Tunneling traffic through the PIX

matt.austin
Level 1

I already have a site to site vpn set up with a branch office, and all of the traffic that is defined in the ACL traverses the tunnel. My question has to do with Internet related traffic. Is there a way that I can define all internet traffic to go through the tunnel as well? I do have DNS defined for the dhcp hosts - and the DNS server is on the other side of the tunnel. What am I missing here?

See config below:

TestBox# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxxx
hostname TestBox
domain-name blah.blah1.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network Endpoint_1
description Endpoint_1
network-object 10.0.0.0 255.0.0.0
object-group network Endpoint_2
description Endpoint_2 - Hosts to allow connection to
network-object 10.240.32.0 255.255.255.0
access-list 100 permit ip object-group Endpoint_1 object-group Endpoint_2
access-list 100 permit ip object-group Endpoint_2 object-group Endpoint_1
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* *.*.*.*
ip address inside 10.240.32.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 *.*.*.* 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set esp-aes256-sha1 esp-aes-256 esp-sha-hmac
crypto map outside 100 ipsec-isakmp
crypto map outside 100 match address 100
crypto map outside 100 set peer *.*.*.*
crypto map outside 100 set transform-set esp-aes256-sha1
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address *.*.*.* netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.240.32.20-10.240.32.30 inside
dhcpd dns (DNS Servers on other side of tunnel)
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain blah.blah1.com
dhcpd enable inside
terminal width 80
Cryptochecksum:xxx

1 Reply

mostiguy
Level 6

If you send all traffic back to the main site, the remote site will not have internet access, unless the remote site is configured to use a web proxy at the main site. PIX OS < 7.0 does not allow you to send traffic out the same interface it was received, which is what would be occurring at the main site.
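As an added illustration (not code from the thread or from Cisco), the following Python script evaluates the branch PIX's crypto ACL 100 and its object-groups against sample flows, showing which traffic the posted split-tunnel ACL sends through IPsec and which goes out the plain default route; it then adds a hypothetical full-tunnel entry (`permit ip object-group Endpoint_2 any`, an assumption) to show the difference. The DNS server address 10.0.0.53 is a constructed sample value.

```python
import ipaddress

# Constructed sample: the object-groups and crypto ACL from the post, plus a
# hypothetical full-tunnel entry (an assumption, not from the thread).
SPLIT_TUNNEL = """
object-group network Endpoint_1
 network-object 10.0.0.0 255.0.0.0
object-group network Endpoint_2
 network-object 10.240.32.0 255.255.255.0
access-list 100 permit ip object-group Endpoint_1 object-group Endpoint_2
access-list 100 permit ip object-group Endpoint_2 object-group Endpoint_1
"""
FULL_TUNNEL = SPLIT_TUNNEL + "access-list 100 permit ip object-group Endpoint_2 any\n"

def operand(tok, groups):
    """Parse one ACL address operand; return (networks, tokens consumed)."""
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], 1
    if tok[0] == "host":
        return [ipaddress.ip_network(tok[1])], 2
    if tok[0] == "object-group":
        return groups[tok[1]], 2
    return [ipaddress.ip_network(f"{tok[0]}/{tok[1]}")], 2  # "addr mask" form

def parse_crypto_acl(config, acl_id="100"):
    """Return [(src_networks, dst_networks)] for the 'permit ip' entries of acl_id."""
    groups, acl, current = {}, [], None
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[0] == "network-object":
            groups[current].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[:4] == ["access-list", acl_id, "permit", "ip"]:
            src, used = operand(tok[4:], groups)
            dst, _ = operand(tok[4 + used:], groups)
            acl.append((src, dst))
    return acl

def is_tunneled(acl, src_ip, dst_ip):
    """True if the flow matches the crypto ACL (IPsec); else it takes 'route outside'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(any(s in n for n in src) and any(d in n for n in dst) for src, dst in acl)

if __name__ == "__main__":
    for name, cfg in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        acl = parse_crypto_acl(cfg)
        for dst in ("10.0.0.53", "8.8.8.8"):  # 10.0.0.53: constructed DNS server address
            print(name, "10.240.32.20 ->", dst, is_tunneled(acl, "10.240.32.20", dst))
```

The matcher only answers whether the branch encrypts a flow; as the reply notes, a full-tunnel ACL still leaves the main-site PIX needing to send that Internet traffic back out the interface it arrived on, which PIX OS before 7.0 does not do.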
