
Multiple IP addresses on PIX 515 - 1 for VPN traffic and 1 for internet

slyride (MIS, CO), Feb 6, 2003
Hello,
I am seeking to configure my PIX 515 so that VPN users can connect to a different public IP address than the public IP address that is used for internet traffic. Currently I have 2 FE interfaces, one is the outside and the other the inside. I suspect that I will need one more on the inside so that I can have internet traffic routed through one and VPN traffic through the other. So how far off am I? :) Let me add that I currently have the VPN set up to connect to the same IP that is the public IP for outbound internet; there is no incoming traffic except the VPN traffic.
 
Not really understanding completely here. You don't need another public address to terminate VPNs on; actually you can't, the address on the outside interface is the one you terminate VPN sessions on, for both client and LAN-to-LAN sessions.

The PIX is perfectly equipped to handle both internet traffic and VPN on the same IP address.

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Hello Jan,
Thanks for responding. The concern I was trying to address is that if someone browses to a questionable site and that site takes down the IP address that the connection came from, would that make the VPN connections less secure, as they connect to that same IP address? Or am I underestimating the PIX, and that scenario should not pose a problem?
Thanks
Leon
 
Hmm, if by take down you mean a DDoS attack, then no, because your inet connection will be flooded, and it does not matter which address is attacked; your bandwidth will be consumed by the attack anyway.

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Thanks again, excellent point, what about port scans and/or sniffing?
 
Well, you can't really flood a port as such, since a packet for an IPsec tunnel has to carry a valid SPI and as such belong to an authenticated tunnel to be processed further. But if you are concerned, just use another address in your "global (outside) 1 x.x.x.x" statement than the one your PIX's outside interface has.

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
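To make the last suggestion concrete, here is a constructed PIX 6.x configuration fragment (added here, not posted by anyone in the thread). It assumes the outside interface is 203.0.113.2, the inside network is 10.1.1.0/24, and 203.0.113.10 is a spare address in the same public block; all addresses are TEST-NET placeholders. The "before" lines PAT internet traffic onto the interface address, so browsing and the VPN share one public IP; the "after" lines move PAT to a separate address while IPsec still terminates on the interface address.

```text
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Before: PAT on the interface address, so browsing and VPN both show up as 203.0.113.2
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! After: PAT on a separate address from the same public block.
! Inside hosts now appear on the internet as 203.0.113.10,
! while IPsec peers still connect to the interface address 203.0.113.2
no global (outside) 1 interface
global (outside) 1 203.0.113.10 netmask 255.255.255.255

! VPN termination stays bound to the outside interface
isakmp enable outside
sysopt connection permit-ipsec
```

The upstream router must route (or proxy-ARP for) 203.0.113.10 to the PIX, and `show xlate` will confirm outbound sessions are using the new global address.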
 