PIX-515E Default routing and cryptos
Forum Index -> comp.dcom.sys.cisco

Author: Zub (Guest)
Posted: Mon Nov 05, 2007 2:12 pm
Post subject: PIX-515E Default routing and cryptos

Afternoon All,

I am having a problem setting up a PIX-515E which has three
interfaces:
- inside (LAN)
- outside (1st ISP)
- outside_eclipse (2nd ISP)

As you can see from the attached config I have added both outside
interfaces to the NAT pool, so static routing defines which traffic
should be pumped out and natted to which interface.
I have placed static routes for all the crypto peers to go out the
outside interface.

When I change the default route to
route outside_eclipse 0.0.0.0 0.0.0.0 <2nd ISP's gw> 1
all non-crypto-based traffic works fine; however, all the site-to-sites
go down.

I am at a loss as to why the crypto traffic is paying no attention to
the static routes, or is there something wrong with my NAT config?

I appreciate any help or advice.

------
removed ssh, telnet, usernames, all the vpngroups, snmp-server, http,
5 splittunnels, ip local pools, a few static nats (inside, outside)
for smtp, many static routes etc

!
!Chassis type: PIX-515E - a PIX
!CPU: Pentium II 433 MHz
!
!Memory: 32 MB RAM
!This PIX has a Restricted (R) license.
!
!
!
!Image: Compiled: on Thu 04-Aug-05 21:40 by morlee
!
!
!
!Flash: flash file system: version:3 magic:0x12345679
!Flash: file 0: origin: 0 length:1978424
!Flash: file 1: origin: 2097152 length:23332
!Flash: file 2: origin: 2228224 length:1927
!Flash: file 3: origin: 2359296 length:3126944
!Flash: file 4: origin: 0 length:0
!Flash: file 5: origin:16646144 length:308
!
!
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 outside_eclipse security0
!enable password <removed>
!passwd <removed>
hostname <removed>
domain-name <removed>
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network <removed>
description devices allowed to access <removed>
network-object <removed> 255.255.255.0
object-group network <removed>-Permitted_devices
description Devices allowed to access <removed>
network-object <removed> 255.255.255.128
access-list internet_in permit esp any any
access-list internet_in permit udp any any eq isakmp
access-list internet_in permit udp any any eq 50
access-list internet_in permit udp any any eq 51
access-list internet_in permit gre any any
access-list internet_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip any <removed> <removed>
access-list outside_cryptomap_dyn_20 permit ip any <removed> <removed>
access-list outside_cryptomap_dyn_40 permit ip any <removed> <removed>
access-list outside_cryptomap_dyn_60 permit ip any <removed> <removed>
access-list outside_cryptomap_dyn_80 permit ip any <removed> <removed>
access-list outside_cryptomap_20 permit ip <removed>
access-list outside_cryptomap_40 permit ip <removed>
access-list outside_cryptomap_60 permit ip <removed>
access-list outside_cryptomap_80 permit ip <removed>
ip address outside outside 255.255.255.240
ip address inside inside 255.255.255.0
ip address outside_eclipse outside_eclipse 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
global (outside_eclipse) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 <removed> 255.255.255.0 0 0
nat (inside) 1 <removed> 255.255.255.0 0 0
nat (inside) 1 <removed> 255.255.255.0 0 0
nat (inside) 1 <removed> 255.255.255.0 0 0
access-group internet_in in interface outside
route outside 0.0.0.0 0.0.0.0 <removed_outside_gw> 1
route outside <removed> 255.255.255.255 <removed_outside_gw> 1
route outside <removed> 255.255.255.255 <removed_outside_gw> 1
route outside <removed> 255.255.255.255 <removed_outside_gw> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer <removed>
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs group2
crypto map outside_map 40 set peer <removed>
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer <removed>
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer <removed>
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
crypto map outside_eclipse_map client authentication LOCAL
crypto map outside_eclipse_map interface outside_eclipse
isakmp enable outside
!isakmp key <removed> address <removed> netmask 255.255.255.255 no-xauth no-config-mode
!isakmp key <removed> address <removed> netmask 255.255.255.255 no-xauth no-config-mode
!isakmp key <removed> address <removed> netmask 255.255.255.255 no-xauth no-config-mode
!isakmp key <removed> address <removed> netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 60
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication rsa-sig
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash sha
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400
telnet timeout 5
ssh timeout 15
management-access inside
console timeout 0
terminal width 80
: end
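As an added illustration (this is not part of Zub's post and not Cisco code), the following Python model shows the mechanism the question turns on: a PIX picks the egress interface for the cleartext packet by longest-prefix route lookup, and then consults only the crypto map bound to that interface. The host routes in the config cover the peer addresses, so they steer the ISAKMP/ESP packets the firewall itself sends to each peer; the inner traffic for the remote LANs behind those peers is routed by the default route. All gateways, peer addresses and protected subnets below are constructed placeholders standing in for the post's <removed> values, and the crypto ACLs are reduced to the destination networks they protect.

```python
"""Model of PIX egress selection and per-interface crypto map lookup.

Added example, not from the original post. Addresses are constructed
placeholders (RFC 5737 / RFC 1918 ranges) for the post's <removed> values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    interface: str
    network: ipaddress.IPv4Network
    gateway: str
    metric: int = 1


@dataclass(frozen=True)
class CryptoEntry:
    seq: int
    peer: str
    # the "match address" ACL, reduced to the remote networks it protects
    protected: tuple


# Constructed stand-ins for the post's removed gateways, peer and remote LAN.
OUTSIDE_GW = "198.51.100.1"       # <removed_outside_gw>
ECLIPSE_GW = "192.0.2.1"          # <2nd ISP's gw>
PEER_A = "203.0.113.10"           # "crypto map outside_map 20 set peer <removed>"
REMOTE_LAN_A = "10.20.0.0/24"     # destination side of outside_cryptomap_20

# "route outside <peer> 255.255.255.255 <removed_outside_gw> 1"
PEER_ROUTES = [Route("outside", ipaddress.ip_network(f"{PEER_A}/32"), OUTSIDE_GW)]

# Crypto maps as bound in the post: outside_map carries the site-to-site
# entries, outside_eclipse_map has no ipsec-isakmp entries at all.
CRYPTO_MAPS = {
    "outside": [CryptoEntry(20, PEER_A, (ipaddress.ip_network(REMOTE_LAN_A),))],
    "outside_eclipse": [],
}


def best_route(routes, dst):
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def forwarding_decision(routes, crypto_maps, dst):
    """Return (egress interface, matching crypto map sequence or None).

    The crypto map is consulted only on the interface the route selects,
    which is why a destination routed out outside_eclipse never sees the
    entries of outside_map.
    """
    route = best_route(routes, dst)
    if route is None:
        return (None, None)
    addr = ipaddress.ip_address(dst)
    for entry in crypto_maps.get(route.interface, []):
        if any(addr in net for net in entry.protected):
            return (route.interface, entry.seq)
    return (route.interface, None)


def with_default_via(interface, gateway):
    """Peer host routes plus a default route out the given interface."""
    default = Route(interface, ipaddress.ip_network("0.0.0.0/0"), gateway)
    return PEER_ROUTES + [default]


def compare_defaults(dst):
    """Decision for dst under each of the two default routes from the post."""
    return {
        "outside": forwarding_decision(
            with_default_via("outside", OUTSIDE_GW), CRYPTO_MAPS, dst),
        "outside_eclipse": forwarding_decision(
            with_default_via("outside_eclipse", ECLIPSE_GW), CRYPTO_MAPS, dst),
    }


if __name__ == "__main__":
    for dst in ("10.20.0.5", PEER_A, "8.8.8.8"):
        print(dst, compare_defaults(dst))
```

Running it shows that a packet for the remote LAN (10.20.0.5) matches outside_map sequence 20 while the default route points out outside; with the default moved to outside_eclipse the same packet egresses outside_eclipse, where no crypto entry matches, so it would be NATted out in the clear. Only the peer address itself keeps following the host route to outside in both cases. The defensive reading is that host routes for the peers are not enough; the remote protected networks need routes (or a crypto map) on the interface the traffic actually leaves by.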
Copyright © 2002-2006 Web-S-Sense Pty. Ltd. All rights reserved.