I have a general question regarding IPSec capabilities. Currently I am using a Cisco 1710 with FW features to implement a couple of IPSec tunnels to remote sites.
Following is part of this configuration:
! Loopback0 carries the public address that all IPSec traffic terminates on,
! even though both physical interfaces of the router hold private addresses
crypto map test local-address Loopback0
!
! Manually keyed entry: no IKE, SPIs and keys are configured statically
crypto map test 1 ipsec-manual
 set peer 10.145.100.1
 ! Inbound and outbound SAs use different SPIs (1050 / 1051)
 set session-key inbound esp 1050 authenticator 0123456789ABCDEF0123456789ABCDEF
 set session-key outbound esp 1051 authenticator 0123456789ABCDEF0123456789ABCDEF
 set transform-set testTRANS
 ! Access list 100 selects the traffic to be protected
 match address 100
Now suppose I want to replace it with a PIX firewall and want to keep the existing configuration. What I forgot to mention is that the 1710 router belongs to my internal LAN, has private addresses on both interfaces and can only be accessed for IPSec through the public loopback address. Can the PIX do the same? Can I assign a (public) loopback address to it and use it for IPSec?
From my experience up to now with PIX I know that such an approach is not feasible and I would need to apply public IP addresses to the external interface of the PIX (and to my router gateway as well!!!... meaning a redesign).
Please let me know. I know other firewalls support such an approach.
Nope, you can't assign a loopback address to the PIX. You'd have to assign the loopback IP address to the outside interface of the PIX and terminate the tunnel on that. The PIX does support manual IPSec keying, so you'll still be able to use that (although IKE is much more secure).
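What the answer describes, written out as an added configuration example (PIX 6.x syntax) that is not part of the original thread: the public address that lived on the router's Loopback0 moves to the PIX outside interface, and the manually keyed crypto map is bound to that interface instead of using "local-address Loopback0". The peer 10.145.100.1, the SPIs 1050/1051, the authenticator key, the transform-set name testTRANS and access list 100 are taken from the question; the outside address 203.0.113.1 and mask, the inside and remote subnets, the contents of the transform set and the cipher key are assumptions (the PIX manual-keying command requires a cipher key for ESP, which the question's snippet does not show). The comment lines are annotations for the reader; strip them before pasting into a PIX.

```text
! Added example (PIX 6.x syntax), not from the original thread.
! 203.0.113.1 stands in for the public address previously held by Loopback0 (assumption)
ip address outside 203.0.113.1 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0

! Traffic to protect: local LAN to the remote site's LAN (both subnets are assumptions)
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! Transform-set contents are an assumption: the authenticator-only session keys in the
! question imply an HMAC transform; the cipher is added because PIX requires one for ESP
crypto ipsec transform-set testTRANS esp-des esp-md5-hmac

! Manually keyed crypto map entry, mirroring the router's "crypto map test 1 ipsec-manual"
crypto map test 1 ipsec-manual
crypto map test 1 match address 100
crypto map test 1 set peer 10.145.100.1
crypto map test 1 set transform-set testTRANS
! SPIs and authenticator key from the question; the 8-byte DES cipher key is a placeholder (assumption)
crypto map test 1 set session-key inbound esp 1050 cipher 0123456789ABCDEF authenticator 0123456789ABCDEF0123456789ABCDEF
crypto map test 1 set session-key outbound esp 1051 cipher 0123456789ABCDEF authenticator 0123456789ABCDEF0123456789ABCDEF

! Binding the map to the outside interface is what replaces "local-address Loopback0":
! the tunnel now terminates on the outside interface address, so that address must be public
crypto map test interface outside

! Let decrypted tunnel traffic bypass the interface access lists
sysopt connection permit-ipsec
```

Two practical checks before relying on this: the SPIs and keys must be mirrored on the remote peer (its inbound SPI 1051 is this side's outbound, and vice versa), and because manual keys never rotate, the same key material protects every packet for the life of the configuration, which is the reason the answer above recommends IKE instead.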