vpn client on pix dmz interface

Hello,

I am having a problem with terminating a VPN client on a PIX 515E (Version 6.3(4)) on a dmz interface that has a public IP address. I allowed esp and udp 500 (isakmp) from the outside int to the dmz (I even tested with everything allowed). In front of the pix I have an internet router, and the outside int has a private address. That's the reason why I can't terminate the VPN client on the outside int, but it shouldn't be different for the dmz, should it?

The problem is that I am not getting any response from the dmz int; it doesn't start negotiation at all. Any ideas? I will post the config for more details, but it is really strange that I am not getting anything.

Thanks in advance, I would very much appreciate it if someone could give me any idea how to solve this.

Ivana

Ivana Kvaka

I believe that you are trying to do something that cannot be done, at least not with a PIX OS version below 7.0. If you bind your isakmp configuration and crypto map to the dmz interface the PIX will expect those things from the wire, not through the PIX.

By the way: why don't you use the outside interface? A private IP address is not a problem. I have one running with a private address and it is working just fine. The only problem I have found is that depending on your NAT settings you may not be able to initiate tunnels from that PIX. And that requires a very complicated NAT, multi-homing, load balancing, fault tolerant setup with a Nortel Alteon Link Optimizer.

Jyri Korhonen
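As an added illustration of Jyri's point (this is not a config from the thread; the interface names, group name, pool and inside subnet are assumed), the remote-access pieces bound to the outside interface instead of the dmz, with NAT traversal for the router sitting in front of the PIX:

```cisco
! Added example, not from the thread. Assumes interfaces named outside/dmz/inside,
! an IKE group "vpnusers", a 10.10.10.0/24 client pool and 192.168.1.0/24 inside.
!
! Does not work on PIX 6.3: with isakmp and the crypto map bound to dmz, the PIX
! expects IKE/ESP to arrive on that interface from the wire, not from outside
! through the PIX, so nothing is ever negotiated.
!   isakmp enable dmz
!   crypto map vpnmap interface dmz
!
! Working layout: terminate on outside even though it carries a private address.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! NAT traversal (available from 6.3) wraps ESP in UDP 4500, so the router in
! front only has to forward UDP 500 and UDP 4500 to the PIX outside address
! instead of passing raw ESP through its NAT.
isakmp nat-traversal 20
ip local pool vpnpool 10.10.10.1-10.10.10.50
vpngroup vpnusers address-pool vpnpool
vpngroup vpnusers password ********
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside
! Let decrypted client traffic bypass the interface ACLs and exempt it from NAT.
sysopt connection permit-ipsec
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
```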

Yes, you are right... how did you manage to do it with a private address on the outside int? Do you have an internet router in front of the pix that does port forwarding to the pix outside int?

Thanks, Ivana

Ivana Kvaka

Well, basically yes. I have that Nortel ALO box I mentioned in front of the PIX and four internet lines connected to the ALO. This makes me able to use any of those lines to initiate a VPN tunnel to the PIX. Sort of poor man's failover, but then again line failures are far more common than PIX failures.

Jyri Korhonen
