Need help on pix firewall

Unanswered Question
May 16th, 2009

Hi Guys,

I am new to setting up firewall so need some help on the access list. I have set up a vpn on the pix. What I want is the internet traffic should be natted and go out to the internet and other traffic if destinated to should go through the vpn tunnel without natting. So need your guys help to set up access list on the firewall and natting. Please find below the config of the pix:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password TXVwjiULLr7foPi7 encrypted

passwd TXVwjiULLr7foPi7 encrypted

hostname pixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


access-list ACL_NAT0 permit ip

access-list ACL_Inbound permit ip

access-list ACL_Outbound permit ip any any

access-list ACL_Outbound permit ip

access-list Cryptomap_abc permit ip

pager lines 24

logging on

logging buffered errors

logging trap errors

logging history errors

logging facility 17

mtu outside 1500

mtu inside 1500

ip address outside 210.8.X.X

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list ACL_NAT0

access-group ACL_Inbound in interface outside

access-group ACL_Outbound in interface inside

route outside 210.8.X.X

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address cryptomap_abc

crypto map outside_map 20 set peer

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 20 set security-association lifetime seconds 7200 kilobytes 4608000

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 61.X.X.X netmask

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup remote idle-time 1800

telnet timeout 5

ssh outside

ssh inside

ssh timeout 60

console timeout 10

dhcpd address inside

dhcpd dns

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

username norfolk password TgBFC8jS2J3Ix5kt encrypted privilege 15

terminal width 80

Also guys one last thing whether the following configurations is enough if i want the pix to obtain address via pppoe:

vpdn group GRP_NAME request dialout pppoe

vpdn group GRP_NAME localname [email protected]

vpdn group GRP_NAME ppp authentication chap

vpdn username [email protected] password MY_PASSWORD

ip address outside pppoe setroute

Thank you very much guys.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Naveen kumar Tue, 05/19/2009 - 22:30

Hi kuldeep.kaur,

1)Below is the command which will help you to encrypt the VPN traffic only

nat (inside) 0 access-list Cryptomap_abc

2)Please specify the peer ip in the below command

crypto map outside_map 20 set peer 61.X.X.X(missing in running config)

3)Implicitly permit any packet that came from an IPSec tunnel and bypass

the checking of an associated access-list, or access-group

command statement for IPSec connections.

#sysopt connection permit-ipsec


you need to write an ACL what all the traffic you want to allow that came from an IPSec tunnel

and apply on the outside interface.




This Discussion