Pix 506E IPsec site to site VPN Problem

Discussion in 'Cisco' started by t_oldham, Aug 2, 2005.

  1. t_oldham

    t_oldham Guest

    Hello All,

    I am trying to set up two 506E Pix firewalls to use a Site to Site VPN.
    I can get that set up; however, afterwards my internet stops working.
    Can anyone help me with what command I need to enter to tell the PIX to
    only route my VPN traffic over the VPN and all other traffic over the internet?
    Also I have PAT enabled because I have an e-mail server and a couple of
    other things that have to be accessed from the internet.

    Thanks,

    I can post config if needed.....
     
    t_oldham, Aug 2, 2005
    #1

  2. In article <>,
    t_oldham <> wrote:
    :I am trying to set up two 506E Pix firewalls to use a Site to Site VPN.
    :I can get that setup however afterwards my internet will stop working.
    :Can anyone help me with what command I need to enter to tell the PIX to
    :only route my VPN traffic over the VPN and all other over the internet?

    show run | grep crypto_map

    and look for the 'match address' clause, and edit the access-list
    that is shown there.

    There is no specific "route this over VPN" command: anything that
    matches a crypto map 'match address' will go through VPN, and anything
    that does not match one of the 'match address' ACLs will not go
    through VPN.


    :Also I have PAT enable because I have a e-mail server and a couple
    :other things that Have to be accessed from the internet.

    Possibly your 'nat (inside) 0 access-list' is too inclusive.
    --
    Entropy is the logarithm of probability -- Boltzmann
     
    Walter Roberson, Aug 2, 2005
    #2

  3. t_oldham

    Wil Guest

    grep, hee he... too early to troubleshoot! ;)

    show run | include crypto_map

    Wil
    my 3¢

    Walter Roberson wrote:
    > In article <>,
    > t_oldham <> wrote:
    > :I am trying to set up two 506E Pix firewalls to use a Site to Site VPN.
    > :I can get that setup however afterwards my internet will stop working.
    > :Can anyone help me with what command I need to enter to tell the PIX to
    > :only route my VPN traffic over the VPN and all other over the internet?
    >
    > show run | grep crypto_map
    >
    > and look for the 'match address' clause, and edit the access-list
    > that is shown there.
    >
    > There is no specific "route this over VPN" command: anything that
    > matches a crypto map 'match address' will go through VPN, and anything
    > that does not match one of the 'match address' ACLs will not go
    > through VPN.
    >
    >
    > :Also I have PAT enable because I have a e-mail server and a couple
    > :other things that Have to be accessed from the internet.
    >
    > Possibly your 'nat (inside) 0 access-list' is too inclusive.
     
    Wil, Aug 2, 2005
    #3
  4. t_oldham

    JPW Guest

    - Create an access-list specifying the traffic to be protected by the
    VPN.
    - Use the 'split-tunnel' command with the defined access list within
    the 'vpngroup' command.
     
    JPW, Aug 12, 2005
    #4
  5. Command to
    only route my VPN traffic over the VPN and all other over the internet?


    Specify, in the access-list bound to the crypto process, only the crypto
    traffic with permit statements.

    For example:
    if a talks with b in cryptography but with the world in cleartext; a is
    the local network.

    access-list 111 permit a a_mask b b_mask

    The default rule that follows denies all the other traffic, so that
    traffic isn't encrypted ...
    Next, link the access-list to the crypto map.


    Example:

    access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list 100 permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0

    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 100


    Then permit the IPsec traffic in the access-list applied to the
    outside interface:

    1) Permit isakmp
    2) Permit esp, ah, or both esp and ah

    Best regards

    Rocco
     
    security_123@, Aug 12, 2005
    #5
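Walter's pointer to the crypto map 'match address' ACL and the 'nat (inside) 0 access-list', and Rocco's example ACL and crypto map, both come down to the same rule: only traffic matching the crypto ACL enters the tunnel, and the nat 0 ACL must not exempt more than that from PAT. The following Python script is an added example, not code from the thread or from Cisco; it parses a constructed PIX 6.x config fragment (ACL names, addresses and the map name are made up) and flags the misconfigurations that produce the "internet stops working" symptom: a crypto ACL with an 'any' destination, a crypto map pointing at an undefined ACL, and a nat 0 entry broader than the crypto ACL.

```python
import re
from ipaddress import ip_network

# Constructed PIX 6.x config fragment (not taken from the thread). The crypto
# ACL covers only the two remote sites, but the nat 0 ACL exempts 10.2.2.0/24
# to *any* from NAT, so internet-bound traffic skips PAT and never gets out.
SAMPLE_CONFIG = """\
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list nonat permit ip 10.2.2.0 255.255.255.0 any
nat (inside) 0 access-list nonat
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
"""

def _addr(tok, i):
    """Consume one PIX address spec: 'any', 'host A', or 'A NETMASK' (real masks)."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acls(config):
    """Map ACL name -> [(src_net, dst_net)] for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            src, i = _addr(tok, 4)
            dst, _ = _addr(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
    return acls

def audit(config):
    """Return findings explaining why a crypto map / nat 0 setup swallows internet traffic."""
    acls = parse_acls(config)
    crypto_names = re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    findings, crypto_pairs = [], []
    for name in crypto_names:
        if name not in acls:
            findings.append(f"crypto map references ACL {name}, which is not defined")
        for src, dst in acls.get(name, []):
            crypto_pairs.append((src, dst))
            if dst.prefixlen == 0:
                findings.append(f"crypto ACL {name}: 'any' destination sends all traffic into the tunnel")
    # Every nat 0 exemption must be covered by some crypto ACL entry, else it skips PAT for nothing.
    for name in re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M):
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(cs) and dst.subnet_of(cd) for cs, cd in crypto_pairs):
                findings.append(f"nat 0 ACL {name}: {src} -> {dst} skips PAT but matches no crypto ACL")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the nat 0 finding; replacing the 'any' line with the same two subnet pairs as ACL 100 makes the audit come back clean.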
