PIX VPN termination

Discussion in 'Cisco' started by Cen, Sep 2, 2005.

  1. Cen

    Cen Guest

    Hi,
    I have a few ranges of public IP addresses.
    Say, for example, 202.1.1.1 - 202.1.1.4, 203.1.1.1-203.1.1.4
    A PIX is used as edge to the Internet. My questions are:
    - how do I utilise the 2 IP addresses, since they're from different subnets.
    If I assign the PIX outside interface as 202.1.1.1, only the 202.x.x.x range
    will be used, leaving 203.x.x.x unused.
    - is it possible to have VPN terminated using multiple IP addresses? What if
    I want users from the Internet to VPN into 202.1.1.1 and 202.1.1.3?

    TIA.
    Cen, Sep 2, 2005
    #1

  2. In article <df819m$11v9$>,
    Cen <> wrote:
    :I have a few ranges of public IP addresses.
    :Say, for example, 202.1.1.1 - 202.1.1.4, 203.1.1.1-203.1.1.4
    :A PIX is used as edge to the Internet. My questions are:
    :- how do I utilise the 2 IP addresses, since they're from different subnets.
    :If I assign the PIX outside interface as 202.1.1.1, only the 202.x.x.x range
    :will be used, leaving 203.x.x.x unused.

    You go ahead and assign statics or global statements that
    reference the additional IP address ranges, and you ensure that
    your WAN router routes the additional ranges to the PIX outside IP.

    The PIX will handle traffic -through- it for an indefinite number
    of different subnets. It will proxy-arp for the additional IPs too,
    if you don't have that turned off, and if you are not using
    nat 0 access-list. It is, though, better if you can do an explicit
    route to the device instead of relying on proxy-arp.

    Oh, and ensure you have a 'route' statement that points to your LAN
    router to handle the additional IP ranges. Or use a logical interface
    (802.1Q VLAN) on the inside.


    :- is it possible to have VPN terminated using multiple IP addresses?

    Only if you have multiple physical interfaces, in PIX 6.x.
    If I recall correctly, you cannot terminate a VPN on a "logical
    interface" (VLAN) in 6.x (it might be possible in 7.0.)

    :What if
    :I want users from the Internet to VPN into 202.1.1.1 and 202.1.1.3?

    The internal IP range that your users are attempting to reach does not have
    to have anything to do with the public IP range. You could number
    your internal ranges as 10.200/16 and your users would be able to
    reach your hosts, as long as their VPN client knows to send the
    encapsulated packets to your single public IP.

    I have two public class C's (one fragmented into several subnets) and
    several internal private /24's and an internal private /16, and my
    VPN users can get to all of the above that I permit access to, all
    with just a single public IP handling the VPN connections.
    --
    "[...] it's all part of one's right to be publicly stupid." -- Dave Smey
    Walter Roberson, Sep 2, 2005
    #2
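An added configuration example (not from the thread, and not Cisco's own documentation) showing the static/global/route pieces the reply above describes, in PIX 6.x syntax. The interface addresses, the /29 masks on both public ranges, the inside 10.200.0.0/16 network, the LAN router at 10.1.1.2 and the WAN router at 202.1.1.6 are all assumptions; VPN termination is left out, since the reply says 6.x only terminates on one outside address anyway.

```cisco
! Added example, not from the thread. Assumptions: 202.1.1.0/29 is the
! subnet the outside interface lives in; 203.1.1.0/29 is the second
! public range, reachable only because the WAN router routes it to us.

! Outside interface is numbered only from the first public range
ip address outside 202.1.1.1 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0

! Default route to the ISP/WAN router (assumed 202.1.1.6)
route outside 0.0.0.0 0.0.0.0 202.1.1.6 1
! Route to the LAN router for the internal /16, so the PIX knows
! where to deliver traffic destined for hosts behind the statics
route inside 10.200.0.0 255.255.0.0 10.1.1.2 1

! Outbound NAT: draw global addresses from the SECOND range even
! though the outside interface itself is not numbered in it
nat (inside) 1 10.200.0.0 255.255.0.0 0 0
global (outside) 1 203.1.1.2-203.1.1.5 netmask 255.255.255.248

! Inbound: one address of the second range mapped to an internal server
static (inside,outside) 203.1.1.1 10.200.1.10 netmask 255.255.255.255 0 0

! Least privilege at the edge: a static alone opens nothing; only the
! port the server needs is permitted, everything else is dropped and logged
access-list outside_in permit tcp any host 203.1.1.1 eq 443
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! Prefer an explicit route upstream over proxy-ARP, as the reply
! suggests; once the WAN router has
!   ip route 203.1.1.0 255.255.255.248 202.1.1.1   (IOS, assumed)
! the PIX no longer needs to answer ARP for the second range
sysopt noproxyarp outside
```

Check the result with `show xlate` and `show arp` from the PIX: translations should appear for 203.1.1.x addresses, and the outside ARP table should hold only the WAN router after proxy-ARP is disabled.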