Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
278
Views
0
Helpful
1
Replies

Need help on pix firewall

kuldeep.kaur
Level 1
Level 1

‎05-16-2009 06:31 PM - edited ‎03-11-2019 08:33 AM

Hi Guys,

I am new to setting up firewall so need some help on the access list. I have set up a vpn on the pix. What I want is the internet traffic should be natted and go out to the internet and other traffic if destinated to 10.0.0.0 255.0.0.0 should go through the vpn tunnel without natting. So need your guys help to set up access list on the firewall and natting. Please find below the config of the pix:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password TXVwjiULLr7foPi7 encrypted

passwd TXVwjiULLr7foPi7 encrypted

hostname pixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list ACL_NAT0 permit ip 10.151.251.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list ACL_Inbound permit ip 10.0.0.0 255.0.0.0 10.151.251.0 255.255.255.0

access-list ACL_Outbound permit ip any any

access-list ACL_Outbound permit ip 10.151.251.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list Cryptomap_abc permit ip 10.151.251.0 255.255.255.0 10.0.0.0 255.0.0.0

pager lines 24

logging on

logging buffered errors

logging trap errors

logging history errors

logging facility 17

mtu outside 1500

mtu inside 1500

ip address outside 210.8.X.X 255.255.255.252

ip address inside 10.151.251.251 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list ACL_NAT0

access-group ACL_Inbound in interface outside

access-group ACL_Outbound in interface inside

route outside 0.0.0.0 0.0.0.0 210.8.X.X

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address cryptomap_abc

crypto map outside_map 20 set peer

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 20 set security-association lifetime seconds 7200 kilobytes 4608000

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 61.X.X.X netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup remote idle-time 1800

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 10.151.251.1 255.255.255.255 inside

ssh timeout 60

console timeout 10

dhcpd address 10.151.251.1-10.151.251.32 inside

dhcpd dns 10.150.246.1 10.150.246.2

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

username norfolk password TgBFC8jS2J3Ix5kt encrypted privilege 15

terminal width 80

Also guys one last thing whether the following configurations is enough if i want the pix to obtain address via pppoe:

vpdn group GRP_NAME request dialout pppoe

vpdn group GRP_NAME localname username@isp

vpdn group GRP_NAME ppp authentication chap

vpdn username username@isp password MY_PASSWORD

ip address outside pppoe setroute

Thank you very much guys.

Labels:
0 Helpful
1 Reply 1

CSCO10905906
Level 1
Level 1

‎05-19-2009 10:30 PM

Hi kuldeep.kaur,

1)Below is the command which will help you to encrypt the VPN traffic only

nat (inside) 0 access-list Cryptomap_abc

2)Please specify the peer ip in the below command

crypto map outside_map 20 set peer 61.X.X.X(missing in running config)

3)Implicitly permit any packet that came from an IPSec tunnel and bypass

the checking of an associated access-list, or access-group

command statement for IPSec connections.

#sysopt connection permit-ipsec

Or

you need to write an ACL what all the traffic you want to allow that came from an IPSec tunnel

and apply on the outside interface.

Rgrds

Naveen

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card