10-20-2006 11:39 AM - edited 02-21-2020 01:15 AM
Hello,
I have ISP--Outside_Router--ASA. The subnet between the Outside_Router is private subnet 192.168.0.0/30. However, for all my NAT/PAT I am using public IPs.
Now we need to set up a VPN tunnel from the PIX to a remote office. How can I do that? I mean, since I have a private IP address on the outside interface of the PIX, I won't be able to terminate the VPN tunnel on the private IP address. Any ideas?
Regards,
10-20-2006 11:39 AM
I have ISP--Outside_Router--ASA. The subnet between the Outside_Router and the PIX outside interface is private subnet 192.168.0.0/30. However, for all my NAT/PAT I am using public IPs.
Now we need to set up a VPN tunnel from the PIX to a remote office. How can I do that? I mean, since I have a private IP address on the outside interface of the PIX, I won't be able to terminate the VPN tunnel on the private IP address. Any ideas?
10-23-2006 07:19 AM
You might be able to perform a NAT for the outside interface of the PIX on the router. Generally, NAT and VPNs do not play nice. Otherwise you may need to get additional public IP addresses from your ISP, so you can assign one to the outside interface of your PIX.
10-24-2006 02:27 AM
If your ISP is doing static NAT to the IP of the PIX and you use only ESP in IPSec for the encryption payload (don't use AH), it will work. Just configure the crypto as normal and put the public IP (NATed by your ISP) in the other peer.
Emilio
10-21-2006 11:31 AM
I've been asking myself the same question.
As far as I know, there is no equivalent to:
"crypto map MYMAP local-address loopbackX"
on a PIX. (I've only worked with 6.3(5) code and below).
In fact, I "think" that you can't even configure a loopback interface on a PIX.
Also, as far as I know, you couldn't configure a secondary IP on a PIX interface (this secondary IP could have public addressing but still the issue would be how to make this public address to become the local-ID for the crypto map).
If you find the answer please post it here, it seems that many of us share the same question.
Regards;
Diego
10-24-2006 08:10 AM
m-haddad,
You can set up the R. with both IPSec VLAN & NAT. I'm using this on a Cisco 877 R. which is doing NAT & VPN and is connected to an ASA with private IPs.
But you need to exclude the traffic from your LAN to the IPSec VPN clients from the NAT list.
Thanks
Abd Alqader