Velocity Reviews - Cisco forum
Pix 506E IPsec site to site VPN Problem (http://www.velocityreviews.com/forums/t40322-pix-506e-ipsec-site-to-site-vpn-problem.html)

t_oldham 08-02-2005 01:11 PM

Pix 506E IPsec site to site VPN Problem
 
Hello All,

I am trying to set up two 506E Pix firewalls to use a Site to Site VPN.
I can get that setup however afterwards my internet will stop working.
Can anyone help me with what command I need to enter to tell the PIX to
only route my VPN traffic over the VPN and all other over the internet?
Also I have PAT enable because I have a e-mail server and a couple
other things that Have to be accessed from the internet.

Thanks,

I can post config if needed.....


Walter Roberson 08-02-2005 02:27 PM

Re: Pix 506E IPsec site to site VPN Problem
 
In article <1122988297.719833.185260@g43g2000cwa.googlegroups.com>,
t_oldham <toldham@technical-partners.com> wrote:
:I am trying to set up two 506E Pix firewalls to use a Site to Site VPN.
:I can get that setup however afterwards my internet will stop working.
:Can anyone help me with what command I need to enter to tell the PIX to
:only route my VPN traffic over the VPN and all other over the internet?

show run | grep crypto_map

and look for the 'match address' clause, and edit the access-list
that is shown there.

There is no specific "route this over VPN" command: anything that
matches a crypto map 'match address' will go through VPN, and anything
that does not match one of the 'match address' ACLs will not go
through VPN.


:Also I have PAT enable because I have a e-mail server and a couple
:other things that Have to be accessed from the internet.

Possibly your 'nat (inside) 0 access-list' is too inclusive.
--
Entropy is the logarithm of probability -- Boltzmann

Wil 08-02-2005 02:37 PM

Re: Pix 506E IPsec site to site VPN Problem
 
grep, hee he... too early to troubleshoot! ;)

show run | include crypto_map

Wil
my 3

Walter Roberson wrote:
> In article <1122988297.719833.185260@g43g2000cwa.googlegroups.com>,
> t_oldham <toldham@technical-partners.com> wrote:
> :I am trying to set up two 506E Pix firewalls to use a Site to Site VPN.
> :I can get that setup however afterwards my internet will stop working.
> :Can anyone help me with what command I need to enter to tell the PIX to
> :only route my VPN traffic over the VPN and all other over the internet?
>
> show run | grep crypto_map
>
> and look for the 'match address' clause, and edit the access-list
> that is shown there.
>
> There is no specific "route this over VPN" command: anything that
> matches a crypto map 'match address' will go through VPN, and anything
> that does not match one of the 'match address' ACLs will not go
> through VPN.
>
>
> :Also I have PAT enable because I have a e-mail server and a couple
> :other things that Have to be accessed from the internet.
>
> Possibly your 'nat (inside) 0 access-list' is too inclusive.


JPW 08-12-2005 04:33 AM

Re: Pix 506E IPsec site to site VPN Problem
 
- Create an access-list specifying the traffic to be protected by the VPN
- Use the 'split-tunnel' command with the defined access list within the 'vpngroup' command.


security_123@ 08-12-2005 07:55 AM

Re: Pix 506E IPsec site to site VPN Problem
 
Command to only route my VPN traffic over the VPN and all other over the internet?

In the access-list bound to the crypto process, specify only the traffic to be encrypted, with permit entries.

For example:
if a talks to b encrypted but to the rest of the world in cleartext, and a is the local network:

access-list 111 permit a a_mask b b_mask

The implicit default rule at the end denies all other traffic, so all of that traffic is not encrypted.
Next, bind the access-list to the crypto map.


Example:

: Crypto ACL: local 10.2.2.0/24 to the two remote networks 10.1.1.0/24 and 10.3.3.0/24
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0

: The crypto map entry must reference the ACL defined above (100, not 110)
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100


Then permit the IPsec traffic in the access-list applied to the outside interface:

1) Permit ISAKMP
2) Permit ESP, AH, or both ESP and AH

Best regards

Rocco


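The two checks the thread converges on (Walter Roberson: the crypto map 'match address' ACL decides what goes through the tunnel, and an over-inclusive 'nat (inside) 0 access-list' breaks plain Internet traffic; Rocco: the crypto map must reference the ACL that was actually defined) can be run mechanically over a 'show run' dump. The following is an added example, not code from the thread or from Cisco: it parses a constructed PIX 6.x-style config (the ACL names `nonat` and `vpn`, the map `newmap` and all addresses are assumptions), flags a dangling 'match address' reference and any nat 0 entry not covered by a crypto ACL, and classifies a sample flow as tunnelled, PAT-translated, or leaving untranslated in the clear. The classification is a simplified model of the PIX order of operations and only handles `permit/deny ip` entries with `any`, `host` and address/mask specs.

```python
"""Audit a PIX 6.x site-to-site VPN config for the mistakes discussed in the thread."""
import ipaddress

# Constructed sample configs (assumption: PIX 6.3 syntax; not from the thread).
# BROKEN: nat 0 exempts everything from inside, and the crypto map points at ACL 110,
# which is never defined, so nothing is encrypted and Internet traffic leaves un-NATed.
BROKEN_CONFIG = """\
access-list nonat permit ip 10.2.2.0 255.255.255.0 any
access-list vpn permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpn permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
"""

# FIXED: the nat 0 ACL mirrors the crypto ACL, and the crypto map references it by name.
FIXED_CONFIG = """\
access-list nonat permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list vpn permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpn permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address vpn
"""


def _net(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Collect ACL entries, the nat 0 ACL name, and each crypto map entry's match ACL."""
    acls, nat0, match = {}, None, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[3] == "ip":
            src, rest = _net(t[4:])
            dst, _ = _net(rest)
            acls.setdefault(t[1], []).append((t[2], src, dst))
        elif t[:2] == ["nat", "(inside)"] and t[2] == "0" and t[3] == "access-list":
            nat0 = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            match[(t[2], t[3])] = t[6]
    return {"acls": acls, "nat0": nat0, "match": match}


def _acl_permits(entries, src, dst):
    """First-match evaluation with the PIX implicit deny at the end."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False


def classify(cfg, src, dst):
    """'vpn' if a crypto ACL selects the flow, 'pat' if it is translated by nat 1 /
    global interface, 'clear-untranslated' if nat 0 exempts it but no tunnel takes it
    (the symptom in the original post: private source address leaks to the Internet)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl_name in cfg["match"].values():
        if _acl_permits(cfg["acls"].get(acl_name, []), src, dst):
            return "vpn"
    if cfg["nat0"] and _acl_permits(cfg["acls"].get(cfg["nat0"], []), src, dst):
        return "clear-untranslated"
    return "pat"


def audit(cfg):
    """Return human-readable findings for dangling match-address references and
    nat 0 entries that are broader than what the crypto ACLs cover."""
    findings, crypto_entries = [], []
    for (name, seq), acl in cfg["match"].items():
        if acl not in cfg["acls"]:
            findings.append(f"crypto map {name} {seq}: match address {acl} references an undefined ACL")
        else:
            crypto_entries += [e for e in cfg["acls"][acl] if e[0] == "permit"]
    if cfg["nat0"]:
        for action, s, d in cfg["acls"].get(cfg["nat0"], []):
            if action != "permit":
                continue
            covered = any(s.subnet_of(cs) and d.subnet_of(cd) for _, cs, cd in crypto_entries)
            if not covered:
                findings.append(f"nat 0 ACL {cfg['nat0']}: {s} -> {d} is NAT-exempt but not in any crypto ACL")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_config(text)
        print(label, audit(cfg), classify(cfg, "10.2.2.5", "10.1.1.7"), classify(cfg, "10.2.2.5", "198.51.100.9"))
```

On the broken config both findings fire and an Internet-bound flow from 10.2.2.0/24 is reported as leaving untranslated; on the fixed config the audit is empty, the flow to 10.1.1.7 is tunnelled and the Internet flow is PAT-translated. To use it on a real box, paste the relevant 'show run' lines into the config string and extend `parse_config` for any other entry forms present.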
