PIX VPN question

From: stefan vogt (stefan-uwe_vogt@web.de)
Date: Tue Jun 10 2003 - 12:14:38 GMT-3


Hello all,

Can somebody help me out with a sample configuration for the following scenario?
I have 2 PIX FWs at different sites which should be connected using a VPN tunnel with pre-shared keys. On my local PIX, only specific traffic should be sent via the tunnel. The remaining traffic should be sent without encryption to the Internet.

I tried the following config (addresses changed ;)), but it seems I'm missing something, since the 'normal' Internet connectivity is broken.

---snip---
! Crypto ACL: only these two host-to-host flows are "interesting" traffic
! and get encrypted; anything not matched here leaves the outside interface
! in the clear (split tunnel).
access-list myacl permit ip host 172.30.0.1 host 192.168.0.1
access-list myacl permit ip host 172.30.0.2 host 192.168.0.1

! Phase 2 proposal: ESP with 3DES encryption and SHA-1 integrity
crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac

! Crypto map entry 10: use IKE (ISAKMP) to negotiate the SAs.
! The keyword is "ipsec-isakmp" (hyphenated); "ipsec isakmp" is a syntax error.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address myacl
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 192.168.100.1
crypto map mymap 10 set transform-set mytransformset

! Bind the map to the interface facing the peer
crypto map mymap interface outside

! Phase 1: pre-shared key for this single peer, 3DES/SHA-1/DH group 2
isakmp enable outside
isakmp key yyy address 192.168.100.1 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
---snip---

Any input/link/sample config is very welcome.

TIA,
Stefan

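The following is an added, annotated sample configuration for the scenario asked about above; it is not part of the original post and not a configuration the poster ran. It assumes PIX 6.x syntax, a local inside network of 172.30.0.0/24 behind an interface named "inside", a local outside address of 192.168.100.2, and a remote PIX at 192.168.100.1 protecting 192.168.0.0/24. The addresses, the interface name and the NAT layout are assumptions; the ACL, map and ISAKMP names are taken from the post. The parts the posted snippet did not show (the NAT exemption, the sysopt line and the mirror configuration on the remote peer) are the pieces most often missing from a LAN-to-LAN split-tunnel setup.

```cisco
! ===== Local PIX (site A) -- assumed addressing, see lead-in =====

! Crypto ACL: defines "interesting" traffic. Only these flows are encrypted;
! everything else from the inside is PATed and sent to the Internet in the clear.
access-list myacl permit ip host 172.30.0.1 host 192.168.0.1
access-list myacl permit ip host 172.30.0.2 host 192.168.0.1

! NAT exemption: traffic matching the crypto ACL keeps its real source address
! inside the tunnel. Without this the packets are PATed to the outside address
! before the crypto map sees them and never match the ACL.
nat (inside) 0 access-list myacl
! Ordinary Internet traffic is still PATed to the outside interface address.
nat (inside) 1 172.30.0.0 255.255.255.0 0 0
global (outside) 1 interface

! Allow decrypted IPsec traffic in without an explicit outside access-list entry.
sysopt connection permit-ipsec

! Phase 2 proposal
crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac

! Crypto map: one entry per peer, bound to the outside interface
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address myacl
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 192.168.100.1
crypto map mymap 10 set transform-set mytransformset
crypto map mymap interface outside

! Phase 1: pre-shared key scoped to exactly one peer address (/32 netmask)
isakmp enable outside
isakmp key ******** address 192.168.100.1 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400

! ===== Remote PIX (site B) -- mirror image of site A =====

! The crypto ACL must be the exact mirror of the peer's, or phase 2 fails
! with a proxy-identity mismatch.
access-list myacl permit ip host 192.168.0.1 host 172.30.0.1
access-list myacl permit ip host 192.168.0.1 host 172.30.0.2
nat (inside) 0 access-list myacl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface
sysopt connection permit-ipsec

crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address myacl
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 192.168.100.2
crypto map mymap 10 set transform-set mytransformset
crypto map mymap interface outside

isakmp enable outside
isakmp key ******** address 192.168.100.2 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
```

To check the result, send traffic from 172.30.0.1 to 192.168.0.1 and look at `show crypto isakmp sa` (phase 1 should reach QM_IDLE), `show crypto ipsec sa` (encrypt/decrypt counters should rise) and `show access-list myacl` (hit counts on the crypto ACL). Traffic to any other destination should show up only under the `nat (inside) 1` translation and never in the IPsec counters, which is exactly the split-tunnel behaviour the post asks for. Two security caveats on the parameters themselves: the pre-shared key is tied to a single peer address with a /32 netmask, so do not loosen the mask to a wildcard, and 3DES/SHA-1 with DH group 2 was the norm in 2003 but is weak by current standards; PIX 6.3 added AES (`esp-aes` in the transform set and `isakmp policy 5 encryption aes`), which should be preferred where both peers support it.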


This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:56 GMT-3