From: Paul Lalonde (plalonde2@cogeco.ca)
Date: Tue Jun 10 2003 - 13:52:49 GMT-3
Make sure your NAT rules are set up properly. You don't NAT traffic that
goes through the tunnel, but you NAT everything else.
For example:
nat (inside) 1 0 0
nat (inside) 0 access-list myacl
Paul Lalonde
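Paul's point about the NAT rules, as an added model (not PIX code and not from either mail): it applies the posted myacl as both the nat 0 exemption list and the crypto ACL, and shows where a flow ends up under the fixed rules, under a config with no nat statement at all, and under a nat 1 rule alone. The outside address 203.0.113.1 and the simplified first-match semantics are assumptions.

```python
import ipaddress

# Constructed sample, modelled on the thread's addresses (assumed: the PIX outside
# interface address is 203.0.113.1; ACL/NAT behaviour is a simplified model).
OUTSIDE_IP = ipaddress.ip_address("203.0.113.1")
ACLS = {"myacl": ["permit ip host 172.30.0.1 host 192.168.0.1",
                  "permit ip host 172.30.0.2 host 192.168.0.1"]}
# nat (inside) 0 access-list myacl  -> exempt tunnel traffic from translation
# nat (inside) 1 0 0                -> translate everything else (needs a global)
FIXED_NAT = [(0, "access-list myacl"), (1, "0 0")]
BROKEN_NAT = []  # the posted config shows no nat statement at all

def _addr(t, i):
    """Consume one PIX address spec at t[i]: 'any', 'host X' or 'X MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    a = "0.0.0.0" if t[i] == "0" else t[i]   # "0 0" is PIX shorthand for any
    return ipaddress.ip_network(f"{a}/{t[i + 1]}"), i + 2

def acl_permits(name, src, dst):
    """First matching ACE wins; implicit deny at the end, as on the PIX."""
    for ace in ACLS[name]:
        t = ace.split()                      # permit|deny ip <src> <dst>
        s, i = _addr(t, 2)
        d, _ = _addr(t, i)
        if src in s and dst in d:
            return t[0] == "permit"
    return False

def classify(src_ip, dst_ip, nat_rules, crypto_acl="myacl"):
    """Model the inside->outside path: NAT decision first, then crypto map match."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for nat_id, spec in nat_rules:           # nat 0 exemptions are listed first
        if nat_id == 0 and spec.startswith("access-list"):
            if acl_permits(spec.split()[1], src, dst):
                return {"nat": "exempt", "tunnel": acl_permits(crypto_acl, src, dst)}
        elif nat_id > 0:
            net, _ = _addr(spec.split(), 0)
            if src in net:                   # PAT: the crypto map now sees OUTSIDE_IP
                return {"nat": "pat", "tunnel": acl_permits(crypto_acl, OUTSIDE_IP, dst)}
    return {"nat": "none", "tunnel": False}  # no translation: the PIX drops the flow
```

With the nat 1 rule alone the host-to-host flow is translated before the crypto map looks at it, so it never matches myacl and goes out in the clear; the exemption is what keeps the original addresses for the tunnel.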
----- Original Message -----
From: "stefan vogt" <stefan-uwe_vogt@web.de>
To: <security@groupstudy.com>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, June 10, 2003 11:14 AM
Subject: PIX VPN question
> Hello all,
>
> Can somebody help me out with a sample configuration for the following scenario?
> I have 2 PIX FW at different sites which should be connected using a VPN
> tunnel with preshared keys. On my local PIX, only specific traffic should be
> sent via the tunnel. The remaining traffic should be sent without encryption
> to the internet.
>
> I tried the following config (addresses changed ;)), but it seems I'm missing
> something, since the 'normal' internet connectivity is broken.
>
> ---snip---
> access-list myacl permit ip host 172.30.0.1 host 192.168.0.1
> access-list myacl permit ip host 172.30.0.2 host 192.168.0.1
>
>
> crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac
>
> crypto map mymap 10 ipsec-isakmp
> crypto map mymap 10 match address myacl
> crypto map mymap 10 set pfs group2
> crypto map mymap 10 set peer 192.168.100.1
> crypto map mymap 10 set transform-set mytransformset
>
> crypto map mymap interface outside
>
> isakmp enable outside
> isakmp key yyy address 192.168.100.1 netmask 255.255.255.255
> isakmp policy 5 authentication pre-share
> isakmp policy 5 encryption 3des
> isakmp policy 5 hash sha
> isakmp policy 5 group 2
> isakmp policy 5 lifetime 86400
> ---snip---
>
> Any input/link/sample config is very welcome.
>
> TIA,
> Stefan
>