03-30-2005 08:22 AM - edited 03-05-2019 11:28 AM
Hello *
I'm slightly confused about our new PIX 515. The device must respond to three outside IP addresses (three different IPsec tunnels). But I can't manage to create new interfaces on ethernet0. Either they are created with VLAN ID 1, or PDM complains about two IP addresses being from the same subnet.
What am I doing wrong here? How can I use three IP addresses on "outside"? Or maybe three IPsec tunnel endpoints with different IP addresses?
Or is it really impossible to have more than one IP address on an interface? I was assuming it is as easy as with Linux or Windows.
Sebastian Koerner
03-31-2005 12:17 AM
You can use more than one IP address on the outside interface. In fact, you may use all addresses that fall within the specified subnet. You can use these addresses for NAT or static xlate definitions.
There is, however, no reason to use different addresses to terminate VPN tunnels. Normally, you should terminate them all on the configured outside address.
Regards,
Leo
03-31-2005 12:45 AM
Hello Leo,
thanks for your reply. I read from your post that the PIX 515 will accept all addresses from the assigned pool on the interface and use them for address translation. Maybe I can also receive IPsec packets on these addresses and terminate the VPN there. But I think the PIX 515 will send IPsec packets with the IP address of the physical interface, right? Then I HAVE to use the interface IP address to terminate the VPN, because the other peer will not accept packets from a different address? (Meaning: I can't configure a pool address to be the IPsec peer address.)
Best regards
Sebastian Koerner
03-31-2005 02:16 AM
What I said was that you can use all addresses in the subnet that you are on. When this is a /30, there is not too much available; on a /29 or shorter you would have some addresses available. Some of these addresses can be allocated to an IP address pool. You can also use them for port forwarding, for example to make your web server available to the outside world. This is done with the -static- command.
By using the (required) command -isakmp enable outside-, you state that you are using the outside interface for IPsec. You may tell a peer to accept more than one address by using a wildcard in the
isakmp key ******** address x.x.x.x netmask 255.255.255.x
but still you should list the correct peer in the crypto map: crypto map central 10 set peer
Regards,
Leo
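As an added illustration (not Leo's or Sebastian's configuration), a PIX 6.x fragment assuming a /29 on the outside interface and three peers with constructed documentation addresses: all three tunnels terminate on the single interface address, while a spare address from the subnet is used only by a static for port forwarding.

```cisco
! Constructed PIX 6.x fragment; addresses are RFC 5737/1918 documentation ranges
! The outside interface has exactly one address; the /29 leaves spare ones
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0

! A spare address from the /29 is used with -static- for port forwarding only
static (inside,outside) 203.0.113.3 10.0.0.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-group outside_in in interface outside

! Traffic to the three remote LANs is exempt from NAT and selects each tunnel
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list nonat
access-list vpn_site1 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_site2 permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn_site3 permit ip 10.0.0.0 255.255.255.0 192.168.3.0 255.255.255.0

! IKE on the outside interface: all three tunnels terminate on 203.0.113.2
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! One pre-shared key per peer; a /32 netmask binds it to exactly that peer
! (replace ******** with a distinct key for each peer)
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp key ******** address 198.51.100.2 netmask 255.255.255.255
isakmp key ******** address 198.51.100.3 netmask 255.255.255.255

crypto ipsec transform-set strong esp-3des esp-sha-hmac
! One crypto map entry per peer, all bound to the single outside address
crypto map central 10 ipsec-isakmp
crypto map central 10 match address vpn_site1
crypto map central 10 set peer 198.51.100.1
crypto map central 10 set transform-set strong
crypto map central 20 ipsec-isakmp
crypto map central 20 match address vpn_site2
crypto map central 20 set peer 198.51.100.2
crypto map central 20 set transform-set strong
crypto map central 30 ipsec-isakmp
crypto map central 30 match address vpn_site3
crypto map central 30 set peer 198.51.100.3
crypto map central 30 set transform-set strong
crypto map central interface outside
sysopt connection permit-ipsec
```

Each remote peer is configured with 203.0.113.2 as its peer address; 203.0.113.3 never appears in any crypto or isakmp statement, which is the point Leo makes about keeping VPN termination on the interface address.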