04-03-2008 05:49 AM - edited 02-21-2020 03:39 PM
Hi,
I was hoping I could get some help from the group on the following.
I'm working with a PIX that is set up to only do IPSec connections via the internet. I am trying to add the ability to make unencrypted non IPSec connections to the internet.
Below is a copy of the existing PIX config and what I tried adding to get unencrypted connections to the internet.
Public IP addresses are not real (2.x.x.x & 6.x.x.x)
Seems like this should be simple. I must be missing something. I am attempting to use PAT (the 2.100.211.40 address).
Thanks,
Michael Hurley
04-03-2008 10:13 AM
Hi Michael
no access-list internal_net_access_in extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
no nat (outside) 0 access-list outside_nat0_outbound
nat (internal_net) 0 access-list outside_nat0_outbound
nat (internal_net) 1 0 0
global (outside) 1 interface
no access-list outside_access_in extended permit icmp 10.0.10.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
no access-list outside_access_in extended permit icmp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
no access-list outside_access_in extended permit icmp 10.0.30.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
no access-list outside_access_in extended permit icmp 10.0.40.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
no access-list outside_access_in extended permit icmp 10.0.50.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp object-group CoLo 10.11.28.0 255.255.255.0 echo-reply log
no access-group internal_net_access_in in interface internal_net
clear xlate
Regards
04-03-2008 10:47 AM
Huseyin,
Are you suggesting I remove the IPSec stuff just for testing purposes? I may be able to do this. Eventually we need to have some traffic use IPSec and some traffic go directly to the internet.
Michael
04-03-2008 02:38 PM
I am looking at Cisco Document ID 82020 that covers split tunneling. They mention the following: In order to set a split tunneling policy, issue the split-tunnel-policy command in the "group-policy configuration mode".
Can someone tell me how/where to get into group-policy mode?
Thanks,
Michael
04-04-2008 03:15 AM
Michael,
My above suggestions are not for removing IPSec. It makes the traffic originating from 10.11.28.0 255.255.255.0 and destined to object-group CoLo flow through the IPSec tunnel, and the rest will flow through the outside interface without IPSec, directly to the internet.
Split-tunneling is actually for Remote Access, and has no relationship with your issue.
Regards
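To show how the pieces in Huseyin's reply fit together, here is a constructed PIX 7.x-style fragment (added here, not from the thread or from Michael's actual config) that sends internal_net-to-CoLo traffic through the tunnel and PATs everything else. The CoLo subnets are taken from the echo-reply ACLs above; the peer address and map/transform-set names are placeholders, and the existing ISAKMP policy and pre-shared key are assumed to be already configured.

```cisco
! Constructed example, not the thread's real config. Public addresses
! (2.x.x.x / 6.x.x.x) are fictitious, as in the original post.
!
! CoLo subnets reached through the IPsec tunnel
object-group network CoLo
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.20.0 255.255.255.0
 network-object 10.0.30.0 255.255.255.0
 network-object 10.0.40.0 255.255.255.0
 network-object 10.0.50.0 255.255.255.0
!
! Interesting traffic. One ACL drives both the NAT exemption and the
! crypto map so that nothing is exempted from NAT yet left unencrypted
! (or encrypted yet PATed, which breaks the tunnel).
access-list outside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
!
! NAT exemption belongs on the interface where the traffic enters
! (internal_net). "nat (outside) 0 ..." never matched the inside hosts.
nat (internal_net) 0 access-list outside_nat0_outbound
!
! Everything else from internal_net: PAT behind the outside interface
nat (internal_net) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Encrypt exactly the traffic that was exempted from NAT.
! (ISAKMP policy and pre-shared key assumed present; names are placeholders.)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address outside_nat0_outbound
crypto map outside_map 10 set peer 6.1.1.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! After changing nat/global, clear existing translations, then verify:
!   clear xlate
!   show xlate                      -> PAT entries only for non-CoLo flows
!   show crypto ipsec sa            -> encaps/decaps counters rising for CoLo
!   show access-list outside_nat0_outbound   -> hit counts on the exemption ACL
```

If `show xlate` ever lists a translation for a 10.11.28.x host talking to a CoLo subnet, the exemption ACL and the crypto ACL have drifted apart and that traffic is leaving in the clear.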