How to send Internet traffic to VPN tunnel endpoint & not outside interface

Jun 26th, 2007

Two endpoints, a PIX 501 and a PIX 515, connected with an IPsec tunnel. The PIX 501 uses DHCP to get its IP address and route info. Therefore, all Internet traffic goes out the outside interface. I want to send Internet traffic to the tunnel endpoint where the 505 is so that our application layer firewall can apply policies. How do I accomplish this?

Overall Rating: 4.3 (3 ratings)
acomiskey Tue, 06/26/2007 - 07:29
User Badges:
  • Green, 3000 points or more

Specify your interesting-traffic and NAT exemption ACLs as being to "any" in the 501; then all traffic will pass over the tunnel.


Also, you said 505, did you mean 515?


Please rate helpful posts.

murray-davis Tue, 06/26/2007 - 07:40

Yes, I meant 515. Here is my acl:

access-list NONAT permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 192.168.7.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 192.168.7.0 255.255.255.0 10.1.0.0 255.255.0.0


So, if I understand you correctly, I need to add the following to my ACLs at the 501 end and do the same at the 515 end for the corresponding EDM ACL for the tunnel:

access-list NONAT permit ip any any
access-list EDM permit ip any any


Is this correct?


Thank you for your response.

acomiskey Tue, 06/26/2007 - 07:49
User Badges:
  • Green, 3000 points or more

Not exactly. If you add those lines to the 515, then all traffic from the 515 will go over the tunnel as well, which you don't want, right?


I would make it like this...


501

access-list NONAT permit ip 192.168.7.0 255.255.255.0 any
access-list EDM permit ip 192.168.7.0 255.255.255.0 any

515

access-list NONAT permit ip any 192.168.7.0 255.255.255.0
access-list EDM permit ip any 192.168.7.0 255.255.255.0

This way, all traffic from the 501 will cross the tunnel, but only traffic for 192.168.7.x will cross the tunnel from the 515.

murray-davis Tue, 06/26/2007 - 11:31

Sorry for the delay, fires to put out... I hope to return to this issue later today. I will test and definitely let you know.


Regards,

murray-davis Wed, 06/27/2007 - 13:29

Tried today. The tunnel came up, but Internet did not work. Here are the commands/changes that I made, with public IP info x/y'd out.

501 config

no access-list NONAT
access-list NONAT permit ip 192.168.7.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

no crypto map newmap 10
no access-list EDM
access-list EDM permit ip 192.168.7.0 255.255.255.0 any
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address EDM
crypto map newmap 10 set peer x.x.x.x
crypto map newmap 10 set transform-set ESP-3DES-SHA
crypto map newmap interface outside


515 config

no crypto map outside_map 10
no access-list FTMAC
access-list FTMAC permit ip any 192.168.7.0 255.255.255.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address FTMAC
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-SHA


The NAT info at the 515 end is set up for numerous sites, not just the FTMAC site. I did not change those rules.

access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0



Hello,

This is going to depend on whether the 515 is the firewall through which you route all your Internet traffic.

It's not going to be possible with version 6 PIX software. Version 7 lets you re-route traffic back out the interface it came in on.

Unless you can force users to a proxy on an internal network on the 515, it's not going to work.


acomiskey Thu, 06/28/2007 - 05:03
User Badges:
  • Green, 3000 points or more

murray, sorry about that, I thought you had that part worked out. As the previous poster said, you will need your 515 to be on version 7 for this to work, unless you have some proxy on the inside. Here is the document for public Internet on a stick.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml
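The following is an added example, not code from the thread or from Cisco. It is a small Python model of the two points the answers above make: acomiskey's asymmetric crypto/NAT-exemption ACLs (501: 192.168.7.0/24 to any, 515: any to 192.168.7.0/24) select every flow from the 501's LAN for the tunnel but only flows to 192.168.7.0/24 from the 515, and the two ACLs remain mirror images, which IPsec phase-2 proxy-ID negotiation requires; a "permit ip any any" on the 515 would pull that site's own Internet traffic into the tunnel. It also models the hairpin decision the last two replies describe: a decrypted packet on the 515 that must go back out the outside interface is dropped on 6.x and forwarded on 7.x. The subnets and ACL names are the ones posted; INTERNET_HOST, HOST_501 and HOST_515 are constructed sample addresses, and the 7.x command named in the comment is my assumption, not something the thread states.

```python
"""Model of PIX crypto-ACL selection, mirror-image checking and hairpinning.
Added example for this thread; not the posters' or Cisco's code."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_ace(line):
    """Parse 'access-list NAME permit ip SRC MASK DST MASK' in PIX 6.x syntax
    (ordinary subnet masks, or the keyword 'any'). Returns (name, src, dst)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    nets, i = [], 4
    for _ in range(2):
        if tok[i] == "any":
            nets.append(ANY)
            i += 1
        else:  # PIX access-lists take real netmasks, not IOS wildcard masks
            nets.append(ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False))
            i += 2
    return tok[1], nets[0], nets[1]


def load_acls(lines):
    """Group parsed ACEs by access-list name: {name: [(src_net, dst_net), ...]}."""
    acls = {}
    for line in lines:
        name, src, dst = parse_ace(line)
        acls.setdefault(name, []).append((src, dst))
    return acls


def selected(aces, src, dst):
    """True if the flow src->dst hits any permit ACE, i.e. it is 'interesting'
    traffic for the crypto map (or NAT-exempt for a 'nat 0 access-list')."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in aces)


def mirror_image(aces_a, aces_b):
    """Crypto ACLs on the two peers must be mirror images: every (src, dst) on
    one side must appear as (dst, src) on the other, otherwise the phase-2
    proxy IDs disagree and no SA comes up for that flow."""
    return {(d, s) for s, d in aces_a} == set(aces_b)


# ACLs as posted for the 501 after the change, and two candidates for the 515.
PIX501 = load_acls([
    "access-list NONAT permit ip 192.168.7.0 255.255.255.0 any",
    "access-list EDM permit ip 192.168.7.0 255.255.255.0 any",
])
PIX515_PROPOSED = load_acls(["access-list FTMAC permit ip any 192.168.7.0 255.255.255.0"])
PIX515_ANY_ANY = load_acls(["access-list FTMAC permit ip any any"])

INTERNET_HOST = "198.51.100.10"   # constructed sample destination (TEST-NET-2)
HOST_501 = "192.168.7.25"         # constructed host on the 501's LAN
HOST_515 = "10.1.2.3"             # constructed host on the 515's LAN


def tunneled_from_501(dst):
    """Does a packet from the 501's LAN to dst enter the tunnel?"""
    return selected(PIX501["EDM"], HOST_501, dst)


def tunneled_from_515(acls, dst):
    """Does a packet from the 515's LAN to dst enter the tunnel?"""
    return selected(acls["FTMAC"], HOST_515, dst)


def forward_on_515(ingress_if, egress_if, intra_interface_permitted):
    """Decision for a packet already decrypted on the 515. Assumption (PIX
    behaviour as described in the thread; the command name is mine): 6.x never
    sends a packet back out the interface it arrived on, so tunnel traffic bound
    for the Internet (in 'outside', out 'outside') is dropped; 7.x forwards it
    once 'same-security-traffic permit intra-interface' is configured."""
    if ingress_if == egress_if and not intra_interface_permitted:
        return "drop"
    return "forward"


if __name__ == "__main__":
    print("501 -> Internet tunneled:", tunneled_from_501(INTERNET_HOST))
    print("515 -> Internet tunneled (proposed ACL):", tunneled_from_515(PIX515_PROPOSED, INTERNET_HOST))
    print("515 -> Internet tunneled (any any):", tunneled_from_515(PIX515_ANY_ANY, INTERNET_HOST))
    print("mirror image (proposed):", mirror_image(PIX501["EDM"], PIX515_PROPOSED["FTMAC"]))
    print("6.x hairpin:", forward_on_515("outside", "outside", False))
    print("7.x hairpin:", forward_on_515("outside", "outside", True))
```

Running it shows the split the thread arrives at: every flow from the 501 side is tunneled, the 515 only tunnels flows back to 192.168.7.0/24, and the only thing left to solve is the hairpin on the 515, which this model (like the thread) attributes to the 6.x/7.x difference rather than to the ACLs.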

murray-davis Thu, 06/28/2007 - 06:17

Thank you, acomiskey, for the link. Yes, unfortunately we are at v6.3. We have delayed upgrading because we use PPTP VPN tunneling and are in the process of evaluating the ASA 5500 series. Thanks for your help.
