12-12-2007 01:57 PM - edited 02-21-2020 03:26 PM
Hello
I have a site2site tunnel running between my head office and branch office. From my branch office I will tunnel everything over to the head office. So when a user at the branch office goes to the internet, it has to pass my head office PIX 515. Is this possible? And how do I do it?
\Fredry
12-12-2007 09:01 PM
Sure, you can do that. You just need to put the proper routes on the proper devices in the headoffice.
-brad
(please rate the post if this helps!)
12-13-2007 01:51 AM
Brad,
In this case, a 0.0.0.0 0.0.0.0 route to the remote office gateway should be entered in the local device so local users go to the internet over the remote gateway, correct? If so, how will the local device connect to the peer IP? Something like the following?
route outside remotepeerip 255.255.255.255 localISPgateway metric 1
route outside 0.0.0.0 0.0.0.0 remotegateway metric 2
12-13-2007 07:23 AM
No, that's not how I'd do it.
at the remote office:
route everything to next hop
ENCRYPT EVERYTHING through VPN tunnel
at the head office:
route AND ENCRYPT ALL TRAFFIC DESTINED for REMOTE OFFICE through VPN tunnel
STATIC NAT to translate head office IP subnets AND remote office IP subnet on HEAD OFFICE gateway to internet
DEFAULT route on HEAD OFFICE out to internet.
Does this make sense?
-brad
(please rate the post if this helps!)
12-14-2007 03:13 PM
Sure, but I can't get the static NAT to work.
Can you give me a config example?
\Fredry
12-14-2007 07:10 PM
I am going to show you how to do this. It is so easy
even you will be surprised by it.
LAN_A---RouterA----INTERNET----PixB---LAN_B
LAN_A = 192.168.103.0/24
LAN_B = 10.105.0.0/24
RouterA External IP = 1.1.1.1 (remote office)
PixB outside IP = 2.2.2.2 (HQ)
RouterA config:
access-list 101 permit ip 192.168.103.0 0.0.0.255 any
crypto isakmp key cisco add 2.2.2.2 no-xauth
crypto isakmp keep 10
crypto isakmp pol 1
auth pre
hash sha
encr aes 256
group 5
life 86400
crypto ipsec trans cisco esp-aes 256 esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
set peer 2.2.2.2
set trans cisco
match address 101
set security life sec 3600
set pfs group5
interface F0/0
ip address 1.1.1.1 255.255.255.240
crypto map cisco
PixB config:
isakmp identity address
isakmp enable outside
isakmp key cisco address 1.1.1.1 no-xauth
access-list nonat permit ip 10.105.0.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list VPN permit ip 192.168.103.0 255.255.255.0 any
access-list 101 permit ip 10.105.0.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list 101 permit ip any 192.168.103.0 255.255.255.0
nat (outside) 1 access-list VPN
global (outside) 1 interface
nat (inside) 1 0 0
nat (inside) 0 access-list nonat
same-security-traffic permit intra-interface
sysopt connection permit-ipsec
isakmp pol 1 auth pre
isakmp pol 1 encr aes-256
isakmp pol 1 hash sha
isakmp pol 1 group 5
isakmp pol 1 life 86400
crypto ipsec trans cisco esp-aes-256 esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 set peer 1.1.1.1
crypto map cisco 10 set trans cisco
crypto map cisco 10 set pfs group5
crypto map cisco 10 match address 101
crypto map cisco 10 set security life second 3600
crypto map cisco interface outside
Now traffic from network 192.168.103.0/24 going to the Internet
will have to go over to the Pix firewall at the HQ side.
As I've said before, it is so easy even cavemen can do it
(Geico commercial) :-)
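To see why each line of the PixB config above matters, here is an added Python model of how that firewall should treat the four flow types in the thread (branch to Internet, branch to HQ LAN, HQ LAN to branch, HQ LAN to Internet). It is example code written for this thread, not Cisco's or the poster's, and it deliberately simplifies the PIX order of operations to: intra-interface permit, nat 0 exemption (bidirectional), policy NAT on outside, dynamic NAT on inside, then crypto map match. The Internet address used is a constructed test value.

```python
import ipaddress

# Addressing from the thread: LAN_A is the branch behind RouterA, LAN_B is HQ behind PixB.
LAN_A = ipaddress.ip_network("192.168.103.0/24")
LAN_B = ipaddress.ip_network("10.105.0.0/24")
PIX_OUTSIDE = "2.2.2.2"  # global (outside) 1 interface -> PAT to this address

def _in(addr, net):
    return ipaddress.ip_address(addr) in net

def egress(dst):
    """Routing on PixB: only LAN_B lives inside; everything else follows the default route out."""
    return "inside" if _in(dst, LAN_B) else "outside"

def crypto_match(dst):
    """PixB crypto ACL 101: both entries end in LAN_A, so anything bound for the branch is encrypted."""
    return _in(dst, LAN_A)

def pix_flow(ingress, src, dst, intra_interface=True):
    """Describe what PixB does with one flow (simplified model of the thread's config).

    intra_interface=False shows the effect of leaving out
    'same-security-traffic permit intra-interface': the branch's Internet
    traffic enters and leaves on 'outside' and is dropped without it.
    """
    out = egress(dst)
    if ingress == out == "outside" and not intra_interface:
        return "dropped: same-security-traffic permit intra-interface missing"
    # nat (inside) 0 access-list nonat: LAN_B <-> LAN_A is exempt in both directions
    exempt = (_in(src, LAN_B) and _in(dst, LAN_A)) or (_in(src, LAN_A) and _in(dst, LAN_B))
    if exempt:
        nat = "exempt"
    elif ingress == "outside" and _in(src, LAN_A) and out == "outside":
        nat = f"PAT to {PIX_OUTSIDE}"  # nat (outside) 1 access-list VPN + global (outside) 1
    elif ingress == "inside" and out == "outside":
        nat = f"PAT to {PIX_OUTSIDE}"  # nat (inside) 1 0 0
    else:
        nat = "no translation"
    enc = "encrypted" if out == "outside" and crypto_match(dst) else "clear"
    return f"{ingress}->{out}, {nat}, {enc}"

if __name__ == "__main__":
    internet = "203.0.113.10"  # constructed Internet host for the demo
    print(pix_flow("outside", "192.168.103.10", internet))        # branch -> Internet (U-turn)
    print(pix_flow("outside", "192.168.103.10", internet, False))  # same, without intra-interface
    print(pix_flow("outside", "192.168.103.10", "10.105.0.5"))    # branch -> HQ LAN
    print(pix_flow("inside", "10.105.0.5", "192.168.103.10"))     # HQ LAN -> branch
```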