Pix-to-Pix & Internet

Hi all !

I have Lan1 connected to Lan2 through an internet VPN made with a pix-to-pix connection (IOS 6.3(3))

Lan1 / (default GW is Pix 501(1)) | Pix 501(1) | ADSL Router | ... (Internet) ... | ADSL Router | Pix 501(2) | Lan2 (default GW is Pix 501(2))

This is the configuration of Pix 501(1) without the split-tunnel

access-list 101 permit ip access-list ipsec permit ip ip address outside ip address inside global (outside) 1 interface nat (inside) 0 access-list 101 route outside 1 sysopt connection permit-ipsec crypto ipsec transform-set myset esp-3des esp-sha-hmac crypto map mymap 21 ipsec-isakmp rypto map mymap 21 match address ipsec crypto map mymap 21 set peer crypto map mymap 21 set transform-set myset crypto map mymap interface outside isakmp enable outside isakmp key ******** address netmask no-xauth isakmp identity address isakmp policy 21 authentication pre-share isakmp policy 21 encryption 3des isakmp policy 21 hash sha isakmp policy 21 group 1 isakmp policy 21 lifetime 1000

The VPN is up and running except PC in Lan1 can't surf the web. I've tried the split-tunnel without success but probably I've made a mistake. Any suggestion to surf the web ? Where could I find some useful docs ? Thanks in advance !

Greetings Pi

Reply to
Loading thread data ...

--The following command is missing

nat (inside) 1 0 0

You must configure the PIX to translate your inside-to-internet traffic, and this is done with the commands

nat (inside) 1 0 0 global (outside) 1 interface

-- IPSEC traffic will first trigger nat (inside) 0 access-list 101

and all remaining traffic will trigger nat (inside) 1 0 0

Reply to

mcaissie has correctly pointed out that nat (inside) 1 is missing from the configuration. The global (interface) (x) and nat (interface) (x) should match. Currently you are not natting any traffic and that's why you are not able to go outside. sh xlat will show you nothing without properly aligned global and nat commands.


Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.