05-16-2009 06:31 PM - edited 03-11-2019 08:33 AM
Hi Guys,
I am new to setting up firewall so need some help on the access list. I have set up a vpn on the pix. What I want is the internet traffic should be natted and go out to the internet and other traffic if destinated to 10.0.0.0 255.0.0.0 should go through the vpn tunnel without natting. So need your guys help to set up access list on the firewall and natting. Please find below the config of the pix:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password TXVwjiULLr7foPi7 encrypted
passwd TXVwjiULLr7foPi7 encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ACL_NAT0 permit ip 10.151.251.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list ACL_Inbound permit ip 10.0.0.0 255.0.0.0 10.151.251.0 255.255.255.0
access-list ACL_Outbound permit ip any any
access-list ACL_Outbound permit ip 10.151.251.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Cryptomap_abc permit ip 10.151.251.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging on
logging buffered errors
logging trap errors
logging history errors
logging facility 17
mtu outside 1500
mtu inside 1500
ip address outside 210.8.X.X 255.255.255.252
ip address inside 10.151.251.251 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list ACL_NAT0
access-group ACL_Inbound in interface outside
access-group ACL_Outbound in interface inside
route outside 0.0.0.0 0.0.0.0 210.8.X.X
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address cryptomap_abc
crypto map outside_map 20 set peer
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 7200 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 61.X.X.X netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote idle-time 1800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.151.251.1 255.255.255.255 inside
ssh timeout 60
console timeout 10
dhcpd address 10.151.251.1-10.151.251.32 inside
dhcpd dns 10.150.246.1 10.150.246.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username norfolk password TgBFC8jS2J3Ix5kt encrypted privilege 15
terminal width 80
Also guys one last thing whether the following configurations is enough if i want the pix to obtain address via pppoe:
vpdn group GRP_NAME request dialout pppoe
vpdn group GRP_NAME localname username@isp
vpdn group GRP_NAME ppp authentication chap
vpdn username username@isp password MY_PASSWORD
ip address outside pppoe setroute
Thank you very much guys.
05-19-2009 10:30 PM
Hi kuldeep.kaur,
1)Below is the command which will help you to encrypt the VPN traffic only
nat (inside) 0 access-list Cryptomap_abc
2)Please specify the peer ip in the below command
crypto map outside_map 20 set peer 61.X.X.X(missing in running config)
3)Implicitly permit any packet that came from an IPSec tunnel and bypass
the checking of an associated access-list, or access-group
command statement for IPSec connections.
#sysopt connection permit-ipsec
Or
you need to write an ACL what all the traffic you want to allow that came from an IPSec tunnel
and apply on the outside interface.
Rgrds
Naveen
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide