpngroup mygroup wins-server 192.168.1.50 192.168.1.53
vpngroup mygroup default-domain csi
vpngroup mygroup idle-time 1800
vpngroup mygroup password password

dhcpd auto_config outside




 
P.S. My client computer is connected
to the 172.17.1.0 network
IP: 172.17.1.100
gateway: 172.17.1.1

Static mappings work fine:
telnet 200.200.200.10
ftp 200.200.200.10

The idea is that the client will connect from the Internet, so I'd like to use the public address 200.200.200.14 rather than
the IP on the outside interface.

Regards
Robert
 
Looks like a routing/configuration issue with your ISP. Is your ISP routing 200.200.200.0 onto the segment between your firewall and the ISP's router? Right now it looks like you are using a private address between you and the ISP. You need to have them turn NAT off on that router and route the real addresses in

The simplest configuration would have the ISP router at 200.200.200.1, and your firewall at 200.200.200.2
 
To my knowledge, you can't have global IPs that are not in a subnet that is defined on the interface you're applying that IP to.

So since your outside interface is 172.x.x.x, you cannot have a global of 200.x.x.x on that interface.


BuckWeet
 
Guys,
thank you for the response.

308win,
this is not about routing from the ISP,
because I am connected to the network 172.17.1.0.
I can ftp to 200.x.x.10,
so that means that the static works fine even if the interface IP is 172.17.1.1.

I believe that after I do
add route 200.x.x.x mask 255.255.255.248 172.17.1.0
on the perimeter router,
traffic from the Internet will be delivered to the PIX.


BuckWeet,
the book Cisco(R) PIX(TM) Firewalls, by Richard Deal,
describes such configurations.
They call it a perimeter router and use private IPs on this segment.
However, when they get to the VPN,
there is no such example.

NAT and static routes work fine with 172.17.1.1 on the interface and a global of 200.x.x.x;
however, the VPN works only when I connect to 172.17.1.1 rather than 200.x.x.x.



 
And one more thing:

I agree with BuckWeet that having
"ISP router at 200.200.200.1, and your firewall at 200.200.200.2"
would solve the problem.
But in this case I have to dedicate one public address on the
ISP router, and cannot use it on the PIX for a static any more.

Robert



 
-- route 200.x.x.x mask 255.255.255.248 172.17.1.0

I think you want to route it at the PIX, as in 172.17.1.1, (and your ISP has built the route for 200.x.y.z via 123.123.123.1)
 
You cannot connect to a global IP address at all.
A VPN must terminate on a PIX interface, hence you must use the IP of a PIX interface.

If what you need is a public IP, then you must have a public IP on your PIX -OR- if you run NAT at the ISP router, you must use the WAN IP of the ISP router, and configure that router to have a default NAT forwarding rule that forwards everything to the private IP of the PIX outside interface.
In IOS it's called extendable NAT.

HTH
Martin Bilgrav
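The forwarding variant of Martin's suggestion, written out as an added example (this is not configuration from the thread, from Cisco, or from the book Robert cites). The perimeter router keeps 172.17.1.1 on the PIX segment, routes the public block to the PIX the way Robert intended (with the PIX interface 172.17.1.1 as next hop, not the network address), and statically translates only the two IKE ports of 200.200.200.14 to the PIX outside interface. A one-to-one static NAT of the whole .14 address would not work in this topology, because .14 is also the PIX PAT global: the router would rewrite every returning PAT packet to 172.17.1.1 and the PIX would never match those packets against its xlate table. Raw ESP (IP protocol 50) has no port to forward, so the client has to carry ESP inside UDP/4500, which means NAT-T on the PIX; that needs PIX 6.3, and VPN Client 4.0.1 supports it. The router interface names and masks, the 200.200.200.8/29 block size, and the PIX 6.3 version are assumptions.

```cisco
! --- Perimeter (ISP-facing) router, IOS; interface names and masks are assumed ---
interface FastEthernet0/0
 description segment toward the PIX outside interface (172.17.1.0/24)
 ip address 172.17.1.2 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description link to the ISP (assumed /30)
 ip address 123.123.123.1 255.255.255.252
 ip nat outside
!
! The public block the PIX uses (statics .10/.11 and PAT global .14) is
! handed to the PIX untranslated. Next hop is the PIX interface address,
! not the 172.17.1.0 network address.
ip route 200.200.200.8 255.255.255.248 172.17.1.1
!
! Only IKE (UDP/500) and NAT-T (UDP/4500) sent to .14 are redirected to the
! PIX interface IP. Everything else addressed to .14 is PAT return traffic
! and must reach the PIX with its destination unchanged.
ip nat inside source static udp 172.17.1.1 500 200.200.200.14 500 extendable
ip nat inside source static udp 172.17.1.1 4500 200.200.200.14 4500 extendable

: --- PIX 506E running PIX 6.3 (assumed); lines starting with ':' are comments ---
: The client addresses its packets to .14 while the PIX answers from 172.17.1.1,
: so the NAT-D check in IKE detects a NAT in the path and both sides switch
: ESP to UDP/4500. The 20 s keepalive stops any dynamic NAT on the client's
: side (a home router, for example) from timing out while the tunnel is idle.
isakmp nat-traversal 20
```

With this in place the VPN client is pointed at 200.200.200.14, the router's static route still delivers 200.200.200.10/.11 and the PAT replies for .14 straight to the PIX, and only the two IKE ports are rewritten. Verify on the router with `show ip nat translations` (the two static entries should be listed) and on the PIX with `show isakmp sa` after a client connects; if the client falls back to raw ESP the IKE phase completes but no traffic flows, which is the symptom of NAT-T not being enabled.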
 