
I have two /28 subnets A & B.

My PIX and ASA's outside interface addresses are both in subnet A.

I am in the middle of a migration from the PIX to the ASA and need to use the PIX outside interface address on the ASA for the last two remaining LAN-to-LAN VPNs.

I am doing it like this because the vendors those VPNs connect to are huge IT Dinosaurs and will take them aaages to get their sh*t sorted... This means I need to move the IP address to my ASA so I can not bother having them change to a new Peer IP.

I've been trying to figure out how to set a specific IP address for my VPN peer, but I cannot figure out how.

I've even physically connected a second Ethernet port and tried giving it a similar IP in the same range, to which it said it's not possible to have two outside addresses with IPs in the same subnet.

moodah

1 Answer


Seems you're in a bit of a pickle.

You can't set the IP address of the tunnel; it is derived from the interface. As you noticed, you can't create another physical interface on the same subnet as an existing interface.

I suppose you already have folks pointing to the ASA IP address, so you can't simply flash-cut over to the PIX IP address?

If you just need to get the PIX decommissioned, depending on your version of ASA code (9.0 or greater) and hardware (PIX 5510/20 or greater) you could spin up another context and put the PIX IP address there. This doesn't solve the logical problem of having two different things to administer and terminate tunnels, but does get you off of the old hardware.

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_contexts.html#wp1035807

Maybe the IT dinosaurs have a few things right? ;)

Jason Seemann
  • The problem is I've shifted the rest of the VPNs already to the new device but both firewalls have external IPs in the same subnet!! /cry Thanks anyway though. Great help. – moodah Jun 12 '13 at 01:13
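
A sketch of the multiple-context layout the answer suggests, as an added example that is not part of the original answer or of Cisco's documentation. Subnet A is represented by the constructed range 198.51.100.0/28; the context and class names, interface numbers, addresses, session limit and file names are all assumptions.

```cisco
! Assumed layout (all values constructed for illustration):
!   198.51.100.2 = current ASA outside address, stays in context "admin"
!   198.51.100.3 = old PIX outside address, moves to context "legacy-vpn"
!
! System execution space. Switching with "mode multiple" forces a reload,
! and the existing single-mode configuration becomes the admin context.
mode multiple
!
! Both contexts share the outside interface, so give each context its own
! MAC address on it; the ASA then classifies inbound packets per context.
mac-address auto
!
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
!
! Site-to-site VPN sessions must be granted to a context through a
! resource class before tunnels can come up in it.
class legacy-vpn-class
 limit-resource vpn other 10
!
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/admin.cfg
!
context legacy-vpn
 member legacy-vpn-class
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 config-url disk0:/legacy-vpn.cfg
!
! Inside the new context: same physical outside port, same /28,
! but carrying the address the two remaining peers already point at.
changeto context legacy-vpn
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.3 255.255.255.240
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1
```

The tunnel groups and crypto maps for the two remaining peers are then configured inside `legacy-vpn` and bound to its `outside` interface, and the internal network needs a route toward that context's inside address for the traffic those tunnels protect.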