Tunnel Everything Through IPSec

mklaphek
Level 1

Hi. If this has been asked before, I apologize and please direct me to the post -- I could not find it.

My question is a little unique. I have a community network where different companies can join to share resources. I am working with one company who has two locations connected on this network. I am trying to set it up such that PIX-A is on the remote end, PIX-C is another company’s PIX, PIX-B is at the main site to terminate the traffic from PIX-A and PIX-C, and PIX-D provides Internet access to local users and users being served from PIX-A.

I know it’s confusing – here’s a basic map below:

Remote Network --> PIX-A --> Community Network --> PIX-B --> Local Company Network --> PIX-D --> Internet

AND

Remote Network --> PIX-A --> Community Network --> PIX-C --> Other Company’s Network

AND

Local Company Network --> PIX-B --> Community Network --> PIX-C --> Other Company’s Network

I have gotten this to work, but it only lasts for a short while and then starts failing again. I’m not sure why it fails, but it just starts.

I’ve tried doing this with basic access-lists; the access-list for PIX-A is below:

!Access List used for access to the Internet and local Corporate LAN:
!
access-list corp deny ip 192.168.103.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list corp deny ip 192.168.103.0 255.255.255.0 10.52.0.0 255.255.0.0
access-list corp permit ip 192.168.103.0 255.255.255.0 any
!
!Access List used to access remote network:
!
access-list remote1 permit ip 192.168.103.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list remote1 permit ip 192.168.103.0 255.255.255.0 10.52.0.0 255.255.0.0
!
!Access List for NAT 0 Statement:
!
access-list no-nat permit ip 192.168.103.0 255.255.255.0 any

Again, it works for a while, and then stops. I’ve never tried this before – I must be missing something, so any help is appreciated. Thanks!

Mike
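Added example, not part of the post above: a small Python first-match evaluator for the PIX-A access-lists quoted in the question. It shows which crypto ACL ("corp" toward PIX-B, "remote1" toward PIX-C) claims a given flow, flags flows claimed by both (the deny lines in "corp" are what keep the two lists disjoint), and whether the "no-nat" list exempts the flow from translation. The source and destination addresses used are constructed samples.

```python
import ipaddress

# PIX-A access-lists as posted in the question (copied so the example runs stand-alone)
PIX_A_ACLS = """
access-list corp deny ip 192.168.103.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list corp deny ip 192.168.103.0 255.255.255.0 10.52.0.0 255.255.0.0
access-list corp permit ip 192.168.103.0 255.255.255.0 any
access-list remote1 permit ip 192.168.103.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list remote1 permit ip 192.168.103.0 255.255.255.0 10.52.0.0 255.255.0.0
access-list no-nat permit ip 192.168.103.0 255.255.255.0 any
"""

def _net(tokens):
    """Consume one PIX address spec ('any' or 'addr mask'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(text):
    """Group 'access-list NAME permit|deny ip SRC DST' lines by name, preserving order."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            continue  # comments and non-IP entries are ignored in this example
        src, rest = _net(parts[4:])
        dst, _ = _net(rest)
        acls.setdefault(parts[1], []).append((parts[2], src, dst))
    return acls

def evaluate(acl, src_ip, dst_ip):
    """PIX first-match semantics, with the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return action
    return "deny"

def classify_flow(acls, src_ip, dst_ip, crypto_acls=("corp", "remote1")):
    """Which crypto ACLs claim the flow (more than one is a misconfiguration: the
    crypto-map sequence order, not the ACL, then decides which peer gets it) and
    whether the 'no-nat' list exempts the flow from translation."""
    tunnels = [n for n in crypto_acls if evaluate(acls[n], src_ip, dst_ip) == "permit"]
    return {"tunnels": tunnels,
            "ambiguous": len(tunnels) > 1,
            "nat_exempt": evaluate(acls["no-nat"], src_ip, dst_ip) == "permit"}

if __name__ == "__main__":
    acls = parse_acls(PIX_A_ACLS)
    for dst in ("10.2.5.5", "10.52.1.1", "8.8.8.8"):  # constructed sample destinations
        print(dst, classify_flow(acls, "192.168.103.10", dst))
```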

2 Replies

wdrootz
Level 4

In IPsec transport mode everything will be encrypted.

In this type of encryption the NAT is after IPsec.

For more information refer to the following url:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml

I have a request to tunnel everything from site B to site A. We want site B's default route to be site A even if traffic is destined for the Internet. This configuration is needed to force traffic through URL filter at site A.