Cisco Support Community
Community Member

Terminating IPsec tunnel to PIX multiple interfaces

Hi, sorry for my English ....

We are running a PIX-based VPN network that is running fine. All the tunnels are terminated on the outside interface. At the main site we now want to terminate some tunnels on the DMZ interface as well, which is connected to the Internet via a separate router/ISP. I configured the crypto, the static routing to the remote site, etc., but when ISAKMP starts the negotiation the answer goes out via the outside interface (ISAKMP says that the local proxy is the outside interface...). If I unbind the crypto map from the outside interface the ISAKMP negotiation seems OK, but no traffic can flow inside the tunnel.

So the question: is this setup possible, i.e. can I terminate multiple tunnels on multiple interfaces and manage the setup with a mix of crypto maps, static routes, etc.?

Thanks !

Community Member

Re: Terminating IPsec tunnel to PIX multiple interfaces

Check out this CCO page for an example of how this is done. The only difference here is that encryption is done on the outside and inside interfaces and Xauth Client authentication is being used.
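As an added example (not the CCO page referenced above, and not configuration posted by anyone in this thread), here is a PIX 6.x-style configuration fragment for the setup the question describes: one crypto map bound to the outside interface and a second one bound to the DMZ interface, each with its own peer. All addresses, interface names, ACL names, map names and subnets are assumptions chosen for illustration. The point it shows is that the PIX picks the egress interface by a routing lookup before it consults a crypto map, so the DMZ-terminated tunnel needs two routes out the DMZ: a host route to the peer (for ISAKMP and ESP) and a route to the remote protected subnet (so the cleartext packet is sent to the interface where the DMZ crypto map is bound, instead of following the default route out the outside interface).

```text
! Assumed interfaces: outside (default route), dmz (second ISP), inside (LAN)
! Assumed addresses are documentation ranges; replace with your own.

! ISAKMP must be enabled on every interface that terminates a tunnel
isakmp enable outside
isakmp enable dmz
isakmp key ******** address 198.51.100.10 netmask 255.255.255.255
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Interesting traffic per tunnel (local LAN 10.1.0.0/16 in this example)
access-list vpn_outside permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list vpn_dmz     permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0

! Exempt tunnel traffic from NAT
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! Crypto map for tunnels that terminate on the outside interface
crypto map outmap 10 ipsec-isakmp
crypto map outmap 10 match address vpn_outside
crypto map outmap 10 set peer 198.51.100.10
crypto map outmap 10 set transform-set strong
crypto map outmap interface outside

! Separate crypto map for tunnels that terminate on the dmz interface
crypto map dmzmap 10 ipsec-isakmp
crypto map dmzmap 10 match address vpn_dmz
crypto map dmzmap 10 set peer 203.0.113.10
crypto map dmzmap 10 set transform-set strong
crypto map dmzmap interface dmz

sysopt connection permit-ipsec

! Routing: default via the outside ISP router ...
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! ... host route to the DMZ-terminated peer via the DMZ router (ISAKMP/ESP) ...
route dmz 203.0.113.10 255.255.255.255 192.0.2.129 1
! ... and the remote protected subnet of that peer via the DMZ router too,
! otherwise the cleartext packet follows the default route out "outside"
! and never hits dmzmap.
route dmz 10.3.0.0 255.255.255.0 192.0.2.129 1
```

To check which interface a negotiation is using, look at the routing lookup for the peer and for the remote subnet with `show route`, then watch the exchange with `debug crypto isakmp` and confirm the resulting SAs with `show isakmp sa` and `show crypto ipsec sa`; the local address reported for the SA should be the DMZ interface address for the peer that is routed via the DMZ.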

Community Member

Re: Terminating IPsec tunnel to PIX multiple interfaces


I had a look at the example.

I don't use a dynamic map on the outside, but this cannot be a big problem. I have a default route to the outside and a static route via a gateway in the DMZ to the remote peer. And this is the big difference.

I think my problems are in some way related to how the routing table is evaluated during IPsec setup.

I did a test: if I remove the default route, ISAKMP doesn't start negotiating even if the peer is directly connected (I cannot test this too much... the PIX is a production machine...).

I'm thinking about reconfiguring my PIX in order to switch outside<>dmz, but I will need again a default route via the DMZ router. I don't know if this will lead me into the same problems!!

Many thanks for any help !
