10-21-2008 06:26 PM - edited 03-11-2019 07:00 AM
I'm trying to set up a site to site PIX VPN to an IP address that isn't the exact IP address of the outside interface. I get the following error in the syslog and the VPN cannot connect:
Message=<163>Oct 21 2008 21:14:26: %PIX-3-106011: Deny inbound (No xlate) udp src outside:71.xxx.xxx.xxx/500 dst outside:99.xxx.xxx.xx5/500
I cannot figure out why the error lists both interfaces as Outside even though the PIX should be terminating the VPN.
TIA
-Brian
Solved! Go to Solution.
10-22-2008 04:12 AM
It wont work because the crypto map is applied ON the outside interface. You MIGHT be able to pull this off with some port redirection but I've never done this.
Or terminate VPN on something at the back and do one to one nat pointing to .149 for that vpn endpoint. You can also just put the .149 n the outside interface.
REgards
Farrukh
10-21-2008 10:04 PM
What do you mean by "isn't the exact IP address"?
Are you trying to establish/terminate a VPN on 'another' interface on the PIX? while 'coming through' the 'outside' interface? If so..it won't work!
Regards
Farrukh
10-22-2008 04:07 AM
We have five static IP addresses with statics to allow them to access specific servers.
Our IP address on the PIX is:
ip address outside 99.xxx.xxx.145 255.255.255.248
VPN is set up as:
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
With the clients setting the peer. If they use the IP address of the outside interface, 99.xxx.xxx.145 they can connect, but if they use 99.xxx.xxx.149 as has been requested they cannot connect, and we see the error in the syslog.
Thanks.
10-22-2008 04:12 AM
It wont work because the crypto map is applied ON the outside interface. You MIGHT be able to pull this off with some port redirection but I've never done this.
Or terminate VPN on something at the back and do one to one nat pointing to .149 for that vpn endpoint. You can also just put the .149 n the outside interface.
REgards
Farrukh
10-22-2008 04:36 AM
I'll probably just change the IP address of the outside interface then. Thanks!
10-22-2008 04:57 AM
Ok thats great, please let me know how it goes.
Please rate if helpful.
Regards
Farrukh
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide