Additional Static IP address not passing through the PIX 501 to the inside server

Asked by kurtb (United States of America)

Recently I needed to set up an additional external IP address to allow access to a server on the inside of our network. I used static NAT entries and also ACLs in the hope that the traffic would work as expected. I cannot get to the internal server from the outside using the new IP address. Any ideas? The new server on the inside is 192.168.0.25 and on the outside the public IP address is xx.xx.160.179.
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.101 exchange1
name 192.168.0.100 admin1
name 192.168.1.0 JuneHome
name 192.168.0.25 Voicemail
name xx.xx.160.179 Voicemail1
access-list webinside permit tcp any any eq www
access-list webinside permit ip any any
access-list webinside permit udp any any
access-list webinside permit tcp any any
access-list webinside permit icmp any any
access-list outside_in permit ip any any
access-list outside_in permit tcp any any
access-list outside_in permit udp any any
access-list outside_in permit icmp any any
access-list outside_in permit tcp any eq www any eq www
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any host xx.xx.160.178 eq 3389
access-list outside_in permit udp any host xx.xx.160.178 eq 3389
access-list outside_in permit tcp any host Voicemail1 eq www
access-list vpntest_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list vpntest_splitTunnelAcl permit ip JuneHome 255.255.255.0 any
pager lines 24
logging on
logging console critical
logging buffered errors
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.160.178 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.0.50-192.168.0.55
ip local pool test 192.168.50.10-192.168.50.15
pdm location 192.168.0.1 255.255.255.255 inside
pdm location exchange1 255.255.255.255 inside
pdm location admin1 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location JuneHome 255.255.255.0 outside
pdm location Voicemail 255.255.255.255 inside
pdm location Voicemail1 255.255.255.255 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp Voicemail1 www Voicemail www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp exchange1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www exchange1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5633 exchange1 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5634 exchange1 5634 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5634 exchange1 5634 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5633 exchange1 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 exchange1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 admin1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 admin1 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group webinside in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.160.177 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group2
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer xx.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
! Incomplete
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.198.162 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpntest address-pool remote
vpngroup vpntest dns-server admin1 exchange1
vpngroup vpntest default-domain arrow-metals
vpngroup vpntest split-tunnel vpntest_splitTunnelAcl
vpngroup vpntest pfs
vpngroup vpntest idle-time 1800
vpngroup vpntest password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 10
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750


AdamComp:

The command you're looking for is static (inside,outside) (outside IP) (inside IP) netmask 255.255.255.255

so:
static (inside,outside) xx.xx.160.179 192.168.0.25 netmask 255.255.255.255

Of course you need to make your access-list as well to allow appropriate traffic.

kurtb (asker):

It looks like line 70 already has a version of this...

static (inside,outside) tcp Voicemail1 www Voicemail www netmask 255.255.255.255 0 0

Voicemail1 is x.x.160.179 and Voicemail is 192.168.0.25. I just have it passing port 80 traffic through though.
What are you trying to do with the voicemail?
Unless you really need that public IP for other applications on different ports, try NATing the whole IP address (take out the "www" qualifier in the command), then use access-lists to allow only the ports you need.

I know some voicemail configuration websites (like for the Mitel Nupoint Messenger) use https instead of regular http. That would be a different port number (443).

kurtb (asker):

I have checked on the inside of the firewall: 192.168.0.25 is accessible via http and is not enabled for https. The only thing being done with this voicemail system is allowing web access for the vendor to remotely support their product. I have tried NATing the whole IP address with the same results.
Try opening up the whole IP address to test without the "www" qualifier. Test it. If it works, then there is a port that needs to be opened up.

Pugglewuggle:
What AdamComp means is to run a command like this:
static (inside,outside) Voicemail1 Voicemail netmask 255.255.255.255 0 0
And to open all ports on the ACL (be careful!!!) use this:

access-list outside_in permit ip any host Voicemail1
Cheers! Let me know if you have any questions!

kurtb (asker):

I have entered both and I am having the same result. The website that is internal on 192.168.0.25 is not accessible from the Internet on 97.86.160.179. There has got to be something easy that we are not seeing.
What kind of voicemail is it?
Not sure what type of voicemail system it is; all I know is that on the inside of the network, 192.168.0.25 on port 80 brings up a website that asks for credentials. Just curious, why do you ask?
That's interesting.... Did you open the ACL?
Yes I did. I only added to my existing list that was there already.
The reason I ask is that I work on telephone systems and I might be able to ask around about it. I am trained in Mitel and Inter-tel, but I've got friends who have worked on Nortel and Avaya.
techeternal, are you kurtb or another expert?
Hmmm... can you please post your current config so I can see it with changes?

Techeternal is also kurtb. I posted from the wrong account originally. Below is the current config in use.

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.101 exchange1
name 192.168.0.100 admin1
name 192.168.1.0 JuneHome
name 192.168.0.25 Voicemail
access-list webinside permit tcp any any eq www
access-list webinside permit ip any any
access-list webinside permit udp any any
access-list webinside permit tcp any any
access-list webinside permit icmp any any
access-list outside_in permit ip any any
access-list outside_in permit tcp any any
access-list outside_in permit udp any any
access-list outside_in permit icmp any any
access-list outside_in permit tcp any eq www any eq www
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any host xx.xx.160.178 eq 3389
access-list outside_in permit udp any host xx.xx.160.178 eq 3389
access-list outside_in permit ip any host xx.xx.160.179
access-list outside_in permit udp any host xx.xx.160.179 eq www
pager lines 24
logging on
logging console critical
logging buffered errors
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.160.178 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.0.50-192.168.0.55
ip local pool test 192.168.50.10-192.168.50.15
pdm location 192.168.0.1 255.255.255.255 inside
pdm location exchange1 255.255.255.255 inside
pdm location admin1 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location JuneHome 255.255.255.0 outside
pdm location Voicemail 255.255.255.255 inside
pdm location 97.86.160.179 255.255.255.255 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp exchange1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www exchange1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5633 exchange1 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5634 exchange1 5634 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5634 exchange1 5634 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5633 exchange1 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 exchange1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 admin1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 admin1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.160.179 www Voicemail www netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.160.179 Voicemail netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group webinside in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.160.177 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group2
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 24.240.198.162
crypto map outside_map 20 set transform-set ESP-3DES-MD5
! Incomplete
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpntest address-pool remote
vpngroup vpntest dns-server admin1 exchange1
vpngroup vpntest default-domain
vpngroup vpntest pfs
vpngroup vpntest idle-time 1800
vpngroup vpntest password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
vpnclient vpngroup test password ********
terminal width 80
Cryptochecksum:be784a53c3f70b9eef64e88fe985b221
: end
arrowoffice#


ASKER CERTIFIED SOLUTION (AdamComp):
Run:
no static (inside,outside) xx.xx.160.179 Voicemail netmask 255.255.255.255 0 0
This will only translate port 80 for the web server. You must create a new static for each port you want to use. This allows you to use multiple servers on one static IP address. It's called PAT.
Let me know how this works!
Cheers!
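AdamComp's two answers above turn on the same pair of elements: a static translation for the public address (whole-address, or one protocol/port pair as static PAT) and an outside_in entry that permits the traffic. As an added example, not code from the thread or from Cisco, the following Python audit parses name, static and access-list lines in PIX 6.3 syntax and runs the checks an engineer would want on the configs posted here: it flags a global IP that carries both a whole-address static and a port static (the two overlap), lists access-list entries that are shadowed by an earlier broader entry such as the permit ip any any that heads outside_in in every posted config, and reports whether a given public IP and port is both translated and permitted. The sample configs are constructed for the example; 203.0.113.179 is a documentation address standing in for the masked public IP, and the port-keyword table covers only the names that appear on this page.

```python
import re

# Constructed sample in the style of the thread's configs (not the page's full config).
SAMPLE_CONFIG = """\
name 192.168.0.25 Voicemail
access-list outside_in permit ip any any
access-list outside_in permit ip any host 203.0.113.179
access-list outside_in permit udp any host 203.0.113.179 eq www
static (inside,outside) tcp 203.0.113.179 www Voicemail www netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.179 Voicemail netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""
# Constructed hardened variant: one port static plus one port-specific ACE, nothing wider.
HARDENED_CONFIG = """\
name 192.168.0.25 Voicemail
access-list outside_in permit tcp any host 203.0.113.179 eq www
static (inside,outside) tcp 203.0.113.179 www Voicemail www netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110}  # only the keywords used on this page
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\)(?: (tcp|udp) (\S+) (\S+) (\S+) (\S+)| (\S+) (\S+)) netmask", re.M)

def port_num(tok):  # PIX port keyword or number -> int
    return PORT_NAMES.get(tok) or int(tok)

def parse_names(config):  # 'name <ip> <alias>' -> {alias: ip}
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)", config, re.M)}

def parse_statics(config, names):
    """Statics as dicts; a whole-address static has proto, gport and lport set to None."""
    out = []
    for m in STATIC_RE.finditer(config):
        if m.group(3):  # port static (static PAT): one protocol/port pair of gip only
            out.append({"proto": m.group(3), "gip": names.get(m.group(4), m.group(4)),
                        "gport": port_num(m.group(5)), "lip": names.get(m.group(6), m.group(6)),
                        "lport": port_num(m.group(7))})
        else:           # whole-address static: every port of gip maps to lip
            out.append({"proto": None, "gip": names.get(m.group(8), m.group(8)), "gport": None,
                        "lip": names.get(m.group(9), m.group(9)), "lport": None})
    return out

def _addr(toks, i, names):
    """Consume one address spec (any | host X | interface Y | net mask) at toks[i]."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return names.get(toks[i + 1], toks[i + 1]), i + 2
    if toks[i] == "interface":
        return "interface", i + 2
    return names.get(toks[i], toks[i]) + "/" + toks[i + 1], i + 2

def parse_acl(config, names, acl):  # permit/deny entries of one named ACL, in configured order
    aces = []
    for line in config.splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[:2] != ["access-list", acl] or toks[2] not in ("permit", "deny"):
            continue
        src, i = _addr(toks, 4, names)
        sport = None
        if i < len(toks) and toks[i] == "eq":  # optional source port, e.g. 'any eq www'
            sport, i = port_num(toks[i + 1]), i + 2
        dst, i = _addr(toks, i, names)
        dport = port_num(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
        aces.append({"action": toks[2], "proto": toks[3], "src": src, "sport": sport,
                     "dst": dst, "dport": dport})
    return aces

def ace_covers(a, b):
    """True when a matches every packet b matches, so b placed after a can never fire."""
    return ((a["proto"] == "ip" or a["proto"] == b["proto"])
            and a["src"] in ("any", b["src"]) and a["dst"] in ("any", b["dst"])
            and a["sport"] in (None, b["sport"]) and a["dport"] in (None, b["dport"]))

def shadowed_aces(aces):  # indexes of entries that an earlier entry already covers
    return [j for j, b in enumerate(aces) if any(ace_covers(a, b) for a in aces[:j])]

def static_conflicts(statics):  # global IPs with both a whole-address static and a port static
    full = {s["gip"] for s in statics if s["proto"] is None}
    return sorted(full & {s["gip"] for s in statics if s["proto"] is not None})

def exposure(statics, aces, gip, proto, port):
    """(translated, permitted) for gip proto/port from any outside source; first ACE match wins."""
    translated = any(s["gip"] == gip and (s["proto"] is None or
                     (s["proto"], s["gport"]) == (proto, port)) for s in statics)
    for a in aces:
        if (a["src"] == "any" and a["sport"] is None and a["proto"] in ("ip", proto)
                and a["dst"] in ("any", gip) and a["dport"] in (None, port)):
            return translated, a["action"] == "permit"
    return translated, False  # implicit deny at the end of the ACL

def audit(config, acl="outside_in", gip="203.0.113.179"):  # all checks plus 80/443 reachability
    names = parse_names(config)
    statics, aces = parse_statics(config, names), parse_acl(config, names, acl)
    return {"wide_open": [i for i, a in enumerate(aces) if a["action"] == "permit"
                          and a["proto"] == "ip" and a["src"] == "any" and a["dst"] == "any"],
            "shadowed": shadowed_aces(aces),
            "static_conflicts": static_conflicts(statics),
            "http": exposure(statics, aces, gip, "tcp", 80),
            "https": exposure(statics, aces, gip, "tcp", 443)}
```

Calling audit(SAMPLE_CONFIG) reports the wide-open first entry, the two host entries behind it as shadowed, the overlapping statics for 203.0.113.179, and TCP/443 reachable as well as TCP/80 because the whole-address static and permit ip any any together expose every port of the host; audit(HARDENED_CONFIG) reports nothing flagged and only TCP/80 reachable. The shadowing check is the practical point for a thread like this one: with permit ip any any at the top of outside_in, the narrower permits added later do not change what the PIX accepts, so the access-list is not what stands between the Internet and the voicemail host.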
I have removed the below statement. Still no change.

no static (inside,outside) tcp xx.xx.160.179 www Voicemail www netmask 255.255.255.255 0 0
I have also tried re-adding:

static (inside,outside) tcp xx.xx.160.179 www Voicemail www netmask 255.255.255.255 0 0

and then removing:

static (inside,outside) 97.86.160.179 Voicemail netmask 255.255.255.255 0 0

still no change
SOLUTION:
Here is the current running config.

Hopefully someone sees something I have overlooked.

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
 
hostname arrowoffice
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.101 exchange1
name 192.168.0.100 admin1
name 192.168.1.0 JuneHome
name 192.168.0.25 Voicemail
access-list webinside permit tcp any any eq www
access-list webinside permit ip any any
access-list webinside permit udp any any
access-list webinside permit tcp any any
access-list webinside permit icmp any any
access-list outside_in permit ip any any
access-list outside_in permit tcp any any
access-list outside_in permit udp any any
access-list outside_in permit icmp any any
access-list outside_in permit tcp any eq www any eq www
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any host 97.86.160.178 eq 3389
access-list outside_in permit udp any host 97.86.160.178 eq 3389
access-list outside_in permit ip any host 97.86.160.179
access-list outside_in permit udp any host 97.86.160.179 eq www
pager lines 24
logging on
logging console critical
logging buffered errors
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.160.178 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.0.50-192.168.0.55
ip local pool test 192.168.50.10-192.168.50.15
pdm location 192.168.0.1 255.255.255.255 inside
pdm location exchange1 255.255.255.255 inside
pdm location admin1 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location JuneHome 255.255.255.0 outside
pdm location Voicemail 255.255.255.255 inside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp exchange1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www exchange1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5633 exchange1 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5634 exchange1 5634 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5634 exchange1 5634 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5633 exchange1 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 exchange1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 admin1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 admin1 3389 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.160.179 Voicemail netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group webinside in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.160.177 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group2
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer xx.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
! Incomplete
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpntest address-pool remote
vpngroup vpntest dns-server admin1 exchange1
vpngroup vpntest default-domain arrow-metals
vpngroup vpntest pfs
vpngroup vpntest idle-time 1800
vpngroup vpntest password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 10
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

kurtb (asker):

The final resolution for this was to purchase an ASA.
Sorry for the delay in responding.
Thank you for your assistance with this.