Pix 506E IPsec site to site VPN Problem

Discussion in 'Cisco' started by t_oldham, Aug 2, 2005.

  1. t_oldham

    t_oldham Guest

    Hello All,

    I am trying to set up two 506E Pix firewalls to use a Site to Site VPN.
    I can get that setup however afterwards my internet will stop working.
    Can anyone help me with what command I need to enter to tell the PIX to
    only route my VPN traffic over the VPN and all other over the internet?
    Also I have PAT enable because I have a e-mail server and a couple
    other things that Have to be accessed from the internet.

    Thanks,

    I can post config if needed.....
     
    t_oldham, Aug 2, 2005
    #1

  2. Walter Roberson

    :I am trying to set up two 506E Pix firewalls to use a Site to Site VPN.
    :I can get that setup however afterwards my internet will stop working.
    :Can anyone help me with what command I need to enter to tell the PIX to
    :only route my VPN traffic over the VPN and all other over the internet?

    show run | grep crypto_map

    and look for the 'match address' clause, and edit the access-list
    that is shown there.

    There is no specific "route this over VPN" command: anything that
    matches a crypto map 'match address' will go through VPN, and anything
    that does not match one of the 'match address' ACLs will not go
    through VPN.


    :Also I have PAT enable because I have a e-mail server and a couple
    :other things that Have to be accessed from the internet.

    Possibly your 'nat (inside) 0 access-list' is too inclusive.
     
    Walter Roberson, Aug 2, 2005
    #2

  3. Wil

    Wil Guest

    grep, hee hee... too early to troubleshoot! ;)

    show run | include crypto_map

    Wil
    my 3¢
     
    Wil, Aug 2, 2005
    #3
  4. JPW

    JPW Guest

    - Create an access-list specifying the traffic to be protected by the
    VPN.
    - Use the 'split-tunnel' command with the defined access-list within
    the 'vpngroup' command.
     
    JPW, Aug 12, 2005
    #4
  5. Rocco

    :Command to
    :only route my VPN traffic over the VPN and all other over the internet?


    Specify in the access-list bound to the crypto process only the crypto
    traffic, with a permit statement.

    For example:
    if a talks with b in cryptography but with the world in cleartext, and a is
    the local network:

    access-list 111 permit a a_mask b b_mask

    The implicit default rule at the end denies all other traffic, so all that
    traffic isn't encrypted ...
    Next, link the access-list to the crypto map.


    Example :

    access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list 100 permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0

    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 100


    Then permit the IPsec traffic in the access-list applied to the
    outside interface:

    1) Permit isakmp
    2) Permit esp, or ah, or both esp and ah

    Best regards

    Rocco
     
    [email protected], Aug 12, 2005
    #5
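The two things the replies above tell you to inspect (Walter's 'match address' ACL and a 'nat (inside) 0 access-list' that is too inclusive) and the ACL-number mismatch that is easy to make in a crypto map can all be checked mechanically over a saved 'show run'. The script below is an added example, not code from this thread or from Cisco. It parses a constructed PIX 6.x style excerpt (the ACL names 100/nonat, the map name newmap and the peer 203.0.113.2 are made up for the example) and reports: a crypto map referencing an ACL that does not exist, a crypto ACL entry that matches 'any' and would force all traffic into the tunnel, and a NAT-exemption entry that no crypto ACL encrypts. It assumes classic PIX 6.x syntax and only looks at the source/destination networks of ACL entries.

```python
"""Check a PIX 6.x 'show run' excerpt for the VPN/NAT mistakes discussed in
this thread. Added example; assumes classic PIX 6.x syntax and that only the
source/destination networks of ACL entries matter for the check."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed config excerpt, not taken from the thread. It carries two
# deliberate mistakes: the crypto map references ACL 110 while the VPN ACL is
# numbered 100, and the nat 0 ACL exempts traffic to 'any' destination.
SAMPLE_CONFIG = """\
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list nonat permit ip 10.2.2.0 255.255.255.0 any
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 203.0.113.2
crypto map newmap interface outside
"""

# The same excerpt with both mistakes corrected: the crypto map points at ACL
# 100 and the nat 0 ACL mirrors it entry for entry.
FIXED_CONFIG = SAMPLE_CONFIG.replace("match address 110", "match address 100").replace(
    "access-list nonat permit ip 10.2.2.0 255.255.255.0 any",
    "access-list nonat permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0\n"
    "access-list nonat permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0",
)

CRYPTO_MATCH = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")
NAT_EXEMPT = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


@dataclass(frozen=True)
class AclEntry:
    action: str            # permit / deny
    proto: str             # ip, tcp, udp, ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_name: [AclEntry, ...]} for every access-list line;
    port qualifiers after the destination are ignored."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        acls.setdefault(name, []).append(AclEntry(action, proto, src, dst))
    return acls


def check_vpn_config(config):
    """Return a list of findings; an empty list means the checks passed."""
    acls = parse_acls(config)
    findings = []
    crypto_entries = []          # permit entries of every crypto ACL in use

    for line in config.splitlines():
        m = CRYPTO_MATCH.match(line)
        if not m:
            continue
        mapname, seq, acl = m.groups()
        if acl not in acls:
            findings.append(f"crypto map {mapname} {seq} references undefined ACL {acl}")
            continue
        for e in acls[acl]:
            if e.action != "permit":
                continue
            crypto_entries.append(e)
            if e.src.prefixlen == 0 or e.dst.prefixlen == 0:
                findings.append(f"crypto ACL {acl} entry {e.src} -> {e.dst} matches 'any', "
                                "so non-VPN traffic would be forced into the tunnel")

    for line in config.splitlines():
        m = NAT_EXEMPT.match(line)
        if not m:
            continue
        iface, acl = m.groups()
        if acl not in acls:
            findings.append(f"nat ({iface}) 0 references undefined ACL {acl}")
            continue
        for e in acls[acl]:
            if e.action != "permit":
                continue
            # Every NAT-exempt flow must be one that a crypto ACL encrypts;
            # otherwise it leaves the outside interface un-PATed and in the clear.
            covered = any(e.src.subnet_of(c.src) and e.dst.subnet_of(c.dst)
                          for c in crypto_entries)
            if not covered:
                findings.append(f"nat ({iface}) 0 ACL {acl} exempts {e.src} -> {e.dst} from PAT "
                                "but no crypto ACL encrypts that flow (nat 0 too inclusive)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in check_vpn_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against a pasted 'show run' and the broken excerpt yields two findings (the undefined ACL 110 and the over-broad nat 0 entry) while the corrected one yields none; the coverage test is deliberately one-directional, since a nat 0 ACL narrower than the crypto ACL is harmless, but one broader than it is exactly the "too inclusive" case Walter describes.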