06-26-2007 07:20 AM - edited 02-21-2020 01:34 AM
Two endpoints, a PIX 501 and a PIX 515, connected with an IPsec tunnel. The PIX 501 uses DHCP to get its IP address and route info. Therefore, all internet traffic goes out the outside interface. I want to send internet traffic to the tunnel endpoint where the 505 is so that our application layer firewall can apply policies. How do I accomplish this?
06-26-2007 07:29 AM
Specify your interesting traffic and NAT exemption ACLs as being to any in the 501; then all traffic will pass over the tunnel.
Also, you said 505, did you mean 515?
Please rate helpful posts.
06-26-2007 07:40 AM
Yes, I meant 515. Here is my acl:
access-list NONAT permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 192.168.7.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 192.168.7.0 255.255.255.0 10.1.0.0 255.255.0.0
So, if I understand you correctly, I need to add the following to my acls at the 501 end and do the same at the 515 end for the corresponding EDM acl for the tunnel:
access-list NONAT permit ip any any
access-list EDM permit ip any any
Is this correct?
Thank you for your response.
06-26-2007 07:49 AM
Not exactly. If you add those lines to the 515, then all traffic from the 515 will go over the tunnel as well, which you don't want, right?
I would make it like this...
501
access-list NONAT permit ip 192.168.7.0 255.255.255.0 any
access-list EDM permit ip 192.168.7.0 255.255.255.0 any
515
access-list NONAT permit ip any 192.168.7.0 255.255.255.0
access-list EDM permit ip any 192.168.7.0 255.255.255.0
This way, all traffic from the 501 will cross the tunnel, but only traffic for 192.168.7.0/24 will cross the tunnel from the 515.
06-26-2007 11:22 AM
Did that help?
06-26-2007 11:31 AM
Sorry, for the delay, fires to put out... I hope to return to this issue later today. I will test and definitely let you know.
Regards,
06-27-2007 01:29 PM
Tried today. The tunnel came up, but Internet did not work. Here are the commands/changes that I made, with public IP info x/y'd out.
501 config
no access-list NONAT
access-list NONAT permit ip 192.168.7.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
no crypto map newmap 10
no access-list EDM
access-list EDM permit ip 192.168.7.0 255.255.255.0 any
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address EDM
crypto map newmap 10 set peer x.x.x.x
crypto map newmap 10 set transform-set ESP-3DES-SHA
crypto map newmap interface outside
505 config
no crypto map outside_map 10
no access-list FTMAC
access-list FTMAC permit ip any 192.168.7.0 255.255.255.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address FTMAC
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-SHA
The NAT info at the 505 end is set up for numerous sites, not just the FTMAC site. I did not change those rules.
access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
06-27-2007 05:37 PM
Hello,
This is going to depend on whether the 515 is the firewall through which you route all your internet traffic.
It's not going to be possible with version 6 PIX software. Version 7 lets you re-route traffic back out the interface you came in on.
Unless you can force users to a proxy on an internal network behind the 515, it's not going to work.
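As an added illustration of what the previous post describes (this is not configuration from the thread and was not posted by any participant), here is the shape the 515-side configuration takes once the hub runs PIX 7.x or later. The point is the command that allows traffic to re-enter and leave the same interface, plus a PAT rule for the remote LAN on the outside interface so hairpinned internet traffic has a public source address. The ACL and crypto map names (FTMAC, NONAT, outside_map), the peer placeholder y.y.y.y and the NAT id 1 are carried over from the thread or chosen for this example and are assumptions.

```cisco
! Added example (not from the thread): hub-side (515) fragment for PIX 7.x / ASA.
! Lets 192.168.7.0/24 traffic that arrives through the tunnel leave again via
! the outside interface ("public Internet on a stick"). Names and addresses
! below are placeholders/assumptions.

! 1. Permit traffic to enter and exit the same interface (hairpinning).
!    This is the capability the post above says 6.3 does not have.
same-security-traffic permit intra-interface

! 2. Crypto ACL on the hub: only traffic to/from the remote LAN is interesting,
!    so the hub's own internet traffic is never pulled into the tunnel.
access-list FTMAC permit ip any 192.168.7.0 255.255.255.0

! 3. NAT exemption for tunnelled traffic between the remote LAN and the
!    internal networks (same exemptions as the thread's existing NONAT list).
access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! 4. PAT the remote LAN behind the hub's outside address when its traffic is
!    hairpinned back out to the Internet. Return packets are un-PATed to
!    192.168.7.x, then match FTMAC and are encrypted back into the tunnel.
nat (outside) 1 192.168.7.0 255.255.255.0
global (outside) 1 interface

! 5. Crypto map entry, as on the thread's 515 side.
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address FTMAC
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
```

Two things to check after applying it: `show xlate` should show 192.168.7.x hosts translated to the outside interface address when they browse, and `show crypto ipsec sa` on the 515 should show encaps/decaps counters rising for the 192.168.7.0/24 proxy identity in both directions. If the tunnel comes up but internet access still fails, the usual cause is step 4 missing, so the hairpinned packets leave with a private source address and never get a reply.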
06-28-2007 05:03 AM
murray, sorry about that, I thought you had that part worked out. As the previous poster said, you will need your 515 to be on version 7 for this to work unless you have some proxy on the inside. Here is the document for public internet on a stick.
06-28-2007 06:17 AM
Thank you, Acomiskey for the link. Yes, unfortunately we are at v6.3. We have delayed upgrading because we use pptp vpn tunneling and are in the process of evaluating the ASA5500 series. Thanks, for your help.