Access to internet by a external firewall and PIX for tunnel

aboguslaw · ‎10-19-2005

Hi.

I have a Pix 501 that establish a tunnel with a VPN 3000 Concentrator. I need that people who works in the network of Pix can access to Corporate applications through the tunnel, but also they need navigate through an external firewall, and not use the tunnel for their access to internet. How can I get this?

I think that is a route problem

The tunnel works fine. So I only trancript the other part of the configuration.

access-list 102 permit ip 192.168.1.0 255.255.255.0 172.11.0.0 255.255.0.0

ip address outside 213.227.15.34 255.255.255.240

ip address inside 192.168.1.1 255.255.255.0

nat (inside) 0 access-list 102

------this is the ip address of the external firewall--------

route inside 0.0.0.0 0.0.0.0 192.168.1.3 1

-------------------------------------------------------------

route outside 172.11.0.0 255.255.0.0 213.227.15.33 1

---this is the IP of the router of the Internet service provider ---

sysopt connection permit-ipsec

Thanks in advance

jackko · ‎10-19-2005

instead of configuing "route outside 172.11.0.0 255.255.0.0 213.227.15.33", it would be better just to configure a default gateway pointing to the isp.

e.g.

no route outside 172.11.0.0 255.255.0.0 213.227.15.33

route outside 0 0 213.227.15.33

with this route configured, pix will forward all outbound packet to the isp.

further, to browse the internet, you would need to nat/pat the lan to a public ip as well.

e.g. to configure pat for internet browsing:

global (outside) 1 interface

nat (inside) 1 0 0

providing you configure the default route and the nat/global statement, and the acl 102 is used as the interesting traffic for the lan-lan vpn, then local user should be able to browse internet directly.