VPN and not ipsec traffic in the same interface

andrey.v.tyurin
Level 1

Hi all!

I have a problem! I use the outside interface for the Easy VPN server on my PIX 535 (some users use the Cisco VPN client to connect to my PIX to use some security servers):

crypto map xxx_map interface outside

isakmp enable outside

but at the same time I want to pass IP traffic (not IPsec) through the same interface "outside". And I see the following on my syslog server:

PIX-6-110001: No route to 10.1.136.11 from 10.1.102.195

I have this route table:

route outside 0.0.0.0 0.0.0.0 10.1.0.9 1 OTHER static

10.1.102.195 is the address the PIX gives me from its local pool:

ip local pool yyy 10.1.102.129-10.1.102.254

The vpngroup config is the following:

vpngroup xxxgroup address-pool yyy

vpngroup xxxgroup idle-time 1800

vpngroup xxxgroup password ********

Help! Is it possible?

7 Replies

Andrew!

I'm sorry, but your links do not open. I see the following:

Forbidden File or Application

The file or application you are trying to access may require additional entitlement or you are trying to access a file with an invalid name. Additional entitlement levels are granted based on a users relationship with Cisco on a per-application basis.

If you feel you have reached this page in error, please try one of the following methods to locate your document:

1. If you are manually entering the URL into your browser location bar, be sure to include the file name of the page you are trying to access (file names typically end in .htm, .html or .shtml).

2. Use the Search feature located in the upper right section of this page.

3. Return to the Cisco.com Home or select a primary site area from the top navigation bar.

4. Consult with your Cisco Account Manager to confirm you have the appropriate entitlement to access this page.

If you would like to contact someone about this problem, please click on the Contacts & Feedback link below.

OK,

configure the below in the ASA and re-test:-

same-security-traffic permit intra-interface

HTH>

HI!

I'm so sorry that I didn't tell you. The version of my PIX is 6.3(5), and it does not have this command.

If you want to take advantage of this feature, you need to upgrade your device to version 7.x or 8.x.

HTH>

Sorry, but we cannot change this version. We have certification for this version only.

You say that it is possible for versions 7 and 8.

You don't know how to do this in 6.3, am I right?

The functionality is not available in the ver 6.x train.
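
A way to triage these syslog entries, as an added example that is not part of the thread: it flags `110001` messages whose source is in the VPN pool and whose destination routes back out the interface the tunnel terminates on, the same-interface case the replies say 6.x cannot forward. The pool, route and interface come from the original post; the function names and the `inside` route used in the constructed sample are assumptions.

```python
import ipaddress
import re

# Values taken from the configuration quoted in the original post.
VPN_INTERFACE = "outside"                           # crypto map xxx_map interface outside
POOL_FIRST = ipaddress.ip_address("10.1.102.129")   # ip local pool yyy
POOL_LAST = ipaddress.ip_address("10.1.102.254")
ROUTES = [("outside", ipaddress.ip_network("0.0.0.0/0"))]  # route outside 0.0.0.0 0.0.0.0

NO_ROUTE = re.compile(
    r"PIX-6-110001: No route to (\d+\.\d+\.\d+\.\d+) from (\d+\.\d+\.\d+\.\d+)"
)

def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match; returns the interface name or None."""
    hits = [(net.prefixlen, ifc) for ifc, net in routes if dst in net]
    return max(hits)[1] if hits else None

def classify(line, routes=ROUTES):
    """Return None for other messages, else a label for a 110001 entry."""
    m = NO_ROUTE.search(line)
    if not m:
        return None
    dst, src = (ipaddress.ip_address(a) for a in m.groups())
    if not (POOL_FIRST <= src <= POOL_LAST):
        return "not-vpn-client"
    # Tunnel traffic arrives on VPN_INTERFACE; if the route sends it back out
    # the same interface, it is the hairpin case discussed in the thread.
    if egress_interface(dst, routes) == VPN_INTERFACE:
        return "hairpin"
    return "other"

# Constructed sample: first line is from the post, the rest are made up.
SAMPLE = [
    "PIX-6-110001: No route to 10.1.136.11 from 10.1.102.195",
    "PIX-6-110001: No route to 10.1.136.11 from 10.1.102.10",
    "PIX-6-302013: Built outbound TCP connection",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry), "<-", entry)
```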
