web dmz NAT and VPN on single IP interface

Status
Not open for further replies.

drumhrd

Technical User
Jun 6, 2010
Hello all

I am attempting to set up a PIX 515e running 8.0(3).

My topology is this.

OUTSIDE, INSIDE, DMZ

I also need client vpn.

I only have 1 External (internet routeable) IP address.

I have my outside interface setup with this IP.

I need to be able to accept traffic on my outside interface on port 443 and forward it to my DMZ server. I have been able to do this with success, but I lose functionality of the firewall.

static (dmz,outside) interface access-list web-server

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

If I remove this static I can use my configured VPN solution, but with the static in place, which I need to get my web traffic to my server, my VPN breaks.

I am wondering if there is some way to policy NAT this so that I can have my cake and eat it too.

I need

internetuser->webrequest->pix->webserver:443
internetuser->vpnclient->pix->internalnetwork

If I had another Internet address this would be a no-brainer, but with limited resources... ya.. it's difficult.

thanks for the help!

 
post your scrubbed config

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Sorry, my config is as follows:

interface Ethernet0
speed 100
duplex full
shutdown
nameif outside
security-level 0
ip address 69.92.82.203 255.255.255.128
no shut
!
interface Ethernet1
speed 100
duplex full
shutdown
nameif inside
security-level 100
ip address 10.0.2.1 255.255.255.0
no shut
!
interface Ethernet2
speed 100
duplex full
shutdown
nameif dmz
security-level 30
ip address 10.0.1.1 255.255.255.0
no shut
!

global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 69.92.82.129 1

access-list 0 extended permit tcp any host 69.92.82.203 eq www
access-list 0 extended permit tcp any host 69.92.82.203 eq ssh
access-list 0 extended permit icmp any host 69.92.82.203

static (dmz,outside) interface 10.0.1.185 netmask 255.255.255.255
access-group 0 in interface outside

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside

ip local pool testpool 10.0.3.1-10.0.3.100

username tony password xxxxxxxx

crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes

pre-shared-key XXXXXXXX

crypto dynamic-map dyn1 1 set transform-set FirstSet

crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside

When I put in the static command, here is what I get:

static (dmz,outside) interface 10.0.1.185 netmask 255.2$
WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

After which I lose my VPN capabilities.

 
OK, you need to do something like this:
Code:
no access-group 0 in interface outside
no static (dmz,outside) interface 10.0.1.185 netmask 255.255.255.255 

access-list outside_access_in extended permit tcp any host 69.92.82.203 eq www
access-list outside_access_in extended permit tcp any host 69.92.82.203 eq ssh
access-list outside_access_in extended permit tcp any host 69.92.82.203 eq https

access-list nat0_inside extended permit ip 10.0.2.0 255.255.255.0 10.0.3.0 255.255.255.0

access-group outside_access_in in interface outside

nat (inside) 0 access-list nat0_inside

static (dmz,outside) tcp interface www 10.0.1.185 www netmask 255.255.255.255
static (dmz,outside) tcp interface ssh 10.0.1.185 ssh netmask 255.255.255.255
static (dmz,outside) tcp interface https 10.0.1.185 https netmask 255.255.255.255

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Well, that works.. I can VPN in and use the external IP.. but now my VPN users cannot access the servers in the DMZ.
 
then you need to add:
Code:
access-list nat0_dmz extended permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0

nat (dmz) 0 access-list nat0_dmz

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
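The thread fixes the problem in three steps spread over three replies. Below is a consolidated version of the resulting outside/NAT/VPN-exemption configuration, added here as an editor's example; it is not text from either poster. It keeps drumhrd's addressing (69.92.82.203 outside, 10.0.2.0/24 inside, 10.0.1.0/24 DMZ, 10.0.1.185 web server, 10.0.3.0/24 VPN pool) and ColdFlame's object names, and uses PIX 8.0(3) syntax. The `nat (inside) 1` and `nat (dmz) 1` lines are an assumption: the posted config shows `global (outside) 1 interface` but no matching `nat` statements, and dynamic PAT does not work without them. Only TCP/443 is redirected, since that is the service drumhrd said the DMZ host must serve; the thread also opened www and ssh.

```cisco
! --- Added example: consolidated fix, not from the original thread ---

! 1. Remove the interface-wide static. It claims every port on the outside
!    address, so ISAKMP (UDP/500), NAT-T (UDP/4500) and management can no
!    longer terminate on the PIX (the two WARNING lines in the thread).
no static (dmz,outside) interface 10.0.1.185 netmask 255.255.255.255
no access-group 0 in interface outside

! 2. Per-port static PAT instead: only TCP/443 on the outside address is
!    redirected to the DMZ host; every other port stays with the PIX.
static (dmz,outside) tcp interface https 10.0.1.185 https netmask 255.255.255.255

! Inbound ACL. Every line needs a protocol keyword; "permit any host ..."
! without one is rejected by the parser.
access-list outside_access_in extended permit tcp any host 69.92.82.203 eq https
access-group outside_access_in in interface outside

! Dynamic PAT for hosts going out (nat statements are an assumption, see above).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

! 3. NAT exemption so traffic between the VPN pool and the inside and DMZ
!    networks is not translated. nat 0 is matched before the dynamic rules,
!    and each interface that VPN clients must reach needs its own exemption,
!    which is why the DMZ broke after the first fix.
access-list nat0_inside extended permit ip 10.0.2.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nat0_dmz extended permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0
nat (inside) 0 access-list nat0_inside
nat (dmz) 0 access-list nat0_dmz
```

Two points to check after applying something like this. First, a per-port static on the interface address takes that port away from the PIX itself: if ssh or https were also redirected as in the thread, management SSH or ASDM on the outside address would have to move to other ports, and remote management of the firewall from the outside is usually better left disabled or restricted to the VPN. Second, `show xlate` and `show nat` (or `show crypto ipsec sa` after a client connects) confirm that pool-to-inside and pool-to-DMZ flows hit the nat 0 rules rather than the dynamic PAT.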
 