Cisco Support Community

New Member

IPSEC NAT0 and separating internet traffic from tunnel traffic.

I have a situation with a Corporate Office PIX connecting to a Branch Office Watchguard via an IPSec tunnel, with internal hosts on the corporate LAN also needing access to the internet, as well as an internal ISA Server publishing ftp, smtp, www, ssl and rdp services to the internet. I've included the config for reference, but I'm curious as to whether the following would work as config'd. I haven't tried it live since the IPSec tunnel is not available yet; however, I just wanted to make sure I'm on the right track.

I'm also curious as to why two separate access-lists are needed for internal hosts' NAT 0 and the crypto map. Wouldn't one suffice, other than for future expandability?

---------------------------------------------------------------------

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

access-list 101 permit tcp any host 208.24.24.135 eq ftp
access-list 101 permit tcp any host 208.24.24.135 eq smtp
access-list 101 permit tcp any host 208.24.24.135 eq www
access-list 101 permit tcp any host 208.24.24.135 eq 443
access-list 101 permit tcp any host 208.24.24.135 eq 3389
access-list 401 permit ip 192.168.254.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 201 permit ip 192.168.254.0 255.255.255.0 192.168.10.0 255.255.255.0

ip address outside 208.24.24.130 255.255.255.192
ip address inside 192.168.254.1 255.255.255.0

global (outside) 1 208.24.24.180-208.24.24.189 netmask 255.255.255.192
global (outside) 1 208.24.24.190 netmask 255.255.255.192
nat (inside) 0 access-list 401
nat (inside) 1 192.168.254.0 255.255.255.0 0 0
static (inside,outside) 208.24.24.135 192.168.254.253 netmask 255.255.255.255 0 0
access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 208.24.24.129 1
route inside 192.168.20.0 255.255.255.0 192.168.254.253 1

sysopt connection permit-ipsec
no sysopt route dnat

crypto ipsec transform-set ipsectunnel esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 5000
crypto map ipsecout 21 ipsec-isakmp
crypto map ipsecout 21 match address 201
crypto map ipsecout 21 set peer 212.12.12.230
crypto map ipsecout 21 set transform-set ipsectunnel
crypto map ipsecout interface outside

isakmp enable outside
isakmp key ******** address 212.12.12.230 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400

2 REPLIES
Cisco Employee

Re: IPSEC NAT0 and separating internet traffic from tunnel traffic.

The configuration seems ok. And you are right, one access-list would suffice unless in the future you have different crypto maps with different ACLs.

Hope this helps,

-Nairi
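The point in this reply, worked through as an added example that is not part of the original thread: a small Python model of how the posted PIX config picks a translation and a crypto-map entry for each inside-to-outside flow, and a check that every crypto-map ACL pair is also covered by the nat 0 ACL once a second peer is added. It assumes the page's ACLs 401 and 201, uses 208.24.24.190 (the last global) as the PAT address, and the second peer 203.0.113.9 with remote network 192.168.30.0/24 is constructed for illustration.

```python
import ipaddress

# Constructed model (added example, not PIX code) of the posted config.
# On the PIX, nat 0 exemption and crypto-map selection are independent
# lookups, each against its own access-list.

# ACL entries as (source network, destination network), "permit ip" only.
NAT0_ACL_401 = [("192.168.254.0/24", "192.168.10.0/24")]
# crypto map sequence -> (peer, match-address ACL); ACL 201 on the page.
CRYPTO_MAP = {21: ("212.12.12.230", [("192.168.254.0/24", "192.168.10.0/24")])}
STATICS = {"192.168.254.253": "208.24.24.135"}   # static (inside,outside)
PAT_ADDRESS = "208.24.24.190"                    # last "global (outside) 1"


def acl_matches(acl, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)


def classify(src, dst):
    """Return (translated source, tunnel peer or None) for an inside flow.

    PIX precedence: nat 0 access-list, then static, then nat/global. The
    crypto map is consulted afterwards with the translated source, so a flow
    that was PAT'd no longer matches a crypto ACL written for private sources.
    """
    if acl_matches(NAT0_ACL_401, src, dst):
        xlated = src                      # identity: peer sees the private IP
    elif src in STATICS:
        xlated = STATICS[src]
    else:
        xlated = PAT_ADDRESS
    for seq in sorted(CRYPTO_MAP):
        peer, acl = CRYPTO_MAP[seq]
        if acl_matches(acl, xlated, dst):
            return xlated, peer
    return xlated, None                   # routed to the internet, not tunnelled


def add_peer(seq, peer, local_net, remote_net):
    """Add a second crypto-map entry with its own ACL (the future case)."""
    CRYPTO_MAP[seq] = (peer, [(local_net, remote_net)])


def tunnel_pairs_missing_nat0():
    """Pairs selected by some crypto map but not exempted by nat 0: that
    traffic is translated first and then never enters the tunnel."""
    return [pair for _, acl in CRYPTO_MAP.values()
            for pair in acl if pair not in NAT0_ACL_401]
```

With the original config the check returns an empty list; adding a peer without extending ACL 401 makes the new pair show up, which is why the nat 0 list must be the union of all crypto-map lists while each crypto map keeps its own.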

New Member

Re: IPSEC NAT0 and separating internet traffic from tunnel traffic.

Great Thanks! We'll see how it goes...
