cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
416
Views
0
Helpful
3
Replies

PIX 515 no two IP-adresses on outside possible ?

Hello *

I'm slightly confused about our new PIX 515. The device must response to three outside IP-Adresses (three different ipsec tunnels). But I can't get to create new interfaces on ethernet0. Either they are created with VLAN ID 1 or PDM complains of two IP-Adresses beeing from the same subnet.

What am I doing wrong here? How can I use three IP-Adresses on "outside"? Or maybe three ipsec tunnel-endpoints with different IP-Adresses?

Or is it really impossible to have more that one IP-Adress on an interface? I was assuming it is as easy as with Linux or Windows.

Sebastian Koerner

3 Replies 3

lgijssel
Level 9
Level 9

You can use more than one ip adress on the outside interface. In fact, you may use all adresses that fall within the specified subnet. You can use these adresses for NAT or static-xlate definitions.

There is however no reason to use different adresses to terminate vpn tunnels. Normally, you should terminate them all on the configured outside adress.

Regards,

Leo

Hell Leo,

thanks for your reply. I read from your post that the PIX515 will accept all Adresses from the assigned pool on the interface and use them for Address-Translation. Maybe I can also receive ipsec packets to these adresses and terminate the VPN here. But I think the PIX515 will send ipsec packets with the IP-address from the physical interface, right? Then I HAVE to use the interface IP-Address to terminate the VPN because the other peer will not accept packets from a different Address? (Means: I can't configure a pool-Address to be the IPSEC Peer-Address)

Best regards

Sebastian Koerner

What I said was that you can use all adresses in the subnet that you are on. When this is a /30, there is not too much available, on a /29 or less you would have some adresses available. Some of these adresses can be allocated to an IP adress pool. You can also use them for port forwarding, for example to make your webserver available to the outside world. This is done with the -static- command.

By using the (required) command: -isakmp enable outside-, you state that you are using the outside interface for ipsec. You may tell a peer to accept more than one adress by using a wildcard in the

isakmp key ******** address x.x.x.x netmask 255.255.255.x

but still you should list the correct peer in the crypto map: crypto map central 10 set peer

Regards,

Leo

Review Cisco Networking for a $25 gift card