Cisco Support Community
New Member

PIX with VPN

Hi,

I deployed a VPN between 3 branches on PIX. Now I want to permit all traffic between the VPN branches; how shall I do this? Here is the configuration:

domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 110 permit ip 10.0.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 110 permit ip 10.10.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 110 permit ip 10.100.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 110 permit ip 10.110.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 120 permit ip 10.0.0.0 255.255.0.0 10.60.0.0 255.255.0.0
access-list 120 permit ip 10.10.0.0 255.255.0.0 10.60.0.0 255.255.0.0
access-list 120 permit ip 10.100.0.0 255.255.0.0 10.60.0.0 255.255.0.0
access-list 120 permit ip 10.110.0.0 255.255.0.0 10.60.0.0 255.255.0.0
access-list 101 permit ip 10.0.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 101 permit ip 10.10.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 101 permit ip 10.100.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 101 permit ip 10.110.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 101 permit ip 10.0.0.0 255.255.0.0 10.60.0.0 255.255.0.0
access-list 101 permit ip 10.10.0.0 255.255.0.0 10.60.0.0 255.255.0.0
access-list 101 permit ip 10.100.0.0 255.255.0.0 10.60.0.0 255.255.0.0
access-list 101 permit ip 10.110.0.0 255.255.0.0 10.60.0.0 255.255.0.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 104 permit icmp any any
access-list 104 permit tcp host 10.0.0.1 any eq 8080
access-list 104 permit tcp host 10.0.0.1 any eq www
access-list 104 permit udp host 10.0.0.1 any eq domain
access-list 104 permit tcp host 10.0.0.6 any eq domain
access-list 104 permit tcp host 10.0.0.6 any eq smtp
access-list 104 permit tcp host 10.0.0.6 any eq pop3
access-list 104 permit tcp host 10.10.0.1 any eq smtp
access-list 104 permit tcp host 10.10.0.1 any eq domain
access-list 104 permit tcp host 10.10.0.1 any eq pop3
access-list 104 permit tcp host 10.100.0.6 any eq smtp
access-list 104 permit tcp host 10.100.0.6 any eq domain
access-list 104 permit tcp host 10.100.0.6 any eq pop3
access-list 104 permit tcp host 10.110.0.1 any eq pop3
access-list 104 permit tcp host 10.110.0.1 any eq smtp
access-list 104 permit tcp host 10.110.0.1 any eq domain
access-list 104 permit udp host 10.0.0.6 any eq domain
access-list 104 permit udp host 10.10.0.1 any eq domain
access-list 104 permit udp host 10.110.0.1 any eq domain
access-list 104 permit udp host 10.100.0.6 any eq domain
access-list 104 permit tcp 10.0.0.0 255.255.0.0 host 10.50.0.1 eq 3389
access-list 104 permit tcp 10.0.0.0 255.255.0.0 host 10.50.0.2 eq 3389
access-list 104 permit tcp 10.0.0.0 255.255.0.0 host 10.50.0.3 eq 3389
access-list 104 permit tcp 10.0.0.0 255.255.0.0 host 10.50.0.4 eq 3389
access-list 104 permit tcp 10.0.0.0 255.255.0.0 host 10.50.0.5 eq 3389
access-list 104 permit tcp 10.0.0.0 255.255.0.0 host 10.50.0.7 eq 3389
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside 62.3.47.131 255.255.255.240
ip address inside 10.0.0.11 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400.3.47.137 netmask 255.255.255.240
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
access-group 100 in interface outside
access-group 104 in interface inside

Now it's clear that I am using 104 for Internet traffic; how shall I permit all traffic between the VPN branches now?

access-l 110 permit ip any any
access-l 120 permit ip any any

or something else?

Note: I need all traffic/ports to be opened between the branches, and only Internet & email for the Internet.

Waiting for your earliest reply

Azhar

2 REPLIES
Bronze

Re: PIX with VPN

Hi,

I would stay away from the "access-l 110 permit ip any any" and use something like this:

access-list 110 permit ip 10.0.0.0 255.255.0.0 any

Hope that helps.

Silver

Re: PIX with VPN

For access-list 104, you will want to allow all traffic between the sites. Let's call your two remote sites b and c:

b uses 192.168.0.0/24

c uses 192.168.1.0/24

add

access-list 104 permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.255.0

access-list 104 permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0

then reapply the access list 104 to the inside interface.

Then, you need to start reading up on IPSec configuration.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

is a good example of a PIX-to-PIX IPsec configuration. Try to get one site-to-site tunnel working first, and then try to get both working.
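Before applying either suggestion, it is worth checking what the lists actually permit. The following is an added example written for this thread (not from the poster or the replies, not Cisco code): a small Python evaluator for PIX-style access-list lines with first-match and implicit-deny semantics. It runs the poster's ACL 104 (reduced to the lines that bear on branch traffic) and the second reply's additions against constructed flows; the reply's placeholder networks for sites b and c are replaced by the poster's own 10.50.0.0/16 and 10.60.0.0/16, which is an assumption. It also checks which of those flows the original crypto ACL 110 entry and the "permit ip any any" the poster asked about would select as tunnel traffic. The function names, the sample flows and the address 203.0.113.10 (documentation space) are constructed for the example.

```python
# Evaluate PIX 6.x-style access-list lines against sample flows (constructed example,
# not Cisco code): the first matching entry wins, an unmatched flow hits the implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "pop3": 110}  # port names used in the thread

@dataclass
class Flow:
    proto: str                 # tcp, udp or icmp
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Ace:
    action: str                # permit or deny
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None means any destination port

def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists take a real subnet mask (255.255.0.0), not a wildcard mask
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """access-list <id> permit|deny <proto> <src> <dst> [eq <port>] [icmp-type]"""
    tokens = line.split()
    action, proto = tokens[2], tokens[3]
    src, i = _addr(tokens, 4)
    dst, i = _addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return Ace(action, proto, src, dst, dport)

def parse_acls(text):
    """Group entries by access-list id, preserving order (the order is what matters)."""
    acls = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("access-l"):  # also accepts the "access-l" shorthand from the post
            acls.setdefault(line.split()[1], []).append(parse_ace(line))
    return acls

def _matches(ace, flow):
    return ((ace.proto == "ip" or ace.proto == flow.proto)
            and ipaddress.IPv4Address(flow.src) in ace.src
            and ipaddress.IPv4Address(flow.dst) in ace.dst
            and (ace.dport is None or ace.dport == flow.dport))

def evaluate(aces, flow):
    """Action of the first matching entry, or the implicit deny at the end of the list."""
    for ace in aces:
        if _matches(ace, flow):
            return ace.action
    return "deny"

# The poster's inside-interface ACL, reduced to the lines that bear on branch traffic
ORIGINAL_104 = """
access-list 104 permit icmp any any
access-list 104 permit tcp host 10.0.0.1 any eq www
access-list 104 permit tcp 10.0.0.0 255.255.0.0 host 10.50.0.1 eq 3389
"""
# The second reply's fix, with the poster's remote networks 10.50.0.0/16 and
# 10.60.0.0/16 substituted for the reply's placeholder sites b and c (an assumption)
FIXED_104 = ORIGINAL_104 + """
access-list 104 permit ip 10.0.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 104 permit ip 10.0.0.0 255.255.0.0 10.60.0.0 255.255.0.0
"""
# One entry of the poster's crypto ACL 110 beside the "permit ip any any" he asked about
ORIGINAL_110 = "access-list 110 permit ip 10.0.0.0 255.255.0.0 10.50.0.0 255.255.0.0"
ANY_ANY_110 = "access-l 110 permit ip any any"

# Constructed flows: RDP to a listed host, SMB to an unlisted branch host, web to the Internet
RDP = Flow("tcp", "10.0.0.20", "10.50.0.1", 3389)
SMB = Flow("tcp", "10.0.0.20", "10.50.0.25", 445)
WEB = Flow("tcp", "10.0.0.20", "203.0.113.10", 80)  # 203.0.113.0/24 is documentation space

def compare_104(flow):
    """(before, after) action for a flow under the original and the fixed ACL 104."""
    return (evaluate(parse_acls(ORIGINAL_104)["104"], flow),
            evaluate(parse_acls(FIXED_104)["104"], flow))

def selected_for_tunnel(acl_text, flow):
    """For a crypto ACL, a permit means the flow is selected as tunnel traffic."""
    return evaluate(parse_acls(acl_text)["110"], flow) == "permit"

if __name__ == "__main__":
    for name, flow in [("rdp", RDP), ("smb", SMB), ("web", WEB)]:
        print(name, compare_104(flow), selected_for_tunnel(ORIGINAL_110, flow),
              selected_for_tunnel(ANY_ANY_110, flow))
```

Run as a script, it shows that the original ACL 104 already permits the RDP flow but drops SMB to a branch host that is not listed, that the two added "permit ip" entries open that traffic without changing the result for the Internet-bound flow, and that the original crypto entry leaves the Internet-bound flow unselected while "permit ip any any" would select it.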
