1196 Views, 0 Helpful, 1 Reply

VPN issues along with ICMP

d.sekar
Level 1

Dear Sir,

I am facing the following problem with my Pix.

I have configured site-to-site VPN on the PIX. Due to the fact that our customer does not route any private IPs, I am sending the VPN traffic through a NATted IP (i.e. 125.20.37.240). Also the remote IP which I am accessing through the VPN is a public IP (for example 207.69.227.148). So the moment I enable internet on my PC, the entire traffic for the server 207.69.227.148 goes through the internet instead of the VPN tunnel.

I configured VPN as follows.

access-list 80 permit tcp 172.25.173.0 255.255.255.0 host 207.69.227.148 eq https
access-list 90 permit tcp host 125.20.37.240 host 207.69.227.148 eq https
nat (inside) 2 access-list 80 0 0
global (outside) 2 125.20.37.240

I run internet on the PC as follows.

access-list NET1 permit ip host 172.25.173.139 any
nat (inside) 10 access-list NET1 0 0
global (outside) 10 125.20.37.227

1) The customer wants to run VPN as well as internet on the local LAN PCs. For the time being I am not running internet on the PCs which access the VPN-based application. So is there a solution to this?

2) I could ping the IP 207.69.227.148 from the PIX. But when I tried to ping the IP from my PC, it is not pinging. To be on the safe side I have enabled "conduit permit icmp any any" on the PIX. But still it is not working. The remote peer has enabled ICMP from their end. So do you have any solution to this question as well?

Also I am attaching the pix config for your kind reference.

Thanks and regards,

Sairam Bharati

9818404250

sairam.bharati@gmail.com

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 90 permit tcp host 125.20.37.240 host 207.69.227.148 eq https
access-list NET1 permit ip host 172.25.173.31 any
access-list NET1 permit ip host 172.25.173.2 any
access-list NET1 permit ip host 172.25.173.80 any
access-list 80 permit tcp 172.25.173.0 255.255.255.0 host 207.69.227.148 eq https
logging on
logging trap warnings
logging host inside 172.25.173.113
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 125.20.37.226 255.255.255.224
ip address inside 172.25.173.4 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 10 125.x.x.227
global (outside) 2 125.x.x.240
global (dmz) 1 10.0.0.10
nat (inside) 10 access-list NET1 0 0
nat (inside) 2 access-list 80 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.x.x.20.37.225 1
sysopt connection permit-ipsec
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map earthlink 20 ipsec-isakmp
crypto map earthlink 20 match address 90
crypto map earthlink 20 set pfs group2
crypto map earthlink 20 set peer 207.69.172.4
crypto map earthlink 20 set transform-set esp-3des-sha
crypto map earthlink interface outside
isakmp enable outside
isakmp key ******** address 207.69.172.4 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 28800
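The NAT-ordering problem described in the post above, modelled in Python as an added example (this is not code from the original post, from Cisco, or from any PIX). The model encodes two assumptions about PIX 6.3 behaviour that should be confirmed on the box with `show xlate` and `show crypto ipsec sa` before acting on them: that policy-NAT rules (`nat ... access-list`) are evaluated in the order they appear in the running configuration with the first match winning, and that `crypto map ... match address` is compared against the packet after NAT, which is why access-list 90 names the translated address 125.20.37.240 rather than the inside subnet. The host 172.25.173.50 and the destination 198.51.100.10 are constructed stand-ins (a PC that is not in NET1, and an arbitrary internet site); the "VPN rule first" ordering is one candidate fix, not something the thread confirms. Under those assumptions a NET1 host's HTTPS to 207.69.227.148 matches NET1 first, is translated to .227, never matches access-list 90 and leaves in the clear, which is the symptom reported; with the more specific rule first, the same host gets .240 for that one flow and .227 for everything else, so VPN and internet can coexist on one PC. The model also shows why the PC's ping cannot be a tunnel question: access-list 90 only permits tcp/443, so ICMP is never encrypted regardless of the conduit.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source address (pre- or post-NAT)
    dst: str
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class Ace:
    """One access-list entry: protocol, source network, destination network, optional port."""
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst))


Acl = List[Ace]
NatRule = Tuple[Acl, str]        # (nat access-list, global address for that nat id)


def policy_nat(rules: List[NatRule], f: Flow) -> Optional[Flow]:
    """Assumption 1: walk the nat rules in configuration order, first match wins.
    Returns the translated flow, or None when no rule matches (PIX 6.3 always has
    nat-control and drops such packets, logging 'No translation group found')."""
    for acl, global_ip in rules:
        if any(ace.matches(f) for ace in acl):
            return Flow(f.proto, global_ip, f.dst, f.dport)
    return None


def egress_path(rules: List[NatRule], crypto_acl: Acl, f: Flow) -> Tuple[str, Optional[str]]:
    """Returns ("tunnel" | "clear" | "dropped", source address seen on the outside)."""
    natted = policy_nat(rules, f)
    if natted is None:
        return ("dropped", None)
    # Assumption 2: the crypto map 'match address' ACL sees the post-NAT packet.
    if any(ace.matches(natted) for ace in crypto_acl):
        return ("tunnel", natted.src)
    return ("clear", natted.src)


# Objects copied from the posted configuration.
SERVER = "207.69.227.148"
ACL_80 = [Ace("tcp", "172.25.173.0/24", SERVER + "/32", 443)]        # access-list 80
ACL_NET1 = [Ace("ip", h + "/32", "0.0.0.0/0")                          # access-list NET1
            for h in ("172.25.173.31", "172.25.173.2", "172.25.173.80")]
ACL_90 = [Ace("tcp", "125.20.37.240/32", SERVER + "/32", 443)]       # crypto map match address 90

# Order as shown in the posted running config: nat (inside) 10 precedes nat (inside) 2.
AS_POSTED: List[NatRule] = [(ACL_NET1, "125.20.37.227"), (ACL_80, "125.20.37.240")]
# Candidate fix (assumption): the more specific VPN policy-NAT rule first.
VPN_FIRST: List[NatRule] = [(ACL_80, "125.20.37.240"), (ACL_NET1, "125.20.37.227")]


def https_to_server(rules: List[NatRule], host: str):
    return egress_path(rules, ACL_90, Flow("tcp", host, SERVER, 443))


def web_browsing(rules: List[NatRule], host: str):
    # 198.51.100.10 is a constructed (TEST-NET-2) stand-in for "any internet site".
    return egress_path(rules, ACL_90, Flow("tcp", host, "198.51.100.10", 443))


def ping_server(rules: List[NatRule], host: str):
    return egress_path(rules, ACL_90, Flow("icmp", host, SERVER))


if __name__ == "__main__":
    # 172.25.173.50 is a constructed host that is not listed in NET1.
    for label, rules in (("as posted", AS_POSTED), ("vpn rule first", VPN_FIRST)):
        for host in ("172.25.173.31", "172.25.173.50"):
            print(f"{label:15} {host:15} https->server {https_to_server(rules, host)} "
                  f"browse {web_browsing(rules, host)} ping {ping_server(rules, host)}")
```

Run it as a script to print the outcome for each (ordering, host) pair. The equivalent checks on a real PIX are `show xlate` (which global address the PC was actually given for the flow) and `show crypto ipsec sa` (whether the encaps counter moves when the PC opens the HTTPS session); if the xlate shows .227, the packet never had a chance to match access-list 90.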

1 Reply

carenas123
Level 5

The Firewall Stateful Inspection of ICMP feature addresses the limitation of qualifying Internet Control Management Protocol (ICMP) messages into either a malicious or benign category by allowing the Cisco IOS firewall to use stateful inspection to "trust" ICMP messages that are generated within a private network and to permit the associated ICMP replies. Thus, network administrators can debug network issues by using ICMP without concern that possible intruders may enter the network.

Try:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b0d
