Static route to the net behind ipsec tunnel from pix 506e 6.3(5)

michaelikus
Level 1

Good day.

There are two networks: 10.30.0.0/24, connected through the PIX 506E 6.3(5), and 10.0.0.0/24, through the 2851 router, using IPsec.

The routers' IPs are 10.30.0.254 and 10.0.0.254.

Now I need access from 10.30.0.0/24 to 10.19.0.0/24, which is behind 10.0.0.0/24.

How must I set up the PIX? In a router configuration it's simple, with ip route etc...

But in the PIX configuration, route outside 10.19.0.0 255.255.255.0 10.0.0.254 doesn't take effect :(

So the scheme looks like this:

(10.30.0.254 inside)PIX(outside)---INTERNET---c2851(10.0.0.254)---(10.0.0.253)cat3550(10.19.0.1)---

regards,

Michael.

P.S. Sorry for my awful English.

3 Replies

andrew.prince
Level 10

On the PIX you have to add 10.19.0.0/24 to the encryption-domain access-list and the no-nat access-list. You also need a static route to point 10.19.0.0/24 out of the outside interface, so the PIX knows it needs to encrypt it.

HTH

Hi Andrew

"You also need a static route to point the 10.19.0.0/24 out of the outside interface, so the PIX knows it needs to encrypt it."

Not sure you do. As long as the PIX knows how to get to the IPsec peer, i.e. the 2811 on its public address, then adding the 10.19.0.0/24 network to the crypto map access-list is enough to make it work. The PIX then knows it needs to be encrypted and simply encapsulates the packet and sends it to the public IP of the 2811.

Mind you, it's been a while since I set up one of these things, so I may be mistaken :-)

Jon

Already done, but no changes.

One more detail.

I'm using IPsec on the PIX behind NAT (my provider gave me an address using PPTP), so I set up NAT traversal on the PIX. Maybe the problem is in it?

--cut--
access-list wan_acl permit ip any any
access-list lan_acl permit ip any any
access-list lan_acl permit icmp any any
access-list t_ipsec permit ip 10.30.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list t_ipsec permit ip 10.30.0.0 255.255.255.0 10.19.0.0 255.255.255.0
access-list t_nonat permit ip 10.30.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list t_nonat permit ip 10.30.0.0 255.255.255.0 10.19.0.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list t_nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group wan_acl in interface outside
access-group lan_acl in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 10.19.0.0 255.255.255.0 10.0.0.254 1
crypto ipsec transform-set ts-1 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map cm-1 21 ipsec-isakmp
crypto map cm-1 21 match address t_ipsec
crypto map cm-1 21 set peer 89.0.0.10
crypto map cm-1 21 set transform-set ts-1
crypto map cm-1 interface outside
isakmp enable outside
isakmp key ******** address 89.0.0.10 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
--end cut--
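An added example, not from this thread and not a Cisco tool: a small Python check run over the crypto, no-nat and route lines of the config posted above. It flags any crypto-ACL destination that is missing from the nat 0 access-list (the point Andrew raises) and any static route whose next hop sits inside a remote encryption-domain subnet, which is what the quoted route does with 10.0.0.254. It assumes only the `permit ip net mask net mask` form of access-list entries, and the next-hop rule is a heuristic of this example, not PIX behaviour stated in the thread.

```python
import ipaddress
import re
# Constructed sample: the crypto, no-nat and route lines from the config posted above.
PIX_CONFIG = """
access-list t_ipsec permit ip 10.30.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list t_ipsec permit ip 10.30.0.0 255.255.255.0 10.19.0.0 255.255.255.0
access-list t_nonat permit ip 10.30.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list t_nonat permit ip 10.30.0.0 255.255.255.0 10.19.0.0 255.255.255.0
nat (inside) 0 access-list t_nonat
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 10.19.0.0 255.255.255.0 10.0.0.254 1
crypto map cm-1 21 match address t_ipsec
"""
# Assumption: only "permit ip <net> <mask> <net> <mask>" entries are parsed (no "any", no ports).
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")

def parse(config):
    acls, routes, nonat, crypto = {}, [], None, []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, sip, smask, dip, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{sip}/{smask}"), ipaddress.ip_network(f"{dip}/{dmask}"))
            acls.setdefault(name, []).append(pair)
        elif m := ROUTE_RE.match(line):
            iface, net, mask, gw = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(gw)))
        elif line.startswith("nat (inside) 0 access-list "):
            nonat = line.split()[-1]          # name of the NAT-exemption ACL
        elif line.startswith("crypto map") and " match address " in line:
            crypto.append(line.split()[-1])   # ACL defining the encryption domain
    return acls, nonat, crypto, routes

def check(config):
    """Return a list of findings; an empty list means both checks pass."""
    acls, nonat, crypto, routes = parse(config)
    crypto_pairs = [p for name in crypto for p in acls.get(name, [])]
    nonat_pairs = set(acls.get(nonat, []))
    findings = []
    for src, dst in crypto_pairs:
        # Encryption-domain traffic must be NAT-exempt, or it is PAT'd to the outside address first.
        if (src, dst) not in nonat_pairs:
            findings.append(f"{src}->{dst} is in the crypto ACL but not in no-nat ACL {nonat}")
    remote_nets = [dst for _, dst in crypto_pairs]
    for iface, net, gw in routes:
        # Heuristic: a next hop inside a remote encryption-domain subnet is reachable only via the tunnel.
        if any(gw in r for r in remote_nets):
            findings.append(f"route {iface} {net} via {gw}: next hop is behind the tunnel")
    return findings
```

Deleting one t_nonat line from the sample reproduces the missing-exemption finding as well.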
