Cisco Support Community

New Member

Pix site to site VPN to non-primary IP address

I'm trying to set up a site to site PIX VPN to an IP address that isn't the exact IP address of the outside interface. I get the following error in the syslog and the VPN cannot connect:

Message=<163>Oct 21 2008 21:14:26: %PIX-3-106011: Deny inbound (No xlate) udp src outside:71.xxx.xxx.xxx/500 dst outside:99.xxx.xxx.xx5/500

I cannot figure out why the error lists both interfaces as Outside even though the PIX should be terminating the VPN.

TIA

-Brian


5 REPLIES

Re: Pix site to site VPN to non-primary IP address

What do you mean by "isn't the exact IP address"?

Are you trying to establish/terminate a VPN on 'another' interface on the PIX while 'coming through' the 'outside' interface? If so, it won't work!

Regards

Farrukh

New Member

Re: Pix site to site VPN to non-primary IP address

We have five static IP addresses with statics to allow them to access specific servers.

Our IP address on the PIX is:

ip address outside 99.xxx.xxx.145 255.255.255.248

VPN is set up as:

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

With the clients setting the peer. If they use the IP address of the outside interface, 99.xxx.xxx.145, they can connect, but if they use 99.xxx.xxx.149, as has been requested, they cannot connect, and we see the error in the syslog.

Thanks.

Re: Pix site to site VPN to non-primary IP address

It won't work because the crypto map is applied ON the outside interface. You MIGHT be able to pull this off with some port redirection, but I've never done this.

Or terminate the VPN on something at the back and do one-to-one NAT pointing to .149 for that VPN endpoint. You can also just put the .149 on the outside interface.

Regards

Farrukh
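A small triage script for the 106011 message discussed in this thread, added here as an example and not part of any post above. The log lines and addresses in it are constructed (RFC 5737 documentation ranges), and the set of PIX interface addresses is an assumption; it flags IKE packets (UDP/500 or 4500) denied with "No xlate" toward an address that is not one of the PIX's own interface addresses, which is the symptom Brian reported when peers used .149 instead of .145.

```python
import re

# Message 106011 as it appears in this thread:
# "%PIX-3-106011: Deny inbound (No xlate) udp src outside:A/500 dst outside:B/500"
PIX_106011 = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T

# Constructed sample syslog lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOGS = [
    "<163>Oct 21 2008 21:14:26: %PIX-3-106011: Deny inbound (No xlate) udp "
    "src outside:192.0.2.10/500 dst outside:198.51.100.149/500",
    "<163>Oct 21 2008 21:14:30: %PIX-3-106011: Deny inbound (No xlate) tcp "
    "src outside:192.0.2.20/51234 dst outside:198.51.100.147/80",
]
# Assumed: the PIX's own interface addresses (the thread's outside address is .145).
INTERFACE_IPS = {"198.51.100.145"}


def parse_106011(line):
    """Return the fields of a 106011 message as a dict, or None if the line is not one."""
    m = PIX_106011.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["src_port"], entry["dst_port"] = int(entry["src_port"]), int(entry["dst_port"])
    return entry


def classify(entry, interface_ips):
    """Say why the PIX dropped the packet instead of terminating it locally."""
    if entry["proto"] != "udp" or entry["dst_port"] not in IKE_PORTS:
        return "not-ike"
    if entry["dst_ip"] in interface_ips:
        return "ike-to-interface"
    if entry["src_if"] == entry["dst_if"]:
        # Peer aimed IKE at a static/routed address on the same interface, so the
        # PIX treats it as through traffic and fails the xlate lookup.
        return "ike-to-non-interface-address"
    return "other"


def find_misrouted_ike(lines, interface_ips):
    # (src, dst) pairs for IKE traffic that will never reach the crypto map.
    hits = []
    for line in lines:
        entry = parse_106011(line)
        if entry and classify(entry, interface_ips) == "ike-to-non-interface-address":
            hits.append((entry["src_ip"], entry["dst_ip"]))
    return hits
```

Any pair it reports is a peer configured against one of the static addresses rather than the interface address that carries the crypto map.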

New Member

Re: Pix site to site VPN to non-primary IP address

I'll probably just change the IP address of the outside interface then. Thanks!

Re: Pix site to site VPN to non-primary IP address

Ok, that's great, please let me know how it goes.

Please rate if helpful.

Regards

Farrukh
