Setup EZVPN to PIX but still use local gateway

Status
Not open for further replies.

jcbeckettnz

IS-IT--Management
Jan 14, 2009
Hi there,

I would like to setup a VPN tunnel to our main office which has a PIX setup with a working EZVPN. We already have one branch office working with this fine, all traffic is directed through the VPN tunnel.

I am setting up a new branch office but I would like this one to establish the VPN tunnel but still use the local gateway for internet traffic (so all other traffic does not go through the VPN).

Can anyone let me know how I can achieve this?

Main office has a Cisco PIX 515e

New branch office has a Cisco 851

PIX VPN config:

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set peer remoteip1 remoteip2
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp log 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote123 dns-server int-Liberator int-babel
vpngroup remote123 wins-server int-Liberator
vpngroup remote123 default-domain our.domain
vpngroup remote123 idle-time 1800
vpngroup remote123 password ********

Previous branch office VPN config:

crypto ipsec client ezvpn remote123
connect auto
group remote123 key password
mode network-extension
peer branchip

Thanks
 
Can you post full scrubbed configs from both devices??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hey there,

PIX config: (name, access-list & static removed)


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 backdmz90 security90
nameif ethernet3 dmz75 security75
nameif ethernet4 frontdmz50 security50
nameif ethernet5 perimeter25 security25
enable password password encrypted
passwd password encrypted
hostname pix
domain-name console.com.au
clock timezone utc 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names

access-list compiled

no pager
logging on
logging timestamp
logging console informational
logging monitor emergencies
logging trap informational
logging history informational
logging facility 6
logging queue 5512
logging device-id hostname
logging host inside orion
icmp permit any outside
icmp permit any inside
icmp permit any dmz75
mtu outside 1500
mtu inside 1500
mtu backdmz90 1500
mtu dmz75 1500
mtu frontdmz50 1500
mtu perimeter25 1500
ip address outside 203.202.181.177 255.255.255.240
ip address inside 192.168.100.3 255.255.255.0
ip address backdmz90 172.16.2.3 255.255.255.0
ip address dmz75 192.168.110.3 255.255.255.0
ip address frontdmz50 172.16.10.1 255.255.255.0
ip address perimeter25 10.30.30.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface dmz75
ip audit name OutsideAttack attack action alarm drop
ip audit name OutsideInfo info action drop
ip audit interface outside OutsideInfo
ip audit interface outside OutsideAttack
ip audit interface dmz75 OutsideInfo
ip audit interface dmz75 OutsideAttack
ip audit info action
ip audit attack action
ip audit signature 2000 disable
ip audit signature 2004 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
ip audit signature 2150 disable
ip audit signature 2151 disable
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address backdmz90
no failover ip address dmz75
no failover ip address frontdmz50
no failover ip address perimeter25

pdm group DomainControllers inside
pdm group ConsolePrivateIPs inside
pdm group OuboundServicesDestinations outside
pdm group Webmasters inside
pdm group REuploadGroup outside
pdm group transam-group frontdmz50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 203.202.181.178
global (dmz75) 10 interface
global (frontdmz50) 10 ext-mail
global (perimeter25) 10 interface
nat (inside) 0 access-list NZnonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (backdmz90) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz75) 10 0.0.0.0 0.0.0.0 0 0
nat (frontdmz50) 10 0.0.0.0 0.0.0.0 0 0
nat (perimeter25) 10 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group backdmz90_access_in in interface backdmz90
access-group dmz75_access_in in interface dmz75
access-group frontdmz50_access_in in interface frontdmz50
access-group perimeter25_access_in in interface perimeter25
route outside 0.0.0.0 0.0.0.0 203.202.181.190 1
route inside devlan 255.255.255.0 192.168.100.4 1
route inside 172.24.1.0 255.255.255.0 192.168.100.4 1
route inside bneLAN 255.255.255.0 192.168.100.4 1
route inside sydVLAN101dev 255.255.255.128 192.168.100.4 1
route inside sydVLAN102wir 255.255.255.128 192.168.100.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.100.254 password timeout 10
aaa-server LOCAL protocol local
aaa authentication match dmz75_authentication_LOCAL dmz75 LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server int-Liberator source inside prefer
http server enable
http int-alindhardt 255.255.255.255 inside
http int-Liberator 255.255.255.255 inside
http 192.168.100.254 255.255.255.255 inside
http int-defiant 255.255.255.255 inside
http orion 255.255.255.255 inside
snmp-server host inside orion
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt CONSOLE - Access is Restricted, please use proxy.console.com.au 8080 for web access
auth-prompt reject CONSOLE - You are not authorised to access this resource.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set peer ip1 ip2 ip3
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp log 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote123 dns-server int-Liberator int-babel
vpngroup remote123 wins-server int-Liberator
vpngroup remote123 default-domain console.com.au
vpngroup remote123 idle-time 1800
vpngroup remote123 password ********
telnet int-alindhardt 255.255.255.255 inside
telnet int-Liberator 255.255.255.255 inside
telnet orion 255.255.255.255 inside
telnet timeout 15
ssh int-alindhardt 255.255.255.255 inside
ssh timeout 5
console timeout 60
dhcpd dns 203.2.75.2 203.2.75.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username localadmin password password encrypted privilege 15
terminal width 80

Branch office config:

show config
Using 3368 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CON-NZ-ROUT1720
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 password
enable password 7 password
!
username localadmin privilege 15 password 7 password
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip dhcp excluded-address 192.168.64.4
!
!
no ip domain lookup
ip name-server 192.168.100.252
ip name-server 192.168.100.99
no ip bootp server
ip cef
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip ips po max-events 100
ip ips name intrusion
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn remote123
connect auto
group remote123 key password
mode network-extension
peer 203.202.181.177
!
!
!
!
interface ATM0
no ip address
atm ilmi-keepalive
bundle en
!
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
pvc 0/100
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
ip address 192.168.64.4 255.255.255.0
speed auto
half-duplex
crypto ipsec client ezvpn remote123 inside
!
interface Dialer0
bandwidth 10000
ip address negotiated
no ip redirects
no ip unreachables
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username console@clear.net.nz password 7 password
crypto ipsec client ezvpn remote123
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 203.202.181.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 22
access-list 101 permit tcp 203.202.181.0 0.0.0.255 any eq 22
access-list 101 remark Allow Telnet and SSH to VTY
access-list 101 permit tcp 192.168.64.0 0.0.0.255 any eq telnet
access-list 102 remark Incoming traffic
access-list 102 permit ip 192.168.0.0 0.0.255.255 192.168.64.0 0.0.0.255
access-list 102 permit ip 203.202.181.0 0.0.0.255 any
access-list 102 deny ip 0.0.0.0 0.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 198.18.0.0 0.1.255.255 any
access-list 102 deny ip 224.0.0.0 0.15.255.255 any
access-list 102 deny ip any host 255.255.255.255
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq isakmp
access-list 102 permit esp any any
access-list 102 permit tcp any any eq 1723
access-list 102 permit gre any any
access-list 102 deny icmp any any echo
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
password 7 password
login
transport input telnet ssh
transport output none
!
end
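As an added example (not from any poster in this thread): the PIX side of the split-tunnel policy that makes a network-extension EZVPN client send only the head-office networks through the tunnel and everything else out its local default route. It assumes PIX 6.3 syntax (the vpngroup split-tunnel keyword), takes the networks from the posted config, and the access-list name split-remote123 is chosen here. Because the policy is per vpngroup, applying it to remote123 also changes the existing branch; if that site must keep full tunneling, define a separate vpngroup for the new 851 and point its group/key at that name instead.

```cisco
! Added example, not from the thread. PIX 6.3 split-tunnel policy for the
! remote123 EZVPN group; ACL name split-remote123 is an assumption.
! Source = networks behind the PIX that the branch must reach via the tunnel,
! destination = the branch LAN (192.168.64.0/24 in the posted client config).
access-list split-remote123 remark Head-office networks reached through the tunnel
access-list split-remote123 permit ip 192.168.100.0 255.255.255.0 192.168.64.0 255.255.255.0
access-list split-remote123 permit ip 192.168.110.0 255.255.255.0 192.168.64.0 255.255.255.0
access-list split-remote123 permit ip 172.24.1.0 255.255.255.0 192.168.64.0 255.255.255.0
! Push the list to the client; destinations not matched use the branch's own gateway.
vpngroup remote123 split-tunnel split-remote123
```

Two checks on the head-office side: the NZnonat list referenced by "nat (inside) 0" must exempt the branch LAN so inside hosts reply to 192.168.64.0/24 untranslated, and since the 851's non-tunnelled traffic now leaves via Dialer0 with private source addresses, that router needs its own NAT overload to the dialer for it to reach the internet.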