01-15-2009 02:29 AM - edited 03-06-2019 03:27 AM
Good day.
There are two networks: 10.30.0.0/24, connected through a PIX 506E running 6.3(5), and 10.0.0.0/24, connected through a 2851 router, linked using IPsec.
The routers' IPs are 10.30.0.254 and 10.0.0.254.
Now I need access from 10.30.0.0/24 to 10.19.0.0/24, which is behind 10.0.0.0/24.
How must I set up the PIX? In the router configuration it is simply done with ip route etc.
But on the PIX the configuration route outside 10.19.0.0 255.255.255.0 10.0.0.254 doesn't take effect :(
So the scheme looks like this:
(10.30.0.254 inside)PIX(outside)---INTERNET---c2851(10.0.0.254)---(10.0.0.253)cat3550(10.19.0.1)---
regards,
Michael.
P.S. Sorry for my awful English.
01-15-2009 03:34 AM
On the PIX you have to add the 10.19.0.0/24 to the encryption domain access-list and the no-nat access-list. You also need a static route to point the 10.19.0.0/24 out of the outside interface, so the PIX knows it needs to encrypt it.
HTH
01-15-2009 03:45 AM
Hi Andrew
"You also need a static route to point the 10.19.0.0/24 out of the outside interface, so the PIX knows it needs to encrypt it."
Not sure you do. As long as the PIX knows how to get to the IPsec peer, i.e. the 2811 on its public address, then adding the 10.19.0.0/24 network to the crypto map access-list is enough to make it work. The PIX then knows it needs to be encrypted and simply encapsulates the packet and sends it to the public IP of the 2811.
Mind you, it's been a while since I set up one of these things, so I may be mistaken :-)
Jon
01-15-2009 03:51 AM
Already done, but no changes.
One more detail.
I'm using IPsec on the PIX behind NAT (my provider gave me an address using PPTP), so I set up NAT traversal on the PIX. Maybe the problem is in that?
--cut--
access-list wan_acl permit ip any any
access-list lan_acl permit ip any any
access-list lan_acl permit icmp any any
access-list t_ipsec permit ip 10.30.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list t_ipsec permit ip 10.30.0.0 255.255.255.0 10.19.0.0 255.255.255.0
access-list t_nonat permit ip 10.30.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list t_nonat permit ip 10.30.0.0 255.255.255.0 10.19.0.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list t_nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group wan_acl in interface outside
access-group lan_acl in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 10.19.0.0 255.255.255.0 10.0.0.254 1
crypto ipsec transform-set ts-1 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map cm-1 21 ipsec-isakmp
crypto map cm-1 21 match address t_ipsec
crypto map cm-1 21 set peer 89.0.0.10
crypto map cm-1 21 set transform-set ts-1
crypto map cm-1 interface outside
isakmp enable outside
isakmp key ******** address 89.0.0.10 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
--end cut--