PIX 525 IPSEC Multiple Interfaces

gresko36
Level 1

On my outside interface is a T1. On intf3 I have a cable modem. Is it possible to have IPsec connections terminate on both interfaces? Ex. I would like certain connections to use the outside interface and others to use intf3. I have tried setting up an IPsec connection on intf3, and when I watch the debug on the remote side it shows the connection initiating from the outside address. Any hints or a good example?

2 Replies

gfullage
Cisco Employee

You can do this, but you're probably going to run into routing issues if these are VPN client connections.

Enabling/configuring crypto on two interfaces is as simple as creating two crypto maps and applying one on the outside int and one on the intf3. You also need to make sure you enable isakmp on both interfaces.

The problem is that let's say you have a VPN device on the Internet connecting to the crypto map on intf3. No problem, until the PIX tries to send traffic back over this tunnel. The PIX is first of all going to check its routing table to see what interface it needs to send this packet. Usually the default route points out the outside int, so that's where the PIX sends it in lieu of a more specific route. The PIX then sees there's a crypto map applied to the outside int, and it checks if the packet needs to be encrypted based on the crypto map applied ONLY to this interface. It doesn't match any of the parameters of the crypto map, and so the packet is sent out in the clear to the Internet. From behind your remote VPN device you never get a response back to your traffic.

Now, if these are all static remote devices with static IP addresses, you can add static routes in the PIX for their IP addresses (and for their internal subnets) and point them out the appropriate interface (either outside or intf3). Basically whatever interface the traffic comes in on, or said another way, whichever interface the VPN tunnel terminates on, you have to ensure that the return traffic goes back out the same interface. Only then will it hit the same crypto map and be encrypted.

If these are VPN client connections, then you're in trouble because you're not going to know what IP address they're going to have, and therefore you can't add static routes for them.

If you have a combination of VPN client and static LAN-to-LAN tunnels, then this will work by having all the VPN clients connect to the outside interface IP, and having all the static devices point to the intf3 address. You can then have static routes for all the static devices pointing out intf3, and a default route pointing out the outside int that the VPN clients' traffic will use. There's even a sample config of this here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080103ed0.shtml

In particular look at the config of the PIX called "snow".
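A PIX 6.x-style configuration fragment of the arrangement described in this answer (VPN clients on the outside interface, one static LAN-to-LAN peer on intf3), added here as an illustration; it is not taken from the thread or from the linked Cisco document. Interface names follow the question; all addresses, ACL and map names are constructed placeholders, and the `!` lines are explanatory annotations rather than PIX commands.

```text
! --- ISAKMP must be enabled on BOTH interfaces (outside = T1, intf3 = cable) ---
isakmp enable outside
isakmp enable intf3
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Constructed peer: the static LAN-to-LAN device that terminates on intf3
isakmp key ******** address 198.51.100.5 netmask 255.255.255.255

crypto ipsec transform-set strong esp-3des esp-sha-hmac

! --- Crypto map for intf3: static peer with 192.168.50.0/24 behind it ---
access-list l2l_intf3 permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
crypto map intf3_map 10 ipsec-isakmp
crypto map intf3_map 10 match address l2l_intf3
crypto map intf3_map 10 set peer 198.51.100.5
crypto map intf3_map 10 set transform-set strong
crypto map intf3_map interface intf3

! --- Crypto map for outside: VPN clients via a dynamic map ---
! (vpngroup / ip local pool client settings omitted; they do not affect routing)
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside

! --- Keep tunnel traffic out of NAT ---
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- Routing is what makes the intf3 tunnel work in BOTH directions ---
! Default route out the T1 carries replies to VPN clients (unknown addresses).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Without the next two routes, replies to the intf3 peer follow the default
! route, are checked only against outside_map, match nothing, and leave in
! the clear. Pin the peer AND its inside subnet to the intf3 next hop.
route intf3 198.51.100.5 255.255.255.255 192.0.2.1 1
route intf3 192.168.50.0 255.255.255.0 192.0.2.1 1

sysopt connection permit-ipsec
```

After bringing the tunnel up, `show crypto ipsec sa` on the PIX should show the intf3 peer's encaps and decaps counters both incrementing; decaps rising while encaps stays at zero is the symptom of return traffic taking the wrong interface.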

Great explanation Gfullage...