PIX VPN using external addresses

Posted by Nate on September 6, 2005, 8:33 pm
We have a company that has a policy against using internal IPs in their IPSec tunnels. Can someone give me the basic PIX config differences for using the external IPs as opposed to the internals? All of our current tunnels use the internal IPs and several attempts at using the externals haven't gone very well. Thanks in advance.
|
Posted by Heart Key on September 6, 2005, 8:56 pm
M.Ammoura
|
Posted by Walter Roberson on September 6, 2005, 9:25 pm
:We have a company that has a policy against using internal IPs in their
:IPSec tunnels. Can someone give me the basic PIX config differences
:for using the external IPs as opposed to the internals? All of our
:current tunnels use the internal IPs and several attempts at using the
:externals haven't gone very well.

It's not so bad, really.

The first thing is to reconfigure your ACLs to match the traffic to the remote system, in the usual way, just as if it were not tunneled. You can skip this step if you are using sysopt connection permit-ipsec to bypass interface ACL checking for IPSec.

Then put appropriate global and nat statements, or static statements. You might use "policy nat" or "policy static" if you want the translation to be distinct for the VPN.

Then you ensure that the remote network is not matched by your nat 0 access-list ACL.

Next is to configure the ACL for the crypto map match address clause so that the "source" address is the *post-translation* address -- the address the PIX will translate outgoing packets -into-. Set the "destination" address in that ACL to be the pre-translation remote IP -- the IP as would be in flight towards you before it hit your PIX's interface. This is, to be clear, almost always the same as the "just plain" remote IP, and the distinction between whether it is pre-translation or post-translation only matters if you are doing "reverse nat" [or in the odd situation where your VPN is connected to an interface with a -higher- security level than your inside interface.] If you don't know what "reverse nat" is, then what to remember is that the crypto map match address ACL "destination" must be in terms of the external IP addresses of the remote system, not the internal addresses. [Normally it would use the internal addresses, but you're deliberately not using internal addresses ;-) .]

Once the above is done, clear the IPSec SAs and you should be in business.

There's a lot of flexibility in the order you do the steps; the order I chose above was selected to try to minimize vulnerability windows, but if the vultures aren't waiting at the gate then the order almost doesn't matter.

-- "Never install telephone wiring during a lightning storm." -- Linksys
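The steps above laid out as one PIX 6.3 configuration fragment, added here as an illustration; it is not Walter's config and not from the original thread. Every address is an assumption drawn from the RFC 5737 documentation ranges: 10.1.1.0/24 is the local LAN, 203.0.113.0/24 a public block this side owns and presents to the peer, 198.51.100.0/24 the peer's external range, and 198.51.100.1 the peer's outside address. The names outside_cryptomap, nonat, outside_in, outside_map and strong are also made up. The "before" lines show the usual internal-address tunnel for contrast with the external-address one the thread asks about.

```cisco
! ----- Before: tunnel built on the internal addresses (the usual layout) -----
! Assumed: peer LAN 192.168.50.0/24 reachable by its private addresses.
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list outside_cryptomap permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0

! ----- After: tunnel built on the external addresses -----
! 1. Interface ACL in terms of the addresses on the wire, i.e. the peer's
!    external range to OUR public block. Skip if sysopt connection permit-ipsec
!    is set, which bypasses the interface ACL for IPSec-decapsulated traffic.
access-list outside_in permit ip 198.51.100.0 255.255.255.0 203.0.113.0 255.255.255.0
access-group outside_in in interface outside

! 2. Translate the inside LAN to the public block (a net static; policy static
!    would be the per-host variant if only some hosts should be reachable).
!    Ordinary Internet traffic keeps PATing to the outside interface address.
static (inside,outside) 203.0.113.0 10.1.1.0 netmask 255.255.255.0 0 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! 3. The remote network must NOT be in the nat 0 ACL. nat 0 is evaluated before
!    static, so a matching nonat line would send the packets out untranslated
!    and they would never hit the crypto ACL below.
!    (Only the 192.168.50.0 line from the "before" layout is present; do not add
!    a 198.51.100.0 entry here.)

! 4. Crypto ACL: source = POST-translation local addresses (the 203.0.113.0
!    block the PIX translates into), destination = the peer's external range.
access-list outside_cryptomap permit ip 203.0.113.0 255.255.255.0 198.51.100.0 255.255.255.0

crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside

isakmp enable outside
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! 5. Drop the existing SAs so the new selectors are negotiated.
clear ipsec sa
```

The one check worth doing after `clear ipsec sa` is `show crypto ipsec sa`: the local ident of the new SA must be 203.0.113.0/24, not 10.1.1.0/24. If the inside range still appears, a nat 0 entry is matching the remote network ahead of the static, which is exactly the ordering point made in the post.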