Pix 506E IPsec site to site VPN Problem

Hello All,

I am trying to set up two 506E Pix firewalls to use a Site to Site VPN. I can get that set up; however, afterwards my internet stops working. Can anyone help me with what command I need to enter to tell the PIX to only route my VPN traffic over the VPN and all other traffic over the internet? Also I have PAT enabled because I have an e-mail server and a couple of other things that have to be accessed from the internet.

Thanks,

I can post config if needed.....

t_oldham

In article , t_oldham wrote:
:I am trying to set up two 506E Pix firewalls to use a Site to Site VPN.
:I can get that setup however afterwards my internet will stop working.
:Can anyone help me with what command I need to enter to tell the PIX to
:only route my VPN traffic over the VPN and all other over the internet?

show run | grep crypto_map

and look for the 'match address' clause, and edit the access-list that is shown there.

There is no specific "route this over VPN" command: anything that matches a crypto map 'match address' will go through VPN, and anything that does not match one of the 'match address' ACLs will not go through VPN.

:Also I have PAT enable because I have a e-mail server and a couple
:other things that Have to be accessed from the internet.

Possibly your 'nat (inside) 0 access-list' is too inclusive.

Walter Roberson

grep, hee he... too early to troubleshoot! ;)

show run | include crypto_map

Wil my 3¢

Walter Roberson wrote:
> > :I am trying to set up two 506E Pix firewalls to use a Site to Site VPN.

Wil

- Create an access-list specifying the traffic to be protected by the VPN

- Use the 'split-tunnel' command with the defined access list within the 'vpngroup' command.

JPW

Command to only route my VPN traffic over the VPN and all other over the internet?

In the access-list bound to the crypto process, specify only the traffic to be encrypted, using permit statements.

For example: a talks to b encrypted, but to the rest of the world in cleartext; a is the local network.

access-list 111 permit ip a a_mask b b_mask

The default rule at the end of the list denies all other traffic, so that traffic isn't encrypted... Next, link the access-list to the crypto map.

Example:

access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 100 permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100

Then, permit the IPsec traffic in the access-list applied to the outside interface:

1) Permit isakmp
2) Permit esp or ah, or both esp and ah

Best regards

Rocco

albachiarajenny
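The following is an added worked configuration, not posted by anyone in this thread, that puts Walter's point (a narrow crypto 'match address' ACL and a 'nat (inside) 0' ACL that is not too inclusive) and Rocco's outside-interface permits together in PIX 6.3 syntax. All addresses and names are assumptions: inside network 10.2.2.0/24, remote network 10.1.1.0/24, outside address 198.51.100.2, peer 203.0.113.2, a mail server at 10.2.2.25, the names vpn_traffic, outside_in and newmap, and a placeholder pre-shared key. The "too inclusive" line is left commented out to show the setting that breaks ordinary internet traffic.

```cisco
! Added example configuration (PIX 6.3 syntax); addresses are assumptions.
ip address outside 198.51.100.2 255.255.255.0
ip address inside 10.2.2.1 255.255.255.0

! Only inside <-> remote-site traffic is "interesting" to the VPN.
access-list vpn_traffic permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!
! Too inclusive: the line below would send (and NAT-exempt) everything from
! the inside network through the tunnel, so ordinary internet traffic stops
! working. Leave it out.
! access-list vpn_traffic permit ip 10.2.2.0 255.255.255.0 any

! Exempt tunnelled traffic from translation; PAT everything else on the
! outside interface address.
nat (inside) 0 access-list vpn_traffic
nat (inside) 1 10.2.2.0 255.255.255.0
global (outside) 1 interface

! Port redirection for the mail server that must be reachable from the internet.
static (inside,outside) tcp interface smtp 10.2.2.25 smtp netmask 255.255.255.255

! Outside ACL: inbound SMTP, plus ISAKMP and ESP from the VPN peer only.
access-list outside_in permit tcp any host 198.51.100.2 eq smtp
access-list outside_in permit udp host 203.0.113.2 host 198.51.100.2 eq isakmp
access-list outside_in permit esp host 203.0.113.2 host 198.51.100.2
access-group outside_in in interface outside

! Let decrypted VPN traffic bypass the outside ACL.
sysopt connection permit-ipsec

! Phase 2: the crypto map references the same narrow ACL.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address vpn_traffic
crypto map newmap 10 set peer 203.0.113.2
crypto map newmap 10 set transform-set strong
crypto map newmap interface outside

! Phase 1: pre-shared key bound to the peer address only.
isakmp enable outside
isakmp identity address
isakmp key PLACEHOLDER_PSK address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The check to make after applying this is 'show run | include crypto map' and 'show run | include nat (inside) 0', confirming that both point at an ACL whose destinations are only the remote site's networks; a destination of 'any' in either list is what produces the "VPN works but internet dies" symptom described in the question. The peer side mirrors this configuration with the source and destination networks swapped.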
