01-14-2008 12:18 PM - edited 02-21-2020 01:51 AM
I have an IPsec VPN between two PIXes, but now I want all Internet traffic to pass through my central PIX. Is that possible?
01-14-2008 12:48 PM
Eric
It's not clear from your description what you want to do. Could you expand on your requirements?
Traffic going down the VPN tunnel is defined by the crypto map access lists.
Jon
01-14-2008 01:27 PM
I want my Internet traffic from local site A and from remote site B (coming over the VPN tunnel) to go out through the outside interface of site A.
I want a single site to be the outside exit point for Internet traffic.
Regards
01-14-2008 02:16 PM
I am going to show you how to do this. It is so easy that even you will be surprised by it.
LAN_A---RouterA----INTERNET----PixB---LAN_B
LAN_A = 192.168.103.0/24
LAN_B = 10.105.0.0/24
RouterA External IP = 1.1.1.1 (remote office)
PixB outside IP = 2.2.2.2 (HQ)
RouterA config:
! Phase 1 (ISAKMP); "cisco" is the thread's placeholder pre-shared key
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encryption aes 256
 group 5
 lifetime 86400
crypto isakmp key cisco address 2.2.2.2 no-xauth
crypto isakmp keepalive 10
!
! Phase 2 (IPsec)
crypto ipsec transform-set cisco esp-aes 256 esp-sha-hmac
!
! Interesting traffic: everything sourced from LAN_A, Internet-bound traffic included
access-list 101 permit ip 192.168.103.0 0.0.0.255 any
!
crypto map cisco 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set cisco
 set pfs group5
 set security-association lifetime seconds 3600
 match address 101
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.240
 crypto map cisco
PixB config:
! Phase 1 (ISAKMP); "cisco" is the thread's placeholder pre-shared key
isakmp enable outside
isakmp identity address
isakmp key cisco address 1.1.1.1 no-xauth
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400
!
! NAT: exempt LAN_B <-> LAN_A, PAT everything else leaving outside,
! and PAT LAN_A's Internet traffic that arrives on outside and leaves on outside again
access-list nonat permit ip 10.105.0.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list VPN permit ip 192.168.103.0 255.255.255.0 any
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
global (outside) 1 interface
nat (outside) 1 access-list VPN
!
! Crypto ACL: LAN_B to LAN_A, plus anything (Internet replies) destined for LAN_A
access-list 101 permit ip 10.105.0.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list 101 permit ip any 192.168.103.0 255.255.255.0
!
! Allow the outside-to-outside hairpin and let IPsec traffic bypass the interface ACLs
same-security-traffic permit intra-interface
sysopt connection permit-ipsec
!
! Phase 2 (IPsec)
crypto ipsec transform-set cisco esp-aes-256 esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 set peer 1.1.1.1
crypto map cisco 10 set transform-set cisco
crypto map cisco 10 set pfs group5
crypto map cisco 10 match address 101
crypto map cisco 10 set security-association lifetime seconds 3600
crypto map cisco interface outside
Now traffic from network 192.168.103.0/24 going to the Internet will have to go over to the PIX firewall at the HQ side.
As I've said before, it is so easy even cavemen can do it (Geico commercial) :-)
CCIE Security
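Added example, not code from the thread: a small stateless Python model of the two policies posted above, so you can check where a given flow ends up before touching the boxes. The ACLs, NAT rules and the 1.1.1.1/2.2.2.2/192.168.103.0/10.105.0.0 addresses are the thread's own; the host addresses and the Internet host 198.51.100.5 (a documentation address) are constructed for illustration. The model matches crypto ACLs on post-NAT addresses, as PIX and IOS do, and reply packets are fed in as they look after the PIX has already undone its PAT.

```python
"""Trace the flows from the thread through RouterA (IOS) and PixB (PIX).

Added example, not the thread's own code. Addresses below are the ones in
the thread; the hosts and 198.51.100.5 are constructed sample inputs.
"""
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def ios_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACL entry: address plus wildcard mask (0 bits must match).
    Only contiguous wildcards are handled; others raise ValueError."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def pix_net(addr: str, netmask: str) -> ipaddress.IPv4Network:
    """PIX ACL entry: address plus ordinary subnet mask."""
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def acl_permits(entries, src: str, dst: str) -> bool:
    """First-match evaluation of (action, src_net, dst_net) entries,
    with the implicit deny at the end of every ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


# --- RouterA: access-list 101 permit ip 192.168.103.0 0.0.0.255 any ----------
ROUTER_CRYPTO_ACL = [("permit", ios_net("192.168.103.0", "0.0.0.255"), ANY)]

# --- PixB ---------------------------------------------------------------------
LAN_A = pix_net("192.168.103.0", "255.255.255.0")
LAN_B = pix_net("10.105.0.0", "255.255.255.0")
PIX_OUTSIDE_IP = "2.2.2.2"                 # global (outside) 1 interface
PIX_NONAT = [("permit", LAN_B, LAN_A)]     # nat (inside) 0 access-list nonat
PIX_VPN = [("permit", LAN_A, ANY)]         # nat (outside) 1 access-list VPN
PIX_CRYPTO = [("permit", LAN_B, LAN_A),    # access-list 101 (crypto map)
              ("permit", ANY, LAN_A)]


def router_egress(src: str, dst: str) -> str:
    """RouterA: a packet leaving F0/0 is encrypted iff the crypto ACL permits it."""
    return "tunnel" if acl_permits(ROUTER_CRYPTO_ACL, src, dst) else "clear"


def pix_forward(src: str, dst: str, ingress: str, intra_interface: bool = True):
    """Return (egress interface, source after NAT, encrypted) for a packet
    entering PixB on `ingress` ("inside" or "outside").

    Modelled order of operations: route lookup, NAT on the egress interface,
    then the crypto map on the outside interface. `intra_interface` mirrors
    `same-security-traffic permit intra-interface`; without it the
    outside-to-outside hairpin is dropped."""
    egress = "inside" if ipaddress.IPv4Address(dst) in LAN_B else "outside"
    if egress == "inside":
        # nothing is translated toward the inside: there is no global (inside)
        return egress, src, False
    if ingress == "inside":
        # nat (inside) 0 exempts LAN_B->LAN_A; the rest is PATed by nat (inside) 1
        new_src = src if acl_permits(PIX_NONAT, src, dst) else PIX_OUTSIDE_IP
    else:
        if not intra_interface:
            return "dropped", src, False
        # hairpin: LAN_A's Internet traffic is PATed by nat (outside) 1
        new_src = PIX_OUTSIDE_IP if acl_permits(PIX_VPN, src, dst) else src
    encrypted = acl_permits(PIX_CRYPTO, new_src, dst)
    return egress, new_src, encrypted


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("192.168.103.10", "198.51.100.5", "outside"),  # LAN_A -> Internet, via tunnel
        ("198.51.100.5", "192.168.103.10", "outside"),  # reply, after un-PAT
        ("192.168.103.10", "10.105.0.20", "outside"),   # LAN_A -> LAN_B
        ("10.105.0.20", "192.168.103.10", "inside"),    # LAN_B -> LAN_A
        ("10.105.0.20", "198.51.100.5", "inside"),      # LAN_B -> Internet
    ]
    for src, dst, ingress in flows:
        print(f"{src:>15} -> {dst:<15} in:{ingress:<7}", pix_forward(src, dst, ingress))
```

The interesting case is the hairpin: LAN_A's Internet traffic arrives decrypted on outside, is PATed to 2.2.2.2 by the outside NAT rule and leaves outside in the clear, while the reply (matched by the `any -> 192.168.103.0/24` crypto entry after the PAT is undone) goes back into the tunnel. Setting `intra_interface=False` shows what happens when `same-security-traffic permit intra-interface` is missing.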