How to send Internet traffic to VPN tunnel endpoint & not outside interface

Jun 26th, 2007

Two endpoints, a PIX 501 and a PIX 515, connected with an IPsec tunnel. The PIX 501 uses DHCP to get its IP address and route info. Therefore, all Internet traffic goes out the outside interface. I want to send Internet traffic to the tunnel endpoint where the 505 is, so that our application layer firewall can apply policies. How do I accomplish this?

acomiskey Tue, 06/26/2007 - 07:29

Specify your interesting-traffic and NAT-exemption ACLs as being to any on the 501; then all traffic will pass over the tunnel.

Also, you said 505, did you mean 515?

Please rate helpful posts.

murray-davis Tue, 06/26/2007 - 07:40

Yes, I meant 515. Here is my acl:

access-list NONAT permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list NONAT permit ip 192.168.7.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list EDM permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list EDM permit ip 192.168.7.0 255.255.255.0 10.1.0.0 255.255.0.0

So, if I understand you correctly, I need to add the following to my acls at the 501 end and do the same at the 515 end for the corresponding EDM acl for the tunnel:

access-list NONAT permit ip any any

access-list EDM permit ip any any

Is this correct?

Thank you for your response.

acomiskey Tue, 06/26/2007 - 07:49

Not exactly. If you add those lines to the 515, then all traffic from the 515 will go over the tunnel as well, which you don't want, right?

I would make it like this...

501

access-list NONAT permit ip 192.168.7.0 255.255.255.0 any

access-list EDM permit ip 192.168.7.0 255.255.255.0 any

515

access-list NONAT permit ip any 192.168.7.0 255.255.255.0

access-list EDM permit ip any 192.168.7.0 255.255.255.0

This way, all traffic from the 501 will cross the tunnel, but only traffic for 192.168.7.x will cross the tunnel from the 515.

murray-davis Tue, 06/26/2007 - 11:31

Sorry for the delay, fires to put out... I hope to return to this issue later today. I will test and definitely let you know.

Regards,

murray-davis Wed, 06/27/2007 - 13:29

Tried today. The tunnel came up, but Internet did not work. Here are the commands/changes that I made, with the public IP info x/y'd out.

501 config

no access-list NONAT

access-list NONAT permit ip 192.168.7.0 255.255.255.0 any

nat (inside) 0 access-list NONAT

no crypto map newmap 10

no access-list EDM

access-list EDM permit ip 192.168.7.0 255.255.255.0 any

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address EDM

crypto map newmap 10 set peer x.x.x.x

crypto map newmap 10 set transform-set ESP-3DES-SHA

crypto map newmap interface outside

505 config

no crypto map outside_map 10

no access-list FTMAC

access-list FTMAC permit ip any 192.168.7.0 255.255.255.0

crypto map outside_map 10 ipsec-isakmp

crypto map outside_map 10 match address FTMAC

crypto map outside_map 10 set peer y.y.y.y

crypto map outside_map 10 set transform-set ESP-3DES-SHA

The NAT info at the 505 end is set up for numerous sites, not just the FTMAC site. I did not change those rules.

access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0

access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
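As an added example that is not part of the thread: a small Python check of the crypto-ACL design acomiskey proposed (501: `192.168.7.0/24 -> any`, 515: `any -> 192.168.7.0/24`) run against the exact ACL lines posted above. It parses PIX 6.x `access-list ... permit ip` entries, confirms the two crypto ACLs are exact mirrors (which IKE phase 2 requires), shows which flows each side would encrypt, confirms the 501's `nat 0` list covers everything its crypto ACL encrypts, and shows why the earlier `permit ip any any` proposal would have pulled the 515's own Internet traffic into the tunnel. The function names, the sample flows (`192.168.7.10`, `10.1.2.3`, `8.8.8.8`) and the config snippets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from the thread: a mirror and coverage check for
# PIX 6.x crypto and NAT-exemption ACLs.  Only 'access-list NAME permit ip
# SRC DST' entries are parsed, which is the only form used in this thread.


@dataclass(frozen=True)
class Ace:
    """One 'permit ip' entry: source and destination networks."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(config_text):
    """Return {acl_name: [Ace, ...]} from PIX 6.x 'access-list' lines."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue  # skip deny entries, comments and non-IP ACEs
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(t[1], []).append(Ace(src, dst))
    return acls


def matches(acl, src_ip, dst_ip):
    """True if the flow src_ip -> dst_ip hits a permit entry in this ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in ace.src and d in ace.dst for ace in acl)


def mirrored(local_acl, remote_acl):
    """IKE phase 2 needs the peer's crypto ACL to be the exact reverse of ours."""
    return {(a.src, a.dst) for a in local_acl} == {(a.dst, a.src) for a in remote_acl}


def nat_exempt_covers(nonat_acl, crypto_acl):
    """Each crypto ACE must sit inside a nat 0 ACE, or the flow is NATed first."""
    return all(
        any(c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst) for n in nonat_acl)
        for c in crypto_acl
    )


# Constructed snapshots of the ACL lines posted in this thread.
PIX501_CFG = """
access-list NONAT permit ip 192.168.7.0 255.255.255.0 any
access-list EDM permit ip 192.168.7.0 255.255.255.0 any
"""

PIX515_CFG = """
access-list FTMAC permit ip any 192.168.7.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
"""

# The 'any any' variant proposed earlier in the thread and rejected.
PIX515_ANYANY = "access-list EDM permit ip any any\n"


def check_design():
    """Evaluate the posted ACLs against sample flows; every value should be True."""
    pix501 = parse_acls(PIX501_CFG)
    pix515 = parse_acls(PIX515_CFG)
    anyany = parse_acls(PIX515_ANYANY)["EDM"]
    return {
        "crypto_acls_mirrored": mirrored(pix501["EDM"], pix515["FTMAC"]),
        # spoke LAN host to an Internet address: encrypted toward the 515
        "501_internet_flow_encrypted": matches(pix501["EDM"], "192.168.7.10", "8.8.8.8"),
        # hub LAN host to the Internet: not interesting traffic, stays clear
        "515_own_internet_stays_clear": not matches(pix515["FTMAC"], "10.1.2.3", "8.8.8.8"),
        # with 'any any' on the hub that same flow would be tunnelled
        "anyany_would_tunnel_515_internet": matches(anyany, "10.1.2.3", "8.8.8.8"),
        "501_nat0_covers_crypto": nat_exempt_covers(pix501["NONAT"], pix501["EDM"]),
        # hub inside host to the spoke LAN is already NAT-exempt on the 515
        "515_inside_to_spoke_nat_exempt": matches(pix515["NONAT"], "10.1.2.3", "192.168.7.10"),
    }


if __name__ == "__main__":
    for name, ok in check_design().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

All six checks pass on the posted ACLs, which is consistent with the tunnel coming up: the proxy identities are mirrored and the spoke's `nat 0` covers what it encrypts. The check says nothing about what happens next on the 515, where the decrypted `192.168.7.x -> Internet` packets arrive on the outside interface and would have to be forwarded (and NATed) back out that same interface; that forwarding step is the question the next reply addresses.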

Hello,

This is going to depend on if the 515 is the firewall in which you route all your internet traffic.

It's not going to be possible with version 6 PIX software. Version 7 lets you re-route traffic back out the interface you came in on.

Unless you can force users to a proxy on an internal network on the 515, it's not going to work.

murray-davis Thu, 06/28/2007 - 06:17

Thank you, Acomiskey, for the link. Yes, unfortunately we are at v6.3. We have delayed upgrading because we use PPTP VPN tunneling and are in the process of evaluating the ASA 5500 series. Thanks for your help.
