nosebreaker
Vendor
I have a regular IPsec VPN that I'm trying to go out to another location. A generic site-to-site VPN, we'll say one side is 10.0.1.0/24 and the other side is 10.0.2.0/24.
But, at side 10.0.1.0/24 it has 2 links to the internet, and a public /24 is routed there.
So I've got a router with 2 public internet interfaces, and the "internal" one goes to my PIX. It uses 192.168.1.0/24 just between itself and the PIX, and it has routed the public block (let's say the public block is 1.1.1.0/24 and let's say the remote site is 2.2.2.2) to itself via BGP.
So the problem is that the PIX is trying to set up the VPN as 192.168.1.1<->2.2.2.2 and not 1.1.1.1<->2.2.2.2.
I can statically map through any IP in 1.1.1.x/24 to any internal 10.0.1.x IP just fine, and NAT and everything else works fine.
How can I tell the PIX to use one of the public IPs that have been routed to it as its outgoing IP for the VPN?
I've attached a screenshot diagram.