Pix site to site VPN to non-primary IP address

Answered Question
Oct 21st, 2008

I'm trying to set up a site to site PIX VPN to an IP address that isn't the exact IP address of the outside interface. I get the following error in the syslog and the VPN cannot connect:


Message=<163>Oct 21 2008 21:14:26: %PIX-3-106011: Deny inbound (No xlate) udp src outside:71.xxx.xxx.xxx/500 dst outside:99.xxx.xxx.xx5/500


I cannot figure out why the error lists both interfaces as Outside even though the PIX should be terminating the VPN.


TIA

-Brian

Farrukh Haroon Tue, 10/21/2008 - 22:04

What do you mean by "isn't the exact IP address"?


Are you trying to establish/terminate a VPN on 'another' interface on the PIX, while 'coming through' the 'outside' interface? If so, it won't work!


Regards


Farrukh

bhoops Wed, 10/22/2008 - 04:07

We have five static IP addresses with statics to allow them to access specific servers.


Our IP address on the PIX is:

ip address outside 99.xxx.xxx.145 255.255.255.248


VPN is set up as:

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0


The clients set the peer address. If they use the IP address of the outside interface, 99.xxx.xxx.145, they can connect, but if they use 99.xxx.xxx.149, as has been requested, they cannot connect and we see the error in the syslog.


Thanks.

Correct Answer
Farrukh Haroon Wed, 10/22/2008 - 04:12

It won't work because the crypto map is applied ON the outside interface. You MIGHT be able to pull this off with some port redirection, but I've never done this.


Or terminate the VPN on something at the back and do one-to-one NAT pointing to .149 for that VPN endpoint. You can also just put the .149 on the outside interface.


Regards


Farrukh
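Reading the denied line in the original question: the PIX only terminates IKE/IPsec on addresses it owns, and 99.xxx.xxx.149 is not one of them. The packet arrives on outside, a route lookup for .149 lands in the directly connected outside subnet (hence "src outside ... dst outside"), and because no translation (xlate) exists for that address the firewall drops it with %PIX-3-106011. The following configuration fragment is an added example illustrating the one-to-one NAT option from the answer above; it is not the poster's or Farrukh's configuration. It uses PIX 6.3 syntax to match the commands shown in the thread and assumes a hypothetical inside VPN device at 192.168.1.10 and the remote peer address from the syslog line.

```cisco
! Added example (PIX 6.3 syntax), not configuration from this thread.
! Assumed: outside interface 99.xxx.xxx.145/29 as posted; .149 is a spare
! public address in that block; 192.168.1.10 is a hypothetical inside VPN
! device; 71.xxx.xxx.xxx is the remote peer seen in the syslog line.

! Option A: terminate the tunnel on an inside device behind a static NAT.
! The static makes the PIX answer for .149 and gives the inbound packet
! the xlate it was missing.
static (inside,outside) 99.xxx.xxx.149 192.168.1.10 netmask 255.255.255.255 0 0

! Permit only IPsec traffic from the known peer to the translated address:
! IKE (UDP/500), ESP (IP protocol 50) and, if the peers negotiate it,
! NAT-T (UDP/4500). Nothing else reaches the inside device.
access-list outside_in permit udp host 71.xxx.xxx.xxx host 99.xxx.xxx.149 eq isakmp
access-list outside_in permit esp host 71.xxx.xxx.xxx host 99.xxx.xxx.149
access-list outside_in permit udp host 71.xxx.xxx.xxx host 99.xxx.xxx.149 eq 4500
access-group outside_in in interface outside

! No crypto map is applied to this flow; the PIX simply forwards it. The
! existing crypto map on the outside interface keeps serving peers that
! use .145 directly.

! Option B (what the poster chose): make .149 the interface address so the
! PIX itself owns it and the existing crypto map terminates the tunnel.
! ip address outside 99.xxx.xxx.149 255.255.255.248
```

One caveat with Option A: the inside device will present its own (private) address as its IKE identity by default, while the remote peer is configured for 99.xxx.xxx.149, so the remote side must accept that identity (a wildcard pre-shared key, as in the posted isakmp key line, or a hostname-based identity). Option B avoids this entirely, which is why changing the interface address is the simpler fix when the address is free.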

bhoops Wed, 10/22/2008 - 04:36

I'll probably just change the IP address of the outside interface then. Thanks!

Farrukh Haroon Wed, 10/22/2008 - 04:57

OK, that's great; please let me know how it goes.


Please rate if helpful.


Regards


Farrukh
