Re: Dynamic Site to Site

In article <1127210864.442892.254790@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
<morgan.ian@xxxxxxxxx> wrote:
:But my pix in Plant C is going to have a private IP. Plant C will start
:the connection though.

Please quote appropriate context, to make it easier on those of us who
go through a lot of postings.


You indicated in your initial posting that Plant C has a dynamic IP
address from the ISP, and you indicate now that Plant C will have
a private IP address. When you talk about private IP addresses,
are you talking about the "inside" network, or are you saying that
the ISP is assigning a dynamic *private* IP to C's PIX?

It doesn't really matter either way. As long as you are not trying
to use traditional AH (Authentication Header), C's ISP can assign
any IP it wants to the PIX (as long as it doesn't overlap the internal
range!). When C's PIX initiates packets out to the public network,
the packets will travel through the ISP's internal infrastructure
to the ISP's gateway to the public network. At that point, if the ISP
did happen to assign one of the RFC1918 private IP ranges to the PIX,
the ISP will be responsible for performing NAT into a public IP, and
it will be that public IP that will appear on the packets that reach
your other hosts. When your hosts reply to that public IP, the replies
will reach the ISP's gateway, and the ISP would then be responsible
for any necessary NAT'ing to get into the IP address space that it had
handed to C's PIX, and the ISP will then deliver the packets through
its infrastructure in order to reach C's PIX.

If the ISP assigns a dynamic public IP to C's PIX, then the ISP
will not need to do any NAT, but that won't affect the flow of packets
in any significant way.

When you are using a crypto dynamic map at HQ to receive the IPSec
packets from C's PIX, the -only- point at which you care about C's
PIX IP address is in constructing an "isakmp key" shared key. For
that particular statement, you would like the IP range narrowed down
as much as feasible. PIX 6.x only allows you a single isakmp key
with IP 0.0.0.0 mask 0.0.0.0, so to be able to handle multiple dynamic
connections with different shared keys, you'd like to make the scope
of the key as specific as you can to avoid overlaps.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
.

Relevant Pages

  • Re: PIX 506e NAT Question
    ... subnet over both sides of my router?" ... You have a pool of 30 usable IP addresses from your ISP. ... if your router is between this 30 IP address subnet and the ISP. ... interface of your PIX a bunch of IP addresses. ...
    (comp.dcom.sys.cisco)
  • Configuring a failover solution
    ... our different outside interfaces (router, pix, etc). ... The ISP for line B allocates us 8 ... ip addressess on the 12.14.16.x subnet which we can use for what we see ...
    (comp.dcom.sys.cisco)
  • Re: PIX 506e NAT Question
    ... subnet over both sides of my router?" ... You have a pool of 30 usable IP addresses from your ISP. ... if your router is between this 30 IP address subnet and the ISP. ... interface of your PIX a bunch of IP addresses. ...
    (comp.dcom.sys.cisco)
  • Re: Port 25 blocking ????
    ... Your reference to the other company said you tried to telnet -to- them ... arrangements on their end (or because of their ISP.) In the ... your PIX would not be involved unless ... get a hit on your ACL permit for an ACL applied "in interface inside" ...
    (comp.dcom.sys.cisco)
  • pix site to site problem with NAT
    ... I have had to change my ISP and now instead of a public ip on my ... pix i have a private address but i still need to have a site to site ... ipsec connection between two pix's. ... Im not sure how to forward the ipsec traffic to the pix and also how ...
    (comp.dcom.sys.cisco)