PIX VPN using external addresses

Discussion in 'Cisco' started by Nate, Sep 7, 2005.

  1. Nate

    Nate Guest

    We have a company that has a policy against using internal IPs in their
    IPSec tunnels. Can someone give me the basic PIX config differences
    for using the external IPs as opposed to the internals? All of our
    current tunnels use the internal IPs and several attempts at using the
    externals haven't gone very well.

    Thanks in advance.
     
    Nate, Sep 7, 2005
    #1
    1. Advertisements

  2. Nate

    Heart Key Guest

    you can use the NAT and global comands

    M.Ammoura
     
    Heart Key, Sep 7, 2005
    #2
    1. Advertisements

  3. :We have a company that has a policy against using internal IPs in their
    :IPSec tunnels. Can someone give me the basic PIX config differences
    :for using the external IPs as opposed to the internals? All of our
    :current tunnels use the internal IPs and several attempts at using the
    :externals haven't gone very well.

    It's not so bad, really.

    The first thing is to reconfigure your ACLs to match the traffic
    to the remote system, in the usual way, just as if it were not tunneled.
    You can skip this step if you are using sysopt connection permit-ipsec
    to bypass interface ACL checking for IPSec.

    Then put appropriate global and nat statements, or static statements.
    You might use "policy nat" or "policy static" if you want the
    translation to be distinct for the VPN.

    Then you ensure that the remote network is not matched by your
    nat 0 access-list ACL.

    Next is to configure the ACL for the crypto map match address clause so
    that the "source" address is the *post-translation* address -- the
    address the PIX will translate outgoing packets -into-.

    Set the "destination" address in that ACL to be the pre-translation
    remote IP -- the IP as would be in flight towards you before it hit
    your PIX's interface. This is, to be clear, almost always the same as
    the "just plain" remote IP, and the distinction between whether it is
    pre-translation or post-translation only matters if you are doing
    "reverse nat" [or in the odd situation where your VPN is connected to
    an interface with a -higher- security level than your inside
    interface.]

    If you don't know what "reverse nat" is, then what remember is that the
    crypto map match address ACL "destination" must be in terms of the
    external IP addresses of the remote system, not the internal addresses.
    [Normally it would use the internal addresses, but you're deliberately
    not using internal addresses ;-) .]


    Once the above is done, clear the ipsec sa's and you should be in
    business.

    There's a lot of flexibility in the order you do the steps; the
    order I chose above was selected to try to mimimize vulnerability
    windows, but if the vultures aren't waiting at the gate then
    the order almost doesn't matter.
     
    Walter Roberson, Sep 7, 2005
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.