Cisco Support Community
New Member

IPSEC Tunnel not using interface IP

I have a PIX 525 with 7.2(2). I have the outside interface to a GSR using private IPs. I want external people to be able to establish an IPSEC tunnel to this PIX using a public IP. The GSR routes the public IP to the PIX. How can I assign the public IP to the outside interface so that it will establish the IPSEC tunnels?

Thanks

LK

6 REPLIES
Cisco Employee

Re: IPSEC Tunnel not using interface IP

Hi,

If the GSR is doing static NAT for the outside interface IP address to a public IP, then you are all set. Just configure the PIX the way it should be, and the VPN will work.

You don't have to do anything else.

-Kanishka

Cisco Employee

Re: IPSEC Tunnel not using interface IP

Hi LK,

A couple of things that you need to take care of:

1. GSR is doing a static NAT for the outside IP of the PIX to a public IP.

2. GSR is not blocking any protocols/ports used for VPN. E.g. for IPSEC VPN, you need to make sure that UDP 500, UDP 4500 and ESP are open. Please also make sure that NAT-T is enabled on the PIX.

HTH,

Please rate if it helps,

Regards,

Kamal

New Member

Re: IPSEC Tunnel not using interface IP

The GSR is not doing any NAT.

The GSR is blocking nothing.

The PIX has a public IP that is directly connected to the GSR. This is the Gig-E link between them. The GSR has a static route to another public IP that points to the PIX. What I want to do is configure the PIX so that external people can make an IPSEC connection to the second public IP. Not the interface IP. Is that possible?

Thanks

LK

Cisco Employee

Re: IPSEC Tunnel not using interface IP

Hi,

The VPN tunnel can terminate only on one of the interfaces of the PIX.

The ip address for VPN tunnel has to be assigned to some interface.

Hope this helps.

-Kanishka

New Member

Re: IPSEC Tunnel not using interface IP

That's what I was afraid of. Thanks a lot for the help.

Cisco Employee

Re: IPSEC Tunnel not using interface IP

Hi LK,

No, this is not possible. You need to connect to the interface IP.

Regards,

Kamal
