Cisco PIX IPSec

By mvhurley
Hi,

I was hoping I could get some help from the group on the following.

I'm working with a PIX that is set up to only do IPSec connections via the internet. I am trying to add the ability to make unencrypted, non-IPSec connections to the internet.

Below is a copy of the existing PIX config and what I tried adding to get unencrypted connections to the internet.
Public IP addresses are not real (2.x.x.x & 6.x.x.x). Seems like this should be simple. I am attempting to use PAT (the 2.100.211.40 address).

Thanks,

Michael Hurley


EXISTING CONFIG

PIX Version 7.2(1)
!
hostname pixfirewall
domain-name default.domain.invalid
names
!
interface Ethernet0
description to the outside
nameif outside
security-level 0
ip address 2.100.211.40 255.255.255.0
ospf cost 10
!
interface Ethernet1
description internal office
nameif internal_net
security-level 100
ip address 10.11.28.100 255.255.255.0
ospf cost 10

dns server-group DefaultDNS
domain-name default.domain.invalid

same-security-traffic permit intra-interface

object-group network CoLo
network-object 10.0.10.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
network-object 10.0.30.0 255.255.255.0
network-object 10.0.40.0 255.255.255.0
network-object 10.0.50.0 255.255.255.0

access-list outside_20_cryptomap extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_access_in extended permit ip any 2.100.211.40 255.255.255.252 log
access-list outside_access_in extended permit icmp 10.0.10.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp 10.0.30.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp 10.0.40.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp 10.0.50.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit tcp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 eq smtp log
access-list outside_access_in extended permit tcp object-group CoLo 10.11.28.0 255.255.255.0 eq 1111 log

access-list internal_net_access_in extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo

nat (outside) 0 access-list outside_nat0_outbound

access-group outside_access_in in interface outside
access-group internal_net_access_in in interface internal_net

route outside 0.0.0.0 0.0.0.0 2.100.211.1 1

no sysopt connection permit-vpn

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 6.45.82.108
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 6.45.82.108 type ipsec-l2l
tunnel-group 6.45.82.108 ipsec-attributes
pre-shared-key *

DON'T KNOW WHAT THE BELOW LINES ARE FOR (doesn't seem to be applied anywhere)

class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global


WHAT I ADDED THAT DID NOT WORK
Tested by ping to 209.131.36.158 (yahoo) and ssh and telnet to a couple of public addresses that work using another connection.

nat (inside) 1 0 0

global (outside) 1 2.100.211.40

access-list internal_net_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any echo-reply log
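One thing worth checking before touching the ACLs: on PIX 7.x the interface name inside the parentheses of a `nat` statement must be an interface's `nameif`, and in the posted config the inside interface is named `internal_net`, not `inside`. The script below is an added example (it is not the poster's configuration and not Cisco code) that lints a PIX/ASA 7.x-style config for exactly this class of mistake: `nat`, `global`, `static`, `access-group`, `route` and `crypto` lines that reference an interface with no matching `nameif`, access-lists that are bound but never defined, and `nat (...) N` entries with no `global (...) N` partner. The sample configs embedded in it are constructed from the post, trimmed, and use the post's placeholder addresses; the "fixed" variant only swaps the interface name in the nat statement. One further caveat for a practitioner, not asserted by the post: the existing NAT-exemption rule is bound to `outside`, so once a dynamic nat rule exists on the inside interface it is worth verifying that the traffic matched by `outside_nat0_outbound` still reaches the crypto map un-translated.

```python
"""
Lint a PIX/ASA 7.x-style config for references that do not resolve:
  * nat/global/static/access-group/route/crypto lines naming an interface
    that has no matching 'nameif'
  * access-lists that are bound (access-group, nat 0, crypto map) but never defined
  * 'nat (...) N' entries with no 'global (...) N' partner

Added example for the post above; not the poster's or Cisco's code.  The
sample configs are constructed from the post (trimmed) and use its
placeholder addresses; the grammar is the PIX 7.x syntax shown there.
"""
import re
from typing import List, Pattern, Set

# (label, regex whose group(1) is the interface name the line depends on)
INTERFACE_REFS = [
    ("nat/global/static", re.compile(r"^(?:nat|global|static)\s+\(([^),]+)", re.I)),
    ("access-group", re.compile(r"^access-group\s+\S+\s+(?:in|out)\s+interface\s+(\S+)", re.I)),
    ("route", re.compile(r"^route\s+(\S+)\s+\d", re.I)),
    ("crypto map", re.compile(r"^crypto\s+map\s+\S+\s+interface\s+(\S+)", re.I)),
    ("crypto isakmp enable", re.compile(r"^crypto\s+isakmp\s+enable\s+(\S+)", re.I)),
]
# (label, regex whose group(1) is the access-list name the line binds)
ACL_REFS = [
    ("access-group", re.compile(r"^access-group\s+(\S+)", re.I)),
    ("nat 0", re.compile(r"^nat\s+\([^)]+\)\s+0\s+access-list\s+(\S+)", re.I)),
    ("crypto map match address",
     re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)", re.I)),
]
NAMEIF = re.compile(r"^nameif\s+(\S+)", re.I)
ACL_DEF = re.compile(r"^access-list\s+(\S+)", re.I)
NAT_ID = re.compile(r"^nat\s+\([^)]+\)\s+(\d+)", re.I)
GLOBAL_ID = re.compile(r"^global\s+\([^)]+\)\s+(\d+)", re.I)


def _collect(rx: Pattern[str], lines: List[str]) -> Set[str]:
    """Set of group(1) captures of rx over all lines."""
    return {m.group(1) for ln in lines for m in [rx.match(ln)] if m}


def lint(config: str) -> List[str]:
    """Return one human-readable finding per unresolved reference (empty list = clean)."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]

    nameifs = _collect(NAMEIF, lines)       # names given by 'nameif' under interface blocks
    acls = _collect(ACL_DEF, lines)         # every access-list name that has at least one ACE
    global_ids = _collect(GLOBAL_ID, lines)  # pool ids that have a global statement

    findings: List[str] = []
    for ln in lines:
        for what, rx in INTERFACE_REFS:
            m = rx.match(ln)
            if m and m.group(1) not in nameifs:
                findings.append(f"{what}: interface '{m.group(1)}' is not a configured nameif "
                                f"(declared: {sorted(nameifs)}) in: {ln}")
        for what, rx in ACL_REFS:
            m = rx.match(ln)
            if m and m.group(1) not in acls:
                findings.append(f"{what}: access-list '{m.group(1)}' is never defined in: {ln}")
        m = NAT_ID.match(ln)
        if m and m.group(1) != "0" and m.group(1) not in global_ids:
            findings.append(f"nat: id {m.group(1)} has no matching 'global (...) {m.group(1)}' in: {ln}")
    return findings


# Constructed from the posted config (trimmed); the last two lines are the poster's addition.
BROKEN_CONFIG = """
interface Ethernet0
nameif outside
security-level 0
ip address 2.100.211.40 255.255.255.0
!
interface Ethernet1
nameif internal_net
security-level 100
ip address 10.11.28.100 255.255.255.0
!
object-group network CoLo
network-object 10.0.10.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_access_in extended permit icmp any any echo-reply log
access-list internal_net_access_in extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
nat (outside) 0 access-list outside_nat0_outbound
access-group outside_access_in in interface outside
access-group internal_net_access_in in interface internal_net
route outside 0.0.0.0 0.0.0.0 2.100.211.1 1
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map interface outside
crypto isakmp enable outside
global (outside) 1 2.100.211.40
nat (inside) 1 0 0
"""

# Same config with the nat statement bound to the nameif the inside interface actually has.
FIXED_CONFIG = BROKEN_CONFIG.replace("nat (inside) 1 0 0",
                                     "nat (internal_net) 1 0.0.0.0 0.0.0.0")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {lint(cfg) or ['clean']}")
```

Run against the trimmed copy of the posted config, the only finding is the `nat (inside) 1 0 0` line; with the interface name changed to `internal_net` the config lints clean. The check is purely lexical (it does not model NAT order of operations), so it catches a statement that cannot bind to an interface, not one that binds to the wrong one.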
