Cisco Support Community
Community Member

VPN assistance - tricky? pix only has private IPs

I have a situation where I need to set up my PIX to handle VPN.

Currently the PIX only has private IPs assigned to its interfaces. It passes a class C public through it.

Example:

Router Outside:4.4.4.1

Router Inside: 10.1.1.1

Firewall outside: 10.1.1.2

Firewall inside: 10.1.2.1

Public class C: 5.5.5.0 /24

We generally NAT each service to a port on a machine on the inside network, so we have had no reason to have direct access to the firewall from outside (no SSH etc.).

How do I set up my PIX to take one of the 5.5.5.x addresses and use it to allow VPN?

(I've set up VPN plenty, but always had a public IP on the outside interface.)

Thank you!

2 REPLIES
Green

Re: VPN assistance - tricky? pix only has private IPs

Do the translation in your outside router from 5.5.5.x to 10.1.1.2.

Community Member

Re: VPN assistance - tricky? pix only has private IPs

Did it.

Now I get this message:

crypto_isakmp_process_block:src:5.5.5.5, dest:10.0.32.10 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 28800

ISAKMP: life type in kilobytes

ISAKMP: life duration (VPI) of 0xff 0xff 0xff 0xff

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:5.5.5.5, dest:10.0.32.10 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 5.5.5.5/500 not found - peers:0

ISAKMP: larval sa found

crypto_isakmp_process_block:src:5.5.5.5, dest:10.0.32.10 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 5.5.5.5/500 not found - peers:0

ISAKMP: larval sa found

ISAKMP (0): retransmitting phase 1 (0)...

ISAKMP (0): retransmitting phase 1 (1)...

crypto_isakmp_process_block:src:5.5.5.5, dest:10.0.32.10 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 5.5.5.5/500 not found - peers:0

ISAKMP: larval sa found

ISAKMP (0): deleting SA: src 5.5.5.5, dst 10.0.32.10

ISADB: reaper checking SA 0x3b72824, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 5.5.5.5/500 not found - peers:0

Any ideas?
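
One way to triage the debug output in the reply above, as an added example that is not part of the original thread: the function name `triage` and its result keys are illustrative, and the log excerpt is copied from the post. It reports whether the proposal was accepted, whether IKE packets reached the firewall already translated, and whether phase 1 stalled before completing.

```python
import ipaddress
import re

# Excerpt copied from the `debug crypto isakmp` output in the post above.
SAMPLE = """\
crypto_isakmp_process_block:src:5.5.5.5, dest:10.0.32.10 spt:500 dpt:500
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0:0): vendor ID is NAT-T
crypto_isakmp_process_block:src:5.5.5.5, dest:10.0.32.10 spt:500 dpt:500
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 5.5.5.5, dst 10.0.32.10
"""

BLOCK = re.compile(r"crypto_isakmp_process_block:src:(\S+), dest:(\S+) spt:(\d+) dpt:(\d+)")
ATTR = re.compile(r"ISAKMP: (encryption|hash|default group|auth) (.+)")

def triage(log):
    """Summarise how far a phase 1 (main mode) negotiation got."""
    r = {"flows": set(), "inbound": 0, "proposal": {}, "accepted": False,
         "nat_t": False, "larval_hits": 0, "retransmits": 0, "deleted": False}
    for line in (l.strip() for l in log.splitlines()):
        if m := BLOCK.match(line):
            r["inbound"] += 1
            r["flows"].add((m[1], m[2], int(m[4])))
        elif m := ATTR.match(line):
            r["proposal"][m[1]] = m[2]
        elif "atts are acceptable" in line:
            r["accepted"] = True
        elif "vendor ID is NAT-T" in line:
            r["nat_t"] = True
        elif "larval sa found" in line:
            r["larval_hits"] += 1
        elif "retransmitting phase 1" in line:
            r["retransmits"] += 1
        elif "deleting SA" in line:
            r["deleted"] = True
    # Assumption: a private destination means IKE arrived after translation.
    r["dst_translated"] = bool(r["flows"]) and all(
        ipaddress.ip_address(d).is_private for _, d, _ in r["flows"])
    # Proposal accepted but SA deleted after retransmits: phase 1 stalled
    # after the SA payload, so the ISAKMP policies themselves matched.
    r["stalled_after_sa"] = r["accepted"] and r["deleted"] and r["retransmits"] > 0
    return r
```

Calling `triage(SAMPLE)` on the excerpt sets both `dst_translated` and `stalled_after_sa`, which narrows the search to what happens after the first message pair rather than to the transform set.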
