PIX NAT and IPsec

vcolla
Level 1

I have a PIX that has statically translated IPs for servers. For example, say the outside IP of a server is 172.1.1.1 and the inside is 10.1.1.1. I also have an IPSec tunnel with some vendors that can build a tunnel with my PIX for the 10.1.1.0 network.

Is there any way I can build a tunnel with them for 172.1.1.1 IPs? In other words, their requirement is to establish a tunnel for public IPs, which means that they want to have my PIX as a peer, but route anything going to 172.1.1.0 through the tunnel. Sort of like PIX would first strip down the tunnel and then translate the IP addresses.

Would that work? Or do I have to move the VPN functionality to a device in front of PIX?

Thank you,

Vladimir


cjacinto
Cisco Employee

You can create a tunnel based on the public IP address of your host, so the PIX accepts the IPsec traffic, decrypts it, and then translates it back to the inside IP address of the host. Make sure, though, that you exclude the PIX outside interface from your crypto ACL if the host on the public side is within the same subnet as the PIX outside interface.
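The configuration below is an added example illustrating the reply above; it is not taken from the thread or from Cisco documentation. It uses the post's translated pair (172.1.1.1 outside, 10.1.1.1 inside) and assumes, for illustration only, a PIX outside interface address of 172.1.1.254, a vendor peer at 203.0.113.10, a vendor internal network of 192.168.50.0/24, and the names vendor-vpn, vendor-ts and vendor-map. The point it shows is that the crypto ACL names the public (post-NAT) addresses and carries a deny line for the PIX's own outside address before the permit for the /24; the `!` lines are annotations and can be dropped when pasting.

```cisco
! Hypothetical addresses: PIX outside 172.1.1.254, vendor peer 203.0.113.10,
! vendor internal network 192.168.50.0/24. The static below is the one from the post.
static (inside,outside) 172.1.1.1 10.1.1.1 netmask 255.255.255.255 0 0

! The crypto ACL is matched against the translated (public) addresses, so it
! lists 172.1.1.0/24, not 10.1.1.0/24. The deny line comes first: without it the
! permit for 172.1.1.0/24 would also pull the PIX's own outside address
! (172.1.1.254, in that same subnet) into the tunnel and break IKE/ESP to the peer.
access-list vendor-vpn deny ip host 172.1.1.254 192.168.50.0 255.255.255.0
access-list vendor-vpn permit ip 172.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0

! Allow decrypted tunnel traffic to bypass the outside interface ACL
sysopt connection permit-ipsec

! IKE phase 1 (pre-shared key with the vendor peer; algorithms are assumed)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key REPLACE-WITH-SHARED-SECRET address 203.0.113.10 netmask 255.255.255.255

! IPsec phase 2 bound to the crypto ACL above
crypto ipsec transform-set vendor-ts esp-3des esp-sha-hmac
crypto map vendor-map 10 ipsec-isakmp
crypto map vendor-map 10 match address vendor-vpn
crypto map vendor-map 10 set peer 203.0.113.10
crypto map vendor-map 10 set transform-set vendor-ts
crypto map vendor-map interface outside
```

The vendor's side mirrors this: their interesting-traffic selector is 192.168.50.0/24 to 172.1.1.0/24 with the PIX outside address as the peer, and they never see 10.1.1.0/24. Inbound, a packet for 172.1.1.1 arrives inside ESP, is decrypted, and is then matched by the static and delivered to 10.1.1.1; outbound, 10.1.1.1's replies are translated to 172.1.1.1 first and only then matched against vendor-vpn, which is why the ACL must use the public range. Check with `show crypto ipsec sa` that the SA's local identity is 172.1.1.0/24 and that the PIX's own 172.1.1.254 does not appear in any proxy identity.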