Internet traffic in Vpn

Unanswered Question
Mar 7th, 2007


I want to have only one Internet gateway for my two networks connected over the VPN, which are deployed behind two PIX 501s.

Do I only have to modify my access-list like this?

access-list nonat permit ip any Intranet

access-list nonat permit ip any host ISAPeer5

nat (inside) 0 access-list nonat

where Intranet is the private address of my remote network and ISAPeer5 is the public address of the outside interface of the remote PIX

best regards


Kamal Malhotra Wed, 03/07/2007 - 02:10

Hi Lorenzo,

I'm not sure if I understood your requirement correctly so please confirm if what I understood is correct or not.

We want all the traffic originating from behind the remote PIX 501 to go through the tunnel. If that is the requirement then whether this can be done or not would depend on the device we are establishing the tunnel with. What does the PIX 501 establish the VPN with? If it is a PIX running 6.x then it is possible only under one condition: we MUST have a proxy server behind the central site that can do proxy for the remote networks. If it is a router, concentrator, ASA or PIX v7 then it is a different implementation on all the devices.

But one thing is for sure: if you have a router, concentrator, ASA or PIX v7 then the crypto ACL on the remote PIX should be something like:

access-list vpn permit ip any

and on the central device it should be the reflection.


Please rate if it helps.



lformelli Wed, 03/07/2007 - 02:31

Hi Kamal,

On the main site I now have a Microsoft ISA Server configured as a firewall, but not as a proxy.

In the future I think I will install an ASA or PIX on the central site as well.

Can you advise some document/configuration about it?

best regards


kaachary Wed, 03/07/2007 - 02:32

Hi Lorenzo,

If the Internet gateway for both PIX 501s is the remote PIX firewall, then the no-nat ACL would be something like this:

access-list nonat permit ip any any

nat (inside) 0 access-list nonat

This way all the traffic from the PIX 501 LAN subnets will not be NATed and will be sent through the tunnel to the remote PIX and then to the Internet.

*Please rate if it helped.
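The two answers above come down to one configuration check on the remote PIX: for all Internet traffic to leave through the tunnel, both the nat 0 (no-NAT) ACL and the crypto ACL must match every destination, not just the central LAN and the peer. The following script is an added example, not code from the original thread or from Cisco: it parses PIX 6.x-style `access-list`, `nat (inside) 0 access-list` and `crypto map ... match address` lines and reports whether the configuration is a full-tunnel one like kaachary's `permit ip any any` or a split one like the original poster's. The two embedded configs, the ACL names `nonat` and `vpn`, and the addresses 10.1.0.0/16, 10.2.0.0/16 and 192.0.2.10 are constructed for the example.

```python
"""Audit a PIX 6.x-style config for the 'all Internet traffic through the VPN tunnel' pattern.

Added example for the thread above; the configs below are constructed, not a real device's.
"""
import re

# access-list NAME permit|deny PROTO SRC DST [ports...]
ACL_LINE = re.compile(r"^\s*access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+?)\s*$")
# nat (IFACE) 0 access-list NAME  -> NAME is the no-NAT (nat 0) ACL
NAT0_LINE = re.compile(r"^\s*nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")
# crypto map MAP SEQ match address NAME -> NAME is the crypto (interesting traffic) ACL
CRYPTO_MATCH_LINE = re.compile(r"^\s*crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)")

# Constructed: the original poster's shape, exempting/encrypting only the central LAN and the peer.
SPLIT_TUNNEL_CONFIG = """
access-list nonat permit ip any 10.2.0.0 255.255.0.0
access-list nonat permit ip any host 192.0.2.10
access-list vpn permit ip any 10.2.0.0 255.255.0.0
access-list vpn permit ip any host 192.0.2.10
nat (inside) 0 access-list nonat
crypto map mymap 10 match address vpn
"""

# Constructed: kaachary's shape, sending everything through the tunnel.
FULL_TUNNEL_CONFIG = """
access-list nonat permit ip any any
access-list vpn permit ip any any
nat (inside) 0 access-list nonat
crypto map mymap 10 match address vpn
"""


def _take_address(tokens):
    """Consume one PIX address spec ('any', 'host A.B.C.D', or 'A.B.C.D MASK') from the token list."""
    if not tokens:
        raise ValueError("missing address spec in access-list entry")
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        if len(tokens) < 2:
            raise ValueError("'host' without an address")
        return f"host {tokens[1]}", tokens[2:]
    if len(tokens) < 2:
        raise ValueError("network address without a mask")
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acls(config):
    """Return {acl_name: [(action, proto, src, dst), ...]} in configuration order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_LINE.match(line)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        src, tokens = _take_address(rest.split())
        dst, _ = _take_address(tokens)  # any trailing port clause is ignored
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def referenced_acl(config, pattern):
    """Name of the ACL referenced by the first line matching `pattern`, or None."""
    for line in config.splitlines():
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


def permits_all_destinations(entries):
    """True when some 'permit ip' entry matches every destination (dst == any)."""
    return any(a == "permit" and p == "ip" and d == "any" for a, p, _s, d in entries)


def audit_full_tunnel(config):
    """Report whether the nat 0 ACL and the crypto ACL both cover all destinations."""
    acls = parse_acls(config)
    nonat = referenced_acl(config, NAT0_LINE)
    crypto = referenced_acl(config, CRYPTO_MATCH_LINE)
    issues = []
    if nonat is None:
        issues.append("no 'nat (inside) 0 access-list' statement found")
    elif not permits_all_destinations(acls.get(nonat, [])):
        issues.append(f"nat 0 ACL '{nonat}' exempts only specific destinations; Internet-bound traffic is NATed locally")
    if crypto is None:
        issues.append("no 'crypto map ... match address' statement found")
    elif not permits_all_destinations(acls.get(crypto, [])):
        issues.append(f"crypto ACL '{crypto}' encrypts only specific destinations; Internet-bound traffic bypasses the tunnel")
    return {"nonat_acl": nonat, "crypto_acl": crypto, "full_tunnel": not issues, "issues": issues}


if __name__ == "__main__":
    for label, cfg in (("split", SPLIT_TUNNEL_CONFIG), ("full", FULL_TUNNEL_CONFIG)):
        print(label, audit_full_tunnel(cfg))
```

The script only looks at the remote PIX; it cannot confirm what Kamal's answer stresses, namely that the central device carries the mirror-image crypto ACL and is actually able to forward the remote subnets on to the Internet (a proxy behind a PIX 6.x, or a device that supports it natively). Treat a "full_tunnel" result as one half of the check.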


