Posted by Cen on September 2, 2005, 8:32 am
Hi,
I have a few ranges of public IP addresses.
Say, for example, 202.1.1.1 - 202.1.1.4, 203.1.1.1-203.1.1.4
A PIX is used as edge to the Internet. My questions are:
- how do I utilise the 2 IP addresses, since they're from different subnets?
If I assign the PIX outside interface as 202.1.1.1, only the 202.x.x.x range
will be used, leaving 203.x.x.x unused.
- is it possible to have VPN terminated using multiple IP addresses? What if
I want users from the Internet to VPN into 202.1.1.1 and 202.1.1.3?
TIA.
Posted by Walter Roberson on September 1, 2005, 11:53 pm
:I have a few ranges of public IP addresses.
:Say, for example, 202.1.1.1 - 202.1.1.4, 203.1.1.1-203.1.1.4
:A PIX is used as edge to the Internet. My questions are:
:- how do I utilise the 2 IP addresses, since they're from different subnets.
:If I assign the PIX outside interface as 202.1.1.1, only the 202.x.x.x range
:will be used, leaving 203.x.x.x unused.
You go ahead and assign statics or global statements that
reference the additional IP address ranges, and you ensure that
your WAN router routes the additional ranges to the PIX outside IP.
The PIX will handle traffic -through- it for an indefinite number
of different subnets. It will proxy-arp for the additional IPs too,
if you don't have that turned off, and if you are not using
nat 0 access-list. It is, though, better if you can do an explicit
route to the device instead of relying on proxy-arp.
Oh, and ensure you have a 'route' statement that points to your LAN
router to handle the additional IP ranges. Or use a logical interface
(802.1Q VLAN) on the inside.
:- is it possible to have VPN terminated using multiple IP addresses?
Only if you have multiple physical interfaces, in PIX 6.x.
If I recall correctly, you cannot terminate a VPN on a "logical
interface" (VLAN) in 6.x (it might be possible in 7.0.)
:What if
:i want users from the Internet to VPN into 202.1.1.1 and 202.1.1.3?
The internal IP range that your users are attempting to reach does not have
to have anything to do with the public IP range. You could number
your internal ranges as 10.200/16 and your users would be able to
reach your hosts, as long as their VPN client knows to send the
encapsulated packets to your single public IP.
I have two public class C's (one fragmented into several subnets) and
several internal private /24's and an internal private /16, and my
VPN users can get to all of the above that I permit access to, all
with just a single public IP handling the VPN connections.
--
"[...] it's all part of one's right to be publicly stupid." -- Dave Smey
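A configuration along the lines Walter describes, added here as an example and not part of the original thread. The interface names, the /29 masks on both public ranges, the ISP router at 202.1.1.6, the inside addressing (10.200.0.0/16 directly connected, 10.201.0.0/16 behind a LAN router at 10.200.0.2) and the two example servers are all assumptions; the first range is used for dynamic PAT and the second range is consumed by static translations so that neither is left idle.

```cisco
! ---- Upstream WAN router (IOS), assumed to sit at 202.1.1.6 ----
! Explicit route for the second range, so the router never has to
! ARP for 203.1.1.x and the PIX need not proxy-arp for it.
ip route 203.1.1.0 255.255.255.248 202.1.1.1

! ---- PIX 6.x ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Outside interface takes one address from the first range only;
! the second range never appears on an interface.
ip address outside 202.1.1.1 255.255.255.248
ip address inside 10.200.0.1 255.255.0.0

! Default route toward the ISP router.
route outside 0.0.0.0 0.0.0.0 202.1.1.6 1
! Second internal range lives behind an assumed LAN router at 10.200.0.2.
route inside 10.201.0.0 255.255.0.0 10.200.0.2 1

! Dynamic PAT for both inside ranges uses an address from the first range.
nat (inside) 1 10.200.0.0 255.255.0.0 0 0
nat (inside) 1 10.201.0.0 255.255.0.0 0 0
global (outside) 1 202.1.1.2

! Addresses from the second range are handed out as one-to-one statics;
! the inside hosts can be in either internal range.
static (inside,outside) 203.1.1.2 10.200.10.2 netmask 255.255.255.255 0 0
static (inside,outside) 203.1.1.3 10.201.5.3 netmask 255.255.255.255 0 0

! A static alone does not admit traffic; only the listed services are
! reachable from the Internet, everything else to the statics is dropped.
access-list outside_in permit tcp any host 203.1.1.2 eq www
access-list outside_in permit tcp any host 203.1.1.3 eq smtp
access-group outside_in in interface outside
```

Two things to check before trusting this: `show xlate` after an inside host browses out should show the 202.1.1.2 PAT entry, and a trace from outside to 203.1.1.2 should leave the ISP router toward 202.1.1.1 rather than time out on an ARP. If proxy ARP is switched off on the outside interface (`sysopt noproxyarp outside`), the 202.1.1.2 global, which shares the interface's connected subnet, also stops being answered, so the upstream router would then need a host route for it as well; with proxy ARP left on, as above, only the 203 range depends on the explicit route.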