08-10-2006 02:50 AM - edited 03-03-2019 04:27 AM
Hi, another company is putting a VPN device into our DMZ. It has an external address on it, and the external addresses are all routed to our PIX firewall. My question is: can we put this VPN device on an external address sitting off the back of the PIX firewall?
08-10-2006 02:56 AM
Hi Carl,
That is certainly possible. Just configure your PIX so that it does not translate the external address that belongs to this VPN device.
Hope that helps - pls do rate the post if it does.
Paresh
08-10-2006 03:39 AM
Thanks Paresh, I gather the interface on this PIX would also have an IP on the same subnet as the external IPs, am I right?
The company have asked us to NAT this address to internal. Is this right? I thought VPN devices would always have an external (real) IP address and not be NATed. What is the normal setup?
Thanks
Carl
08-10-2006 03:44 AM
That's correct. The PIX interface would have to be in the same subnet.
While it is more common to use public IPs for VPN devices, you can certainly also use NAT'ed addresses, by using NAT traversal.
Here's a link that describes NAT traversal on the PIX:
Hope that helps - pls do rate the post if it does.
Paresh
08-10-2006 03:47 AM
Would this VPN device of his have an external card and an internal card, or would it just have 1 and have to reach internal networks via the PIX?
08-10-2006 03:50 AM
I would imagine that it would need at least one internal and one external interface...
Paresh