05-28-2007 04:46 AM - edited 03-11-2019 03:21 AM
Hi
I need to do a site-to-site connection with two PIX 506E firewalls. On one side is the LAN and on the other side is the customer's server. I was able to make a VPN tunnel so that all traffic went through the VPN tunnel to the server. But after this I couldn't connect to the Internet.
My problem is how to configure the PIX so that Internet traffic wouldn't go into the VPN tunnel. I tried to change the tunnel policy so that the tunnel would only be made if the destination is the server-side PIX, but after this the IPsec tunnel wouldn't come up. Only the IKE connection was made.
Is this kind of configuration possible with two 506E PIX firewalls?
05-28-2007 05:15 AM
You need to get NAT configured properly.
Use the nat zero command for tunneled traffic.
eg:
if 192.168.1.0/24 is the LAN side, 192.168.2.10 is your server
access-list 100 permit ip 192.168.1.0 255.255.255.0 host 192.168.2.10
nat (inside) 0 access-list 100
The above two commands you enter on the LAN side.
Below, the commands go on the side of the tunnel where the server is:
access-list 100 permit ip host 192.168.2.10 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
nat zero exempts traffic from NAT translation and is checked first in the sequence of NAT statements. If a LAN-side host needs to get to the Internet, it will not be NATed because the ACL has explicitly stated what goes across the tunnel (i.e. not NATed), assuming your tunnel ACLs match accordingly.
If this is still confusing, post a sanitized config.
05-29-2007 10:00 AM
I did the configuration according to: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml
Now I can connect to the Internet from both LANs and there is an active IPsec connection between the firewalls, BUT I can't communicate between the LANs. Also, the IPsec connection can only be started from the other LAN.
access-list NoNAT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
I seem to have two NAT statements (the other one must have come from the startup wizard; yes, I'm a newb):
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
On the other PIX:
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
I must test without the second statement tomorrow.
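The two replies above hinge on the same check: the nat 0 (NAT-exempt) ACL on each PIX must list the same source/destination pairs as that PIX's crypto map ACL, and the remote PIX's crypto ACL must be the exact mirror (source and destination swapped). When they drift apart, one side sends unexpected traffic into the tunnel or NATs it before the crypto map sees it, which is the "tunnel up but LANs can't talk" symptom described here. The following Python script is an added example, not code from the thread or from Cisco: it parses constructed PIX-style config fragments (the ACL names NoNAT and VPN and the crypto map line are assumed for illustration), reproduces the PIX rule that nat 0 is consulted before the nat 1 catch-all, and reports where the two sides' ACLs disagree.

```python
import ipaddress
import re

# Constructed config fragments for the two PIXes (not from the thread).
# The server-side fragment is deliberately inconsistent: its crypto ACL
# uses "host 192.168.2.10" while its nat 0 ACL and the LAN side use /24.
LAN_SIDE = """
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map outside_map 10 match address VPN
"""
SERVER_SIDE = """
access-list NoNAT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN permit ip host 192.168.2.10 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map outside_map 10 match address VPN
"""
# Same server side after the crypto ACL is brought in line with nat 0.
SERVER_SIDE_FIXED = SERVER_SIDE.replace(
    "host 192.168.2.10", "192.168.2.0 255.255.255.0")

ACE_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")


def _parse_addr(tokens):
    """Consume one PIX address spec: 'host X', 'any', or 'NET MASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Collect permit-ip ACEs per ACL, the nat 0 ACL name and the crypto ACL name."""
    cfg = {"acls": {}, "nat0": None, "crypto": None}
    for line in text.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            src, rest = _parse_addr(m.group(2).split())
            dst, _ = _parse_addr(rest)
            cfg["acls"].setdefault(m.group(1), set()).add((src, dst))
        elif line.startswith("nat (inside) 0 access-list "):
            cfg["nat0"] = line.split()[-1]
        elif " match address " in line:
            cfg["crypto"] = line.split()[-1]
    return cfg


def is_nat_exempt(cfg, src_ip, dst_ip):
    """PIX order: nat 0 ACL is checked first; a hit means no translation (tunnel).
    Anything else falls through to the nat 1 catch-all and is PATed to the Internet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d
               for s, d in cfg["acls"].get(cfg["nat0"], set()))


def check_pair(local, remote):
    """Return the consistency problems a practitioner would look for first."""
    findings = []
    l_nat0 = local["acls"].get(local["nat0"], set())
    l_vpn = local["acls"].get(local["crypto"], set())
    r_vpn = remote["acls"].get(remote["crypto"], set())
    if l_nat0 != l_vpn:
        findings.append("nat 0 ACL and crypto ACL differ on the local PIX")
    if l_vpn != {(d, s) for s, d in r_vpn}:
        findings.append("local crypto ACL is not the mirror of the remote crypto ACL")
    return findings


if __name__ == "__main__":
    lan, srv, fixed = map(parse_config, (LAN_SIDE, SERVER_SIDE, SERVER_SIDE_FIXED))
    print("LAN host -> server exempt:", is_nat_exempt(lan, "192.168.1.5", "192.168.2.10"))
    print("LAN host -> Internet exempt:", is_nat_exempt(lan, "192.168.1.5", "198.51.100.7"))
    print("server side as posted:", check_pair(srv, lan))
    print("server side fixed:", check_pair(fixed, lan))
```

Run as-is it flags the server side twice (nat 0 vs crypto ACL mismatch, and the non-mirrored crypto ACL) and reports the corrected fragment clean, while Internet-bound traffic from the LAN still falls through to the nat 1 catch-all. The same functions can be pointed at real `show run` output once the ACL and crypto map names are adjusted.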
05-29-2007 10:04 AM
You probably need to post your relevant VPN configs from both sides, including ACLs.
Exclude passwords and public IPs, of course.
Also post the output of "sh run sysopt" please, as well as any ACLs applied to outside interfaces at both ends.