Terminating IPsec tunnel to PIX multiple interfaces
Hi, sorry for my English ....
We are running a PIX-based VPN network that is running fine. All the tunnels are terminated on the outside interface. At the main site we now want to terminate some tunnels also on the DMZ interface, which is connected to the Internet via a separate router/ISP. I configured the crypto, the static routing to the remote site, etc., but when ISAKMP starts the negotiation the answers go via the outside interface (ISAKMP says that the local proxy is the outside interface...). If I unbind the crypto map from the outside interface the ISAKMP negotiation seems OK but no traffic can flow inside the tunnel.
So the question: is this setup possible, i.e. can I terminate multiple tunnels on multiple interfaces and manage the setup with a mix of crypto maps, static routes, etc.?
Re: Terminating IPsec tunnel to PIX multiple interfaces
I had a look at the example.
I don't use a dynamic map on the outside but this cannot be a big problem. I have a default route to the outside and a static route via a gateway in the DMZ to the remote peer. And this is the big difference.
I think my problems are in some way related to how the routing table is evaluated during IPSec setup.
I did a test: if I remove the default route, ISAKMP doesn't start negotiating even if the peer is directly connected (I cannot test this too much... the PIX is a production machine...).
I'm thinking about reconfiguring my PIX in order to switch outside<>dmz, but I will again need a default route via the DMZ router. I don't know if this will lead me into the same problems!!