Pix site to site VPN to non-primary IP address

bhoops
Level 1

I'm trying to set up a site to site PIX VPN to an IP address that isn't the exact IP address of the outside interface. I get the following error in the syslog and the VPN cannot connect:

Message=<163>Oct 21 2008 21:14:26: %PIX-3-106011: Deny inbound (No xlate) udp src outside:71.xxx.xxx.xxx/500 dst outside:99.xxx.xxx.xx5/500

I cannot figure out why the error lists both interfaces as Outside even though the PIX should be terminating the VPN.

TIA

-Brian


5 Replies

Farrukh Haroon
VIP Alumni

What do you mean by "isn't the exact IP address"?

Are you trying to establish/terminate a VPN on 'another' interface on the PIX while 'coming through' the 'outside' interface? If so, it won't work!

Regards

Farrukh

We have five static IP addresses with statics to allow them to access specific servers.

Our IP address on the PIX is:

ip address outside 99.xxx.xxx.145 255.255.255.248

VPN is set up as:

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

With the clients setting the peer. If they use the IP address of the outside interface, 99.xxx.xxx.145, they can connect, but if they use 99.xxx.xxx.149 as has been requested they cannot connect, and we see the error in the syslog.

Thanks.

It won't work because the crypto map is applied ON the outside interface. You MIGHT be able to pull this off with some port redirection but I've never done this.

Or terminate VPN on something at the back and do one to one NAT pointing to .149 for that VPN endpoint. You can also just put the .149 on the outside interface.

Regards

Farrukh
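The second option above (terminate the tunnel on a device behind the PIX and map the spare public address to it one-to-one) written out as a PIX 6.x configuration fragment. This is an added illustration, not configuration from the thread or from Cisco; the internal endpoint address 192.168.1.10, the ACL name outside_in, and the peer address taken from the syslog line are assumptions. Because the tunnel is no longer terminated on the PIX, `sysopt connection permit-ipsec` does not exempt it from the inbound ACL, so IKE, NAT-T and ESP have to be permitted explicitly and only from the expected peer:

```cisco
! Outside interface keeps its own address (as posted in the thread)
ip address outside 99.xxx.xxx.145 255.255.255.248

! One-to-one NAT: the spare public .149 maps to the internal VPN device
! (192.168.1.10 is an assumed inside address for this example)
static (inside,outside) 99.xxx.xxx.149 192.168.1.10 netmask 255.255.255.255 0 0

! Inbound ACL: only IKE (UDP/500), NAT-T (UDP/4500) and ESP from the known
! remote peer may reach the mapped address; everything else is dropped
access-list outside_in permit udp host 71.xxx.xxx.xxx host 99.xxx.xxx.149 eq 500
access-list outside_in permit udp host 71.xxx.xxx.xxx host 99.xxx.xxx.149 eq 4500
access-list outside_in permit esp host 71.xxx.xxx.xxx host 99.xxx.xxx.149
access-group outside_in in interface outside
```

With the static in place the PIX has a translation for .149, so the `%PIX-3-106011 Deny inbound (No xlate)` message stops appearing for the peer's UDP/500 packets; if it still shows up, check that the static and the ACL both name the same mapped address and that the inside device is actually listening for IKE.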

I'll probably just change the IP address of the outside interface then. Thanks!

OK, that's great, please let me know how it goes.

Please rate if helpful.

Regards

Farrukh
