I have a problem and hope someone can help. I have a PIX 515 configuration which concerns an Internet-bound protection. I need to add a VPN connection to this to a specific site, to two PIXes. I have tried, but I lose the internet connection when I set up the VPN. The config is listed below (edited). If I use the standard sysopt, crypto map and isakmp setup to create the VPN configuration, can someone suggest what else I need in this configuration to retain the internet and mail configurations as well?
I am asking because although I will be able to figure it out, my deadline on this beast has been drastically shortened and I don't want a major re-configure.
Help is appreciated.
PIX Version 5.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password ArPXz6sevH0jgNp3 encrypted
passwd ch08b2riuwGx.j67 encrypted
hostname scully
domain-name rnein.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list 110 permit tcp host 10.1.6.102 any eq www
access-list 110 permit tcp host 10.1.6.102 any eq 443
access-list 110 permit tcp host 10.1.6.102 any eq ftp
access-list 110 permit tcp host 10.1.6.102 host ***.***.***.*** eq nntp
access-list 110 permit tcp host 10.1.6.102 host ***.***.***.*** eq nntp
access-list 110 permit udp host 10.1.6.102 host ***.***.***.*** eq domain
access-list 110 permit udp host 10.1.6.102 host ***.***.***.*** eq domain
access-list 110 permit tcp host 10.1.6.106 any eq 22
access-list 110 permit tcp host 10.1.6.103 host ***.***.***.*** eq 22
access-list 110 permit tcp host 10.1.6.103 host ***.***.***.*** eq 22
access-list 110 permit tcp host 10.1.6.103 host ***.***.***.*** eq 22
access-list 110 permit tcp host 10.1.6.104 any eq www
access-list 110 permit udp host 10.1.6.104 host ***.***.***.*** eq domain
access-list 110 permit udp host 10.1.6.104 host ***.***.***.*** eq domain
access-list 110 permit udp host 10.1.6.107 host ***.***.***.*** eq domain
access-list 110 permit udp host 10.1.6.107 host ***.***.***.*** eq domain
access-list 110 permit udp host 10.1.6.100 host ***.***.***.*** eq domain
access-list 110 permit udp host 10.1.6.100 host ***.***.***.*** eq domain
access-list 110 permit tcp host 10.1.6.100 any eq smtp
access-list 110 permit icmp host 10.1.6.107 any echo
access-list 110 permit tcp host 10.1.6.107 any eq ftp
access-list 110 permit tcp host 10.1.6.107 any eq www
access-list 110 permit tcp host 10.1.6.107 any eq 443
access-list 110 permit udp host 10.1.6.101 host ***.***.***.*** eq domain
access-list 110 permit udp host 10.1.6.101 host ***.***.***.*** eq domain
access-list 110 permit tcp host 10.1.6.101 any eq smtp
access-list 110 permit tcp host 10.1.6.103 host ***.***.***.*** eq 22
access-list 110 deny icmp any any
access-list 110 permit tcp host 10.1.6.103 host ***.***.***.*** eq 22
access-list 110 permit tcp any any eq domain
access-list 110 permit tcp host 10.1.6.111 any eq smtp
access-list 110 permit udp host 10.1.6.111 host ***.***.***.*** eq domain
access-list 110 permit udp host 10.1.6.111 host ***.***.***.*** eq domain
access-list 110 deny ip any any
access-list 120 permit tcp any host ***.***.***.*** eq smtp
access-list 120 permit tcp any host ***.***.***.*** eq 443
access-list 120 permit icmp any ***.***.***.*** 255.255.255.240 echo-reply
access-list 120 permit icmp any ***.***.***.*** 255.255.255.240 unreachable
access-list 120 permit icmp any ***.***.***.*** 255.255.255.240 time-exceeded
access-list 120 deny icmp any any
access-list 120 permit tcp any host ***.***.***.*** eq smtp
access-list 120 deny ip any any
pager lines 24
logging on
logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
logging trap debugging
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside ***.***.***.*** 255.255.255.192
ip address inside 10.1.6.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 2 ***.***.***.***
global (outside) 3 ***.***.***.***
nat (inside) 2 10.1.6.103 255.255.255.255 0 0
nat (inside) 3 10.1.6.107 255.255.255.255 0 0
static (inside,outside) ***.***.***.*** 10.1.6.101 netmask 255.255.255.255 0 0
static (inside,outside) ***.***.***.*** 10.1.6.100 netmask 255.255.255.255 0 0
static (inside,outside) ***.***.***.*** 10.1.6.102 netmask 255.255.255.255 0 0
static (inside,outside) ***.***.***.*** 10.1.6.104 netmask 255.255.255.255 0 0
static (inside,outside) ***.***.***.*** 10.1.6.111 netmask 255.255.255.255 0 0
access-group 120 in interface outside
access-group 110 in interface inside
route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1
route inside 10.1.6.96 255.255.255.224 10.1.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
no sysopt route dnat
isakmp identity address
telnet timeout 5
ssh timeout 5
terminal width 80
Again....thanks for any help.
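One way to lay the site-to-site tunnel on top of this config without disturbing the existing global/nat/static lines, written as an added example and not part of the original post. The remote peer 203.0.113.10, the remote LAN 192.168.50.0/24, the ACL and crypto map names, and the pre-shared key placeholder are all assumptions to be replaced. The two things that usually take internet access down when a VPN is added to a PIX of this vintage are a NAT exemption (nat 0) that is wider than the tunnel subnets, and a crypto ACL that matches "any"; both are kept to exactly the one subnet pair here.

```cisco
! Added example, not from the original post. Assumed values: remote peer
! 203.0.113.10, remote LAN 192.168.50.0/24, the ACL/map names and the key
! placeholder. Existing global, nat and static lines are left as they are.
!
! 1. Exempt only site-to-site traffic from NAT. nat 0 access-list takes
!    priority over the statics, so 10.1.6.100-111 reach the remote LAN with
!    their real addresses. An entry matching "any" here would also exempt
!    internet-bound traffic, which then leaves outside with a 10.x source.
access-list nonat permit ip 10.1.6.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 2. Crypto ACL: what gets encrypted. Same subnet pair, mirrored on the
!    remote PIX. "permit ip any any" here pulls all outbound traffic into
!    the tunnel and breaks normal internet access.
access-list vpn-traffic permit ip 10.1.6.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! 3. Inside ACL 110 ends in "deny ip any any" and PIX 5.3 only appends
!    entries, so the final deny is removed, the permit added, the deny
!    put back. Hosts on 10.1.6.0/24 can otherwise never reach the remote LAN.
no access-list 110 deny ip any any
access-list 110 permit ip 10.1.6.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 110 deny ip any any
!
! 4. Let decrypted tunnel traffic bypass outside ACL 120. From here on the
!    crypto ACL is the effective policy for what the remote site can reach.
sysopt connection permit-ipsec
!
! 5. IKE phase 1 (pre-shared key). 3DES needs the 3DES feature licence on
!    5.3; on a DES-only box use "encryption des" on both ends.
isakmp enable outside
isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 203.0.113.10 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! 6. IPsec phase 2 and the crypto map, bound to the outside interface.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-traffic
crypto map vpnmap 10 set peer 203.0.113.10
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
```

After pasting, run `clear xlate` so existing translations pick up the new nat 0 rule, generate traffic from an inside host to the remote LAN, and check `show crypto isakmp sa` and `show crypto ipsec sa` for the SA and packet counters. `show xlate` should still list the statics and the PAT entries for 10.1.6.103 and 10.1.6.107 while a host browses the internet; if those xlates stop appearing, the nonat ACL or the crypto ACL has been written too broadly. The same configuration, with the subnets in the ACLs swapped and the peer set to this PIX's outside address, goes on the remote PIX.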