09-30-2008 06:46 AM
I have a PIX 515E which works VPN-wise to a remote site. We are replacing the Linksys unit with a Cisco 871W; however, I am having problems getting it to route. I believe I have the VPN connected; however, now connectivity....
ip inspect name Protection tcp
ip inspect name Protection udp
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key werewwerewrwerw address gateway address 197.x.x.54
!
!
crypto ipsec transform-set Support esp-3des esp-md5-hmac
!
crypto map Tunnel-Home 1 ipsec-isakmp
description Remote Support Tunnel
set peer 197.175.175.54
set transform-set Support
match address 100
!
!
bridge irb
!
interface FastEthernet4
ip address 197.175.175.10 255.255.255.0
ip inspect Protection in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map Tunnel-Home
!
interface Vlan1
description iDNA Exhibition
no ip address
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.113.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 197.175.175.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map Outbound interface FastEthernet4 overload
!
access-list 1 permit 192.168.113.0 0.0.0.255
access-list 1 permit 197.175.175.0 0.0.0.255
access-list 100 permit ip 192.168.113.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.113.0 0.0.0.255 any
no cdp run
!
!
route-map Outbound permit 1
match ip address 101
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
----------------------------------------------------------------------------
THIS TERMINAL IS ONLY FOR AUTHORISED ACCESS
IF YOU DO NOT HAVE AUTHORITY OR PERMISSION PLEASE DISCONNECT NOW!
----------------------------------------------------------------------------^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
password *****
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
Thanks
Ed
09-30-2008 08:39 AM
You have a problem with return traffic getting NATed. Do the following:
Change the NAT ACL:
access-list 102 deny ip 192.168.113.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.113.0 0.0.0.255 any
route-map Outbound2 permit 1
match ip address 102
First remove the old NATing, do:
no ip nat inside source route-map Outbound interface FastEthernet4 overload
Now create the new one with the new ACL and route-map:
ip nat inside source route-map Outbound2 interface FastEthernet4 overload
And make sure on the PIX you have the same idea, but on the PIX the NAT exemption will be through NAT 0 that includes the return path.
If your inside interface on the PIX is named inside, you may have something like this on the PIX:
nat (inside) 0 access-list 103
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.113.0 255.255.255.0
Good luck.
If helpful, rate.
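The NAT-exemption logic from the reply above, as an added example that is not part of the thread: it models Cisco wildcard-mask ACL matching with first-match and implicit-deny semantics, then checks whether any flow the crypto ACL (100) selects for the tunnel would still be translated by the NAT ACL (101 as posted, versus 102 as suggested). The sample host addresses are constructed for the check.

```python
# Added example (not from the thread): model Cisco ACL / route-map NAT
# decisions to verify that VPN-bound traffic is exempt from NAT.
import ipaddress
from typing import List, Tuple

# Each entry: (action, src_net, src_wildcard, dst_net, dst_wildcard), in order.
AclEntry = Tuple[str, str, str, str, str]


def _in_wildcard(ip: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(net))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    care = ~wc_i & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


def acl_match(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; implicit deny at the end of every ACL."""
    for action, snet, swc, dnet, dwc in acl:
        if _in_wildcard(src, snet, swc) and _in_wildcard(dst, dnet, dwc):
            return action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
# ACL 101 from the posted config: NATs everything from 192.168.113.0/24.
ACL_101: List[AclEntry] = [("permit", "192.168.113.0", "0.0.0.255", *ANY)]
# ACL 102 from the reply: deny (exempt) tunnel traffic first, NAT the rest.
ACL_102: List[AclEntry] = [
    ("deny", "192.168.113.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.113.0", "0.0.0.255", *ANY),
]
# Crypto ACL 100: the flows that should be sent through the IPsec tunnel.
ACL_100: List[AclEntry] = [("permit", "192.168.113.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]


def will_nat(nat_acl: List[AclEntry], src: str, dst: str) -> bool:
    """route-map permit + ACL permit => the packet is translated (overload)."""
    return acl_match(nat_acl, src, dst) == "permit"


def nat_conflicts(crypto_acl, nat_acl, samples):
    """Flows the crypto ACL selects for the tunnel that the NAT ACL would still
    translate, so the tunnel never sees the real inside source address."""
    return [(s, d) for s, d in samples
            if acl_match(crypto_acl, s, d) == "permit" and will_nat(nat_acl, s, d)]


# Constructed sample flows: LAN host to the remote VPN LAN, and to the Internet.
SAMPLES = [("192.168.113.25", "192.168.1.10"), ("192.168.113.25", "8.8.8.8")]
```

Running nat_conflicts(ACL_100, ACL_101, SAMPLES) reports the VPN flow as translated, while ACL_102 reports none, which is exactly the change the reply recommends.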