Query regarding Cisco documentation

paul
Level 1

I'm trying to configure a simple VPN between two PIX 501s - one with a static IP and one on a cable modem.

The guide entitled "Configuring PIX to PIX Dynamic-to-Static IPSec with NAT and Cisco VPN Client" at http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml seems like a perfect guide to follow for those of us not too au fait with Cisco gear.

Pix1

internal - 10.2.2.1

external - 203.1.1.1

Pix2

internal - 10.1.1.1

external - dhcp

So, I'm reading through the configs and all looks fine until I get to these commands on the Pix with the dynamic IP:

global (outside) 1 204.1.1.10-204.1.1.15

route outside 0.0.0.0 0.0.0.0 204.1.1.2 1

Can someone explain those to me? Why are explicit IP addresses being mentioned on the external interface of this Pix? Aren't they supposed to be dynamic?

The other (static) Pix config has the line:

<--- global (outside) 1 203.1.1.10-203.1.1.15

Is the 204.x.x.x a typo?

What if I don't have multiple external IP addresses - what do I put in the "global (outside) x.x.x.x...." bit on the dynamic Pix?

4 Replies

gfullage
Cisco Employee

The global command IP addresses are what outbound traffic will be NAT'd to as they go out the PIX. I guess theoretically if this PIX is getting a dynamic IP address then you wouldn't expect it to use static IP addresses for NAT'ing, but it's also not incorrect.

Normally, on a dynamically addressed PIX you would use the following for your outbound NAT'ing:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

The "interface" keyword tells the PIX to PAT all outbound traffic to whatever IP address is on the outside interface, which is dynamically obtained.

Keep in mind these two commands have nothing specifically to do with VPN access, they're only used for translating addresses from a higher-security interface (inside) to a lower-security (outside).

Thank you. Just one more question though - on the Pix with the dynamic IP address, there is another command that references a static IP address I'm not completely sure about:

route outside 0.0.0.0 0.0.0.0 204.1.1.2 1

Am I supposed to substitute the 204.1.1.2 with the address I've assigned to the outside interface of the other Pix or with the 'gateway' address assigned to our T1?

Ignore that last reply I made. This is what I'm looking for I think:

ip address outside dhcp setroute
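The two points made above (use `global (outside) 1 interface` rather than a fixed pool when the outside address comes from DHCP, and take the default route from DHCP with `setroute` rather than hard-coding a next hop) can be turned into a quick sanity check of the dynamic-side config before it is pushed. The following is an added example, not code from Cisco or from this thread: a small Python linter that reads just the `ip address`, `nat`, `global` and `route` lines of a PIX 6.x config and flags the two patterns discussed. The sample configs are constructed to mirror the commands quoted in the thread, not taken from the poster's attachments.

```python
"""Lint the NAT/route lines of a PIX whose outside interface is DHCP-assigned.

Added example for this thread (not Cisco's or the poster's own code). Only the
handful of PIX 6.x commands discussed above are parsed; everything else is
ignored. Sample configs below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class PixConfig:
    outside_dhcp: bool = False          # `ip address outside dhcp` seen
    outside_setroute: bool = False      # ... with the `setroute` keyword
    nat_ids: dict = field(default_factory=dict)      # nat id -> [(iface, net, mask)]
    globals_: dict = field(default_factory=dict)     # nat id -> [(iface, pool spec)]
    default_routes: list = field(default_factory=list)  # [(iface, gateway)]


def parse_pix_config(text: str) -> PixConfig:
    """Extract the ip address / nat / global / route lines we care about."""
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        tok = line.split()
        if tok[:2] == ["ip", "address"] and len(tok) >= 4 and tok[2] == "outside":
            if tok[3].lower() == "dhcp":
                cfg.outside_dhcp = True
                cfg.outside_setroute = "setroute" in (t.lower() for t in tok[4:])
        elif tok[0] == "nat" and len(tok) >= 5:
            iface = tok[1].strip("()")
            cfg.nat_ids.setdefault(tok[2], []).append((iface, tok[3], tok[4]))
        elif tok[0] == "global" and len(tok) >= 4:
            iface = tok[1].strip("()")
            cfg.globals_.setdefault(tok[2], []).append((iface, " ".join(tok[3:])))
        elif tok[0] == "route" and len(tok) >= 5 and tok[2] == tok[3] == "0.0.0.0":
            cfg.default_routes.append((tok[1], tok[4]))
    return cfg


def lint_dynamic_outside(cfg: PixConfig) -> list[str]:
    """Return human-readable findings; empty list means the checks passed."""
    findings = []
    if not cfg.outside_dhcp:
        return findings  # these checks only apply to a DHCP-addressed outside
    # 1. A fixed NAT pool on an interface whose address is not fixed.
    for nat_id, entries in cfg.globals_.items():
        for iface, spec in entries:
            if iface == "outside" and spec.lower() != "interface":
                findings.append(
                    f"global (outside) {nat_id} {spec}: fixed pool on a DHCP outside "
                    f"interface; use 'global (outside) {nat_id} interface' (PAT to "
                    "whatever address DHCP hands out)")
    # 2. A hard-coded default gateway that DHCP should be supplying instead.
    for iface, gw in cfg.default_routes:
        if iface == "outside":
            findings.append(
                f"route outside 0.0.0.0 0.0.0.0 {gw}: static default route on a DHCP "
                "outside; use 'ip address outside dhcp setroute' instead")
    if not cfg.default_routes and not cfg.outside_setroute:
        findings.append("no default route at all: add 'setroute' to 'ip address outside dhcp'")
    # 3. Every nat id needs a global on the lower-security side (nat 0 is the
    #    identity/exemption case and takes no global).
    for nat_id in cfg.nat_ids:
        if nat_id != "0" and nat_id not in cfg.globals_:
            findings.append(f"nat id {nat_id} has no matching global")
    return findings


# Constructed sample: the lines as quoted from the guide for the dynamic PIX.
AS_IN_GUIDE = """\
ip address outside dhcp
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 204.1.1.10-204.1.1.15
route outside 0.0.0.0 0.0.0.0 204.1.1.2 1
"""

# Constructed sample: the form recommended in the replies above.
RECOMMENDED = """\
ip address outside dhcp setroute
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

if __name__ == "__main__":
    for name, text in (("as in guide", AS_IN_GUIDE), ("recommended", RECOMMENDED)):
        print(f"== {name}")
        for f in lint_dynamic_outside(parse_pix_config(text)) or ["ok"]:
            print("  ", f)
```

Run it as a script to see the guide's lines produce two findings (the fixed `global` pool and the static `route`) while the `interface`/`setroute` form passes clean. The parser is deliberately narrow: it does not try to validate the crypto map or access lists, only the address-translation and routing lines the thread is about.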

paul
Level 1

I've just been informed that the remote PIX can initiate the VPN tunnel but can't do anything else like map drives or ping hosts on the other side.

The VPN light comes on and I can look back in the local PIX's log to see an active IPSec/IKE tunnel at the same time.

I know it's something remarkably simple but I can't see it. Can anyone help?

The configs are too large to post here, but I'll attach them to this message.