Going on with PIX questions.

Say I have a remote site, chosen to be the VPN endpoint with my PIX.

Say my PIX has 2 of its interfaces (A and B) with IPs belonging to 2 different ISPs, so different ranges. Say A is the main interface (the workstations behind the inside are NAT'd using its IP) and the web server is reachable with the IP of that interface.

Say I want to terminate the VPN we talked about above on interface B. Will the remote site be able to reach the web server? Think about the set of rules needed by the PIX to build the VPN between the internal LAN and the remote LAN and answer the question.

IMHO the web server won't be reached.

What do you think?

Alex.

AM

Hi,

The question is ambiguous enough! Are you talking about having 2 interfaces to the "outside world" (Internet)? If you do, it means that you have a serious security violation in your topology: the only interface through which the PIX must communicate with the Internet is the outside int. (with security level=0).

In this case you can manage these 2 links to the ISPs through a border router with an Ethernet int. connected to the PIX outside interface; then you can do what you want: terminate a VPN tunnel in the PIX, hide your internal LAN behind the outside PIX int. IP, and have access to your web server using one-to-one static translation.

AJN

OK, security issues apart, will it work or won't it?

Thanks,

Alex

AM

What I can say is that you can use the outside interface IP to hide your LAN (as dynamic PAT in the "global" command) and at the same time use static PAT (only static PAT) to access your internal server.

And about the VPN end point: as you will only receive requests to your internal server, you can create a crypto ACL (in the remote) in which you specify traffic from the remote LAN to your server's local IP, with your PIX global IP as the IKE peer address. In your PIX you create a mirrored VPN policy to enable server responses.

AJN
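The design AJN describes in the last reply (dynamic PAT on the outside interface, static PAT for the web server, a NAT exemption for the tunnel traffic, and a crypto ACL that mirrors the remote site's), written out as a PIX 6.3 configuration fragment. This is an added example, not configuration from the thread; all addresses, ACL and map names, and the pre-shared key are constructed placeholders.

```cisco
! Assumed addressing (constructed for this example):
!   inside LAN       10.0.0.0/24, web server 10.0.0.10
!   outside (ISP A)  203.0.113.2, also the IKE peer address the remote site uses
!   remote LAN       192.168.1.0/24 behind remote peer 198.51.100.2
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0

! Dynamic PAT: the whole inside LAN hides behind the outside interface address
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0

! Static PAT: only TCP/80 on the outside address is forwarded to the web server,
! and only that port is opened from the Internet
static (inside,outside) tcp interface 80 10.0.0.10 80 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.2 eq 80
access-group outside_in in interface outside

! NAT exemption: server-to-remote-LAN traffic must keep its local address,
! otherwise it would be PAT'd and never match the crypto ACL below
access-list nonat permit ip host 10.0.0.10 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Crypto ACL, the mirror image of the remote site's "remote LAN -> server" ACL
access-list vpn_to_remote permit ip host 10.0.0.10 192.168.1.0 255.255.255.0

! IKE phase 1 (PLACEHOLDER_PSK stands in for a real pre-shared key)
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IPsec phase 2 and the crypto map, bound to the same interface that carries
! the server's static translation
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto map remote_site 10 ipsec-isakmp
crypto map remote_site 10 match address vpn_to_remote
crypto map remote_site 10 set peer 198.51.100.2
crypto map remote_site 10 set transform-set strong
crypto map remote_site interface outside
sysopt connection permit-ipsec
```

In relation to Alex's original question, note that the crypto map, the nat 0 exemption and the server's static translation all hang off one outside interface here; terminating the tunnel on a second ISP-facing interface would split these across two interfaces.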
