IPSEC NAT0 and separating internet traffic from tunnel traffic.

jpeter
Level 1

I have a situation with a Corporate Office PIX connecting to a Branch Office Watchguard via an IPSec tunnel, with internal hosts on the corporate LAN also needing access to the internet, as well as an internal ISA Server publishing ftp, smtp, www, ssl and rdp services to the internet. I've included the config for reference, but I'm curious as to whether the following would work as configured. I haven't tried it live since the IPSec tunnel is not available yet; however, I just wanted to make sure I'm on the right track.

I'm also curious as to why two separate access-lists are needed for the internal hosts' NAT 0 and the crypto map. Wouldn't one suffice, other than for future expandability?

---------------------------------------------------------------------

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit tcp any host 208.24.24.135 eq ftp
access-list 101 permit tcp any host 208.24.24.135 eq smtp
access-list 101 permit tcp any host 208.24.24.135 eq www
access-list 101 permit tcp any host 208.24.24.135 eq 443
access-list 101 permit tcp any host 208.24.24.135 eq 3389
access-list 401 permit ip 192.168.254.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 201 permit ip 192.168.254.0 255.255.255.0 192.168.10.0 255.255.255.0
ip address outside 208.24.24.130 255.255.255.192
ip address inside 192.168.254.1 255.255.255.0
global (outside) 1 208.24.24.180-208.24.24.189 netmask 255.255.255.192
global (outside) 1 208.24.24.190 netmask 255.255.255.192
nat (inside) 0 access-list 401
nat (inside) 1 192.168.254.0 255.255.255.0 0 0
static (inside,outside) 208.24.24.135 192.168.254.253 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 208.24.24.129 1
route inside 192.168.20.0 255.255.255.0 192.168.254.253 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ipsectunnel esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 5000
crypto map ipsecout 21 ipsec-isakmp
crypto map ipsecout 21 match address 201
crypto map ipsecout 21 set peer 212.12.12.230
crypto map ipsecout 21 set transform-set ipsectunnel
crypto map ipsecout interface outside
isakmp enable outside
isakmp key ******** address 212.12.12.230 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
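To see why the NAT 0 list (401) and the crypto map list (201) both matter even though they hold the same entry, the following added example (not part of the original post, and not Cisco code) models the PIX 6.x translation order for outbound packets: nat 0 exemption is checked first, then the static, then the dynamic nat/global PAT, and only the post-NAT packet is compared against the crypto map ACL. It uses the networks and addresses from the posted config; the internet destination 198.51.100.10 is a constructed placeholder, and the PAT model simply picks the first address of the global pool.

```python
from ipaddress import ip_address, ip_network

# Networks and addresses taken from the posted PIX config
INSIDE_LAN = ip_network("192.168.254.0/24")      # nat (inside) 1
BRANCH_LAN = ip_network("192.168.10.0/24")       # far side of the tunnel
NAT0_ACL = [(INSIDE_LAN, BRANCH_LAN)]            # access-list 401
CRYPTO_ACL = [(INSIDE_LAN, BRANCH_LAN)]          # access-list 201
STATIC = {ip_address("192.168.254.253"): ip_address("208.24.24.135")}
PAT_POOL_FIRST = ip_address("208.24.24.180")     # global (outside) 1 (simplified to first address)


def acl_match(acl, src, dst):
    """True if any (source-net, dest-net) pair in the ACL covers the packet."""
    return any(src in s and dst in d for s, d in acl)


def translate(src, dst, nat0_acl=NAT0_ACL):
    """Return (translated_source, rule_used) following PIX 6.x precedence:
    nat 0 access-list exemption, then static, then nat/global."""
    if acl_match(nat0_acl, src, dst):
        return src, "nat 0 (exempt)"
    if src in STATIC:
        return STATIC[src], "static"
    if src in INSIDE_LAN:
        return PAT_POOL_FIRST, "nat 1 / global (PAT)"
    return src, "no translation"


def classify(src, dst, nat0_acl=NAT0_ACL):
    """Describe how an inside->outside packet leaves the PIX.
    The crypto map is matched on the packet AFTER translation."""
    src, dst = ip_address(src), ip_address(dst)
    xsrc, rule = translate(src, dst, nat0_acl)
    return {
        "translated_src": str(xsrc),
        "nat_rule": rule,
        "encrypted": acl_match(CRYPTO_ACL, xsrc, dst),
    }


if __name__ == "__main__":
    cases = [
        ("192.168.254.50", "192.168.10.20", NAT0_ACL),   # LAN host to branch
        ("192.168.254.50", "198.51.100.10", NAT0_ACL),   # LAN host to internet
        ("192.168.254.253", "198.51.100.10", NAT0_ACL),  # ISA server to internet
        ("192.168.254.253", "192.168.10.20", NAT0_ACL),  # ISA server to branch
        ("192.168.254.50", "192.168.10.20", []),         # same flow with nat 0 removed
    ]
    for s, d, acl in cases:
        print(s, "->", d, classify(s, d, acl))
```

The last case is the one to watch: with the nat 0 exemption removed, the branch-bound packet is PATed to a public address first, so it no longer matches access-list 201 and leaves the outside interface in the clear instead of entering the tunnel. That is the reason the exemption has to cover exactly the same source/destination pairs as the crypto ACL, which is also why a single list can serve both commands until a second crypto map needs a different set of interesting traffic.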

2 Replies

Nairi Adamian
Cisco Employee

The configuration seems ok. And you are right, one access-list would suffice unless in the future you have different crypto maps with different ACLs.

Hope this helps,

-Nairi

Great, thanks! We'll see how it goes...