
PIX VPN using the external addresses

Anonymous
September 6, 2005 9:34:52 PM

Archived from groups: comp.dcom.vpn

We have a company that has a policy against using internal IPs in their
IPSec tunnels. Can someone give me the basic PIX config differences
for using the external IPs as opposed to the internals? All of our
current tunnels use the internal IPs and several attempts at using the
externals haven't gone very well.

Thanks in advance.
Anonymous
September 7, 2005 12:43:15 PM

Archived from groups: comp.dcom.vpn,comp.dcom.sys.cisco

Nate wrote:

> We have a company that has a policy against using internal IPs in their
> IPSec tunnels. Can someone give me the basic PIX config differences

This does not make sense!! Do they have clues in IT? Doing something
like that is losing accounting... if losing accounting is in their
corporate policy, oooh my God!

> for using the external IPs as opposed to the internals? All of our
> current tunnels use the internal IPs and several attempts at using the
> externals haven't gone very well.

> Thanks in advance.

2 or 3 weeks ago, somebody asked if it is possible to NAT an inside
network before getting this NATed IP in a VPN. Pretty much, using Google
searching for that, you'd get ideas on how to do an ugly thing like that.

Hey, do not tell me thank you, hum? The day the first site will be
flooding the other site with worm(s), you'll be very happy to
investigate who has been infected first.

/Edgar

Anonymous
September 7, 2005 6:32:47 PM

Archived from groups: comp.dcom.vpn,comp.dcom.sys.cisco

In article <dfm25v$eh2$1@news.brutele.be>,
Edgar® du Luxembourg® <edgar@no_troll.sncb.be> wrote:
:Nate wrote:

:> We have a company that has a policy against using internal IPs in their
:> IPSec tunnels. Can someone give me the basic PIX config differences

:This does not make sense !! Do they have clues in IT ? Doing something
:like that is loosing accounting... if loosing accounting is in their
:corporate policy, oooh my God!

It is no worse than using DHCP, which most companies use these days.
And the information about which internal host IP it was can easily
be pulled from the logs -- the internal host IP and port is shown
in every Build, Teardown, and Deny message.
--
This signature intentionally left... Oh, darn!
!
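The last reply's point is that NATing the inside network before the tunnel does not lose accounting, because the PIX connection log still records the real inside host and port. The following is an added example, not code from the thread or from Cisco: a small Python parser run over constructed PIX-style Built, Teardown and Deny lines (the layout is assumed from the PIX/ASA 302013, 302014 and 106023 syslog messages, where the address in parentheses is the post-NAT mapped address) that extracts the inside endpoint and maps the tunnel-visible external address back to the internal hosts that used it.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample log lines (not real captures). The format is an assumption
# modeled on PIX/ASA 302013 (Built), 302014 (Teardown) and 106023 (Deny):
# interface:real-address/real-port, followed for Built messages by the
# NAT-mapped (mapped-address/mapped-port) in parentheses.
SAMPLE_LINES: List[str] = [
    "%PIX-6-302013: Built outbound TCP connection 1187 for outside:198.51.100.20/443 "
    "(198.51.100.20/443) to inside:10.1.1.57/3421 (203.0.113.5/3421)",
    "%PIX-6-302014: Teardown TCP connection 1187 for outside:198.51.100.20/443 "
    "to inside:10.1.1.57/3421 duration 0:00:12 bytes 8312 TCP FINs",
    "%PIX-6-302013: Built outbound TCP connection 1190 for outside:198.51.100.20/443 "
    "(198.51.100.20/443) to inside:10.1.1.88/2050 (203.0.113.5/2050)",
    "%PIX-4-106023: Deny tcp src inside:10.1.1.88/2049 dst outside:198.51.100.30/445 "
    'by access-group "inside_in"',
    "%PIX-6-302013: Built inbound TCP connection 1193 for outside:198.51.100.21/51234 "
    "(198.51.100.21/51234) to inside:10.1.1.57/80 (203.0.113.5/80)",
]


class Endpoint(NamedTuple):
    interface: str
    real_ip: str           # pre-NAT address of the host
    real_port: int
    mapped_ip: Optional[str]    # post-NAT address, when the message carries one
    mapped_port: Optional[int]


# "iface:ip/port" optionally followed by " (mapped_ip/mapped_port)"
ENDPOINT_RE = re.compile(
    r"(?P<iface>[A-Za-z0-9_-]+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)"
    r"(?: \((?P<mip>\d{1,3}(?:\.\d{1,3}){3})/(?P<mport>\d+)\))?"
)
# message id and the message class the thread talks about
MSG_RE = re.compile(r"%PIX-\d-(?P<id>\d{6}): (?P<kind>Built|Teardown|Deny)\b")


def parse_line(line: str) -> Optional[Tuple[str, List[Endpoint]]]:
    """Return (kind, endpoints) for a Built/Teardown/Deny line, else None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    endpoints = [
        Endpoint(e["iface"], e["ip"], int(e["port"]),
                 e["mip"], int(e["mport"]) if e["mport"] else None)
        for e in ENDPOINT_RE.finditer(line)
    ]
    return m["kind"], endpoints


def inside_endpoint(line: str, inside_iface: str = "inside") -> Optional[Endpoint]:
    """The endpoint on the inside interface, i.e. the real internal host."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    for ep in parsed[1]:
        if ep.interface == inside_iface:
            return ep
    return None


def attribute_mapped(lines: List[str], inside_iface: str = "inside") -> Dict[str, Set[str]]:
    """Map each tunnel-visible (post-NAT) address seen in Built messages back to
    the real inside hosts that used it: the lookup a responder needs when the
    remote site only ever sees the external addresses."""
    table: Dict[str, Set[str]] = {}
    for line in lines:
        parsed = parse_line(line)
        if not parsed or parsed[0] != "Built":
            continue
        ep = inside_endpoint(line, inside_iface)
        if ep and ep.mapped_ip:
            table.setdefault(ep.mapped_ip, set()).add(ep.real_ip)
    return table


def connections_per_inside_host(lines: List[str], inside_iface: str = "inside") -> Counter:
    """Count Built connections per real inside host (a noisy host stands out)."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] == "Built":
            ep = inside_endpoint(line, inside_iface)
            if ep:
                counts[ep.real_ip] += 1
    return counts


def denied_inside_hosts(lines: List[str], inside_iface: str = "inside") -> List[str]:
    """Real inside hosts that appear as the source of Deny messages."""
    hosts: Set[str] = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] == "Deny":
            ep = inside_endpoint(line, inside_iface)
            if ep:
                hosts.add(ep.real_ip)
    return sorted(hosts)


if __name__ == "__main__":
    print("mapped -> real:", attribute_mapped(SAMPLE_LINES))
    print("connections per host:", connections_per_inside_host(SAMPLE_LINES))
    print("denied hosts:", denied_inside_hosts(SAMPLE_LINES))
```

The interface name defaults to `inside` because that is the PIX convention, but it is a parameter since deployments rename interfaces; the parser keys on the interface label rather than on address ranges, so it works unchanged whether the tunnel carries internal or NATed addresses.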