Jon Marshall Mon, 01/14/2008 - 12:48

Eric


It's not clear from your description what you want to do. Could you expand on your requirements?


Traffic going down the VPN tunnel is defined by the crypto map access-lists.


Jon

eric.loiseau Mon, 01/14/2008 - 13:27

I want my internet traffic from local site A and remote site B (from the vpn tunnel) to go from my outside interface of site A.



I want only an outside site for internet traffic.


Regards




cisco24x7 Mon, 01/14/2008 - 14:16

I am going to show you how to do this. It is so easy even you will be surprised by it.


LAN_A---RouterA----INTERNET----PixB---LAN_B


LAN_A = 192.168.103.0/24

LAN_B = 10.105.0.0/24

RouterA External IP = 1.1.1.1 (remote office)

PixB outside IP = 2.2.2.2 (HQ)


RouterA config:

access-list 101 permit ip 192.168.103.0 0.0.0.255 any
crypto isakmp key cisco add 2.2.2.2 no-xauth
crypto isakmp keep 10
crypto isakmp pol 1
 auth pre
 hash sha
 encr aes 256
 group 5
 life 86400
crypto ipsec trans cisco esp-aes 256 esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 2.2.2.2
 set trans cisco
 match address 101
 set security life sec 3600
 set pfs group5

interface F0/0
 ip address 1.1.1.1 255.255.255.240
 crypto map cisco



PixB config:

isakmp identity address
isakmp enable outside
isakmp key cisco address 1.1.1.1 no-xauth
access-list nonat permit ip 10.105.0.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list VPN permit ip 192.168.103.0 255.255.255.0 any
access-list 101 permit ip 10.105.0.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list 101 permit ip any 192.168.103.0 255.255.255.0
nat (outside) 1 access-list VPN
global (outside) 1 interface
nat (inside) 1 0 0
nat (inside) 0 access-list nonat
same-security-traffic permit intra-interface
sysopt connection permit-ipsec
isakmp pol 1 auth pre
isakmp pol 1 encr aes-256
isakmp pol 1 hash sha
isakmp pol 1 group 5
isakmp pol 1 life 86400
crypto ipsec trans cisco esp-aes-256 esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 set peer 1.1.1.1
crypto map cisco 10 set trans cisco
crypto map cisco 10 set pfs group5
crypto map cisco 10 match address 101
crypto map cisco 10 set security life second 3600
crypto map cisco interface outside




Now traffic from network 192.168.103.0/24 going to the Internet will have to go over to the Pix firewall at the HQ side.

As I've said before, it is so easy even cavemen can do it (Geico commercial) :-)


CCIE Security
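An added check, not part of cisco24x7's post: the crypto ACLs on the two peers must mirror each other (every source/destination pair on one side must be matched by the reversed pair on the other), or phase 2 negotiation fails for the unmatched traffic. This Python parses the router's ACL (IOS wildcard masks) and the PIX's ACL (subnet masks) as they appear in the post and reports entries without a mirror on the other side; the function names are my own.

```python
import ipaddress

# Constructed from the thread: IOS-style ACL on RouterA (wildcard masks)
ROUTER_ACL = """
access-list 101 permit ip 192.168.103.0 0.0.0.255 any
"""
# Constructed from the thread: PIX-style ACL on PixB (subnet masks)
PIX_ACL = """
access-list 101 permit ip 10.105.0.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list 101 permit ip any 192.168.103.0 255.255.255.0
"""

def _net(tokens, wildcard):
    """Consume one address spec (any / host X / addr mask); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:
        # IOS wildcard mask is the bitwise inverse of a subnet mask
        mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_acl(text, wildcard):
    """Return the set of (src, dst) networks from 'access-list N permit ip' lines."""
    entries = set()
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "permit" or t[3] != "ip":
            continue
        src, rest = _net(t[4:], wildcard)
        dst, _ = _net(rest, wildcard)
        entries.add((src, dst))
    return entries

def covers(entries, pair):
    """True if some entry's src and dst networks contain the pair's src and dst."""
    s, d = pair
    return any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in entries)

def check_mirror(local_text, local_wildcard, remote_text, remote_wildcard):
    """List every (src,dst) on one peer that has no (dst,src) counterpart on the other."""
    local = parse_acl(local_text, local_wildcard)
    remote = parse_acl(remote_text, remote_wildcard)
    problems = [f"local {s}->{d} has no mirror on remote"
                for s, d in local if not covers(remote, (d, s))]
    problems += [f"remote {s}->{d} has no mirror on local"
                 for s, d in remote if not covers(local, (d, s))]
    return problems
```

With the ACLs from the post, `check_mirror(ROUTER_ACL, True, PIX_ACL, False)` returns an empty list; drop the `any` line on the PIX side and the router's full-tunnel entry is reported as unmirrored.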
