Want a client behind a PIX to access any Outside address w/o IPsec

rgrcommo · ‎05-02-2002

Overall goal is to have client 192.168.30.10 be able to access any Outside IP (surf the net). I have offsite hosts that connect to the client via VPN Client to do som admin stuff. But i also want the client 192.168.30.10 to be able to access the net w/o IPSec. Stuck on this part.

Here is the dump of the PIX:

PIX Version 6.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password -- moderator edit -- encrypted

passwd -- moderator edit -- encrypted

hostname -- moderator edit --

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 101 permit ip 192.168.30.0 255.255.255.0 10.10.5.0 255.255.255.0

access-list 101 permit icmp any any

pager lines 24

logging on

logging console debugging

logging monitor debugging

logging buffered debugging

logging trap debugging

logging history debugging

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 192.168.10.1 255.255.255.248

ip address inside 192.168.30.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool xyzpool 10.10.5.1-10.10.5.254

pdm history enable

arp timeout 14400

global (outside) 1 192.168.10.40

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 192.168.10.1 192.168.30.1 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.10.20 192.168.30.10 netmask 255.255.255.255 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.10.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

no floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set xyzset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set xyzset

crypto map xyzmap 10 ipsec-isakmp dynamic dynmap

crypto map xyzmap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup xyz address-pool xyzpool

vpngroup xyz split-tunnel 101

vpngroup xyz idle-time 1800

vpngroup xyz password ********

telnet timeout 5

ssh timeout 5

terminal width 80

---End

bstremp · ‎05-10-2002

Your static for that host should work as long as your gateway router (192.168.10.5) can get him to the Internet. I assume you are running NAT on that router since you’re using all rfc1918 addresses. If the host resided on that outside wire at any point, remember to clear your arp cache on the router and the PIX as MAC addresses have changed. That’s about all I can think about at a glance.

saluko · ‎05-10-2002

The reason your host '192.168.30.10' could not access the Internet is simply because its IP address has not been translated to a legally registered IP address.

Your global command specifies a private address - inorder for any host to communicate on the public network it needs a registered address. Therefore you need to replace the address '192.168.10.40' within your global cmd to a registered address.