Site to site VPN problems

ttl-systems
Level 1

Hi

I need to do a site-to-site connection with two PIX 506e firewalls. On one side is the LAN and on the other side is the customer's server. I was able to make a VPN tunnel so that all traffic went through the VPN tunnel to the server. But after this I couldn't connect to the Internet.

My problem is how to configure the PIX so that Internet traffic wouldn't go into the VPN tunnel. I tried to change the tunnel policy so that the tunnel would only be made if the destination is the server-side PIX, but after this the IPsec tunnel wouldn't come up. Only the IKE connection was made.

Is this kind of configuration possible with two 506e PIX firewalls?

3 Replies

srue
Level 7

You need to get NAT configured properly.

Use the nat zero command for tunneled traffic.

eg:

If 192.168.1.0/24 is the LAN side and 192.168.2.10 is your server:

access-list 100 permit ip 192.168.1.0 255.255.255.0 host 192.168.2.10

nat (inside) 0 access-list 100

The above two commands you enter on the LAN side.

Below, the commands go on the side of the tunnel where the server is:

access-list 100 permit ip host 192.168.2.10 192.168.1.0 255.255.255.0

nat (inside) 0 access-list 100

nat zero exempts traffic from NAT translation and is checked first in the sequence of NAT statements. If a LAN-side host needs to get to the Internet, it will not be NAT-exempted, because the ACL has explicitly stated what goes across the tunnel (i.e. what is not NAT'ed), assuming your tunnel ACLs match accordingly.

If this is still confusing, post a sanitized config.

I did the configuration according to: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Now I can connect to the Internet from both LANs and there is an active IPsec connection between the firewalls, BUT I can't communicate between the LANs. Also the IPsec connection can only be started from the other LAN.

access-list NoNAT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

I seem to have two NAT statements (the other one must have come from the startup wizard; yes, I'm a newb :)):

nat (inside) 0 access-list NoNAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

On the other PIX:

nat (inside) 0 access-list NoNAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

I must test without the second statement tomorrow.

You probably need to post your relevant VPN configs from both sides, including ACLs.

Exclude passwords and public IPs, of course.

Also post the output of "sh run sysopt" please, as well as any ACLs applied to the outside interfaces at both ends.
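A small checker for the NAT-exemption logic srue describes and the NoNAT ACLs posted above: it parses PIX-style access-list and nat 0 lines, reports whether a given flow bypasses NAT (and is therefore tunnel-bound) or falls through to the overload NAT, and verifies that the two sides' exemption ACLs mirror each other. This is an added example in Python, not code from the thread or from Cisco; the config strings (including the host-only variant that would not mirror a /24 on the far side) are constructed from the lines in the posts.

```python
import ipaddress

# Constructed from the thread: the two NoNAT setups the original poster listed,
# plus a server-side variant built from srue's host-only example (hypothetical).
LAN_SIDE = """
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
SERVER_SIDE = """
access-list NoNAT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
SERVER_SIDE_HOST_ONLY = """
access-list 100 permit ip host 192.168.2.10 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

def parse_net(tokens, i):
    """Parse 'host A' or 'A MASK' at tokens[i]; PIX ACLs use subnet masks."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1]), i + 2

def parse_config(config):
    """Return ({acl_name: [(src_net, dst_net), ...]}, name of the nat 0 ACL)."""
    acls, nat0_acl = {}, None
    for line in config.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = parse_net(t, 4)
            dst, _ = parse_net(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"] and len(t) > 4:
            nat0_acl = t[4]
    return acls, nat0_acl

def is_nat_exempt(config, src_ip, dst_ip):
    """True if the flow hits the nat 0 ACL (checked first, sent untranslated
    into the tunnel); False means it falls through to nat (inside) 1 and is PATed."""
    acls, nat0_acl = parse_config(config)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acls.get(nat0_acl, []))

def mirrors(local, remote):
    """True if the remote nat 0 ACL is exactly the local one with src/dst swapped."""
    la, ln = parse_config(local)
    ra, rn = parse_config(remote)
    return sorted((d, s) for s, d in la.get(ln, [])) == sorted(ra.get(rn, []))
```

Run the same mirror check against the crypto ACLs on both ends; an exemption ACL that is broader or narrower than the far side's is the usual reason Phase 1 comes up while Phase 2 never completes.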
