Add unencrypted non IPSec to PIX

Unanswered Question
Apr 3rd, 2008

Hi,

I was hoping I could get some help from the group on the following.

I'm working with a PIX that is set up to only do IPSec connections via the internet. I am trying to add the ability to make unencrypted non IPSec connections to the internet.

Below is a copy of the existing PIX config and what I tried adding to get an unencrypted connections to the internet.

Public IP addresses are not real (2.x.x.x & 6.x.x.x)

Seems like this should be simple. I must me missing something. I am attempting to use PAT (the 2.100.211.40 address)

Thanks,

Michael Hurley

husycisco Thu, 04/03/2008 - 10:13

Hi Michael

no access-list internal_net_access_in extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo

no nat (outside) 0 access-list outside_nat0_outbound

nat (internal_net) 0 access-list outside_nat0_outbound

nat (internal_net) 1 0 0

global (outside) 1 interface

no access-list outside_access_in extended permit icmp 10.0.10.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log

no access-list outside_access_in extended permit icmp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log

no access-list outside_access_in extended permit icmp 10.0.30.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log

no access-list outside_access_in extended permit icmp 10.0.40.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log

no access-list outside_access_in extended permit icmp 10.0.50.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log

access-list outside_access_in extended permit icmp object-group CoLo 10.11.28.0 255.255.255.0 echo-reply log

no access-group internal_net_access_in in interface internal_net

clear xlate

Regards

mvhurley9 Thu, 04/03/2008 - 10:47

Huseyin,

Are you suggesting I remove the IPSec stuff just for testing purposes? I may be able to do this. Eventually we need to have some traffic use IPSec and some traffic go directly to the internet.

Michael

mvhurley9 Thu, 04/03/2008 - 14:38

I am looking at Cisco Document ID 82020 that covers split tunneling. They mention the following: In order to set a split tunneling policy, issue the split-tunnel-policy command in the "group-policy configuration mode".

Can someone tell me how/where to get into the group-policy mode?

Thanks,

Michael

husycisco Fri, 04/04/2008 - 03:15

Michael,

My above suggestions are not for removing IPSec. It makes the traffic originating from 10.11.28.0 255.255.255.0 and destined to object-group CoLo flow through the IPSec Tunnel, and the rest will flow through the outside interface without IPSec, directly to the internet.

Split-tunneling is actually for Remote Access, and has no relationship with your issue.

Regards
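A small model of the NAT decision the reply above describes, as an added example rather than anything posted in the thread. The member subnets of object-group CoLo, the outside interface address and the contents of the nat0 ACL are assumptions (the page never shows them); the crypto map that actually encrypts the exempted traffic is not modelled.

```python
"""Model of the PIX NAT order of operations behind the reply's config:
    nat (internal_net) 0 access-list outside_nat0_outbound   # NAT exemption
    nat (internal_net) 1 0 0                                 # everything else
    global (outside) 1 interface                             # PAT to outside IP
The exemption (nat 0) is bound to internal_net, the interface the traffic
enters, which is why the reply removes the copy bound to 'outside'.
"""
from ipaddress import ip_address, ip_network

# Assumption: object-group CoLo holds the subnets named in the echo-reply ACLs.
COLO = [ip_network(f"10.0.{n}.0/24") for n in (10, 20, 30, 40, 50)]
INTERNAL_NET = ip_network("10.11.28.0/24")
# Assumption: the question's PAT address is the outside interface address.
OUTSIDE_IF_IP = "2.100.211.40"
# 'nat (internal_net) 1 0 0' matches any source address on that interface.
DYNAMIC_NAT_SOURCE = ip_network("0.0.0.0/0")

# Assumed access-list outside_nat0_outbound: (action, source, destinations)
NAT0_ACL = [("permit", INTERNAL_NET, COLO)]


def acl_matches(acl, src, dst):
    """First-match evaluation with the PIX's implicit deny at the end."""
    for action, source, dests in acl:
        if src in source and any(dst in d for d in dests):
            return action == "permit"
    return False


def translate(src_ip, dst_ip):
    """Return (disposition, source address seen on the wire) for an
    inside-to-outside flow. Exemption wins over dynamic NAT, so only
    CoLo-bound traffic keeps its private address for the IPSec tunnel;
    everything else is PATed to the outside interface in clear text."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if acl_matches(NAT0_ACL, src, dst):
        return ("ipsec-tunnel-no-nat", str(src))
    if src in DYNAMIC_NAT_SOURCE:
        return ("clear-text-pat", OUTSIDE_IF_IP)
    return ("no-nat-rule", None)   # with nat-control this flow is dropped


if __name__ == "__main__":
    for flow in (("10.11.28.5", "10.0.30.7"), ("10.11.28.5", "203.0.113.9")):
        print(flow, "->", translate(*flow))
```

Running it shows the CoLo-bound flow leaving untranslated (tunnel candidate) and the internet-bound flow leaving as the outside address; a destination that is missed by the nat0 ACL, such as 10.0.60.1 here, is silently PATed rather than encrypted, which is the check to run after editing that ACL.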
