Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

remove split tunnel from PIX

  • Filter
  • Time
  • Show
Clear All
new posts

  • remove split tunnel from PIX

    I have a PIX firewall that is setup to send site-to-site traffic over the VPN tunnel and other traffic to the Internet. I need to change that to send all traffic over the VPN tunnel so it will get to the Internet through a central site firewall. Here is the configuration. Thanks for any assistance.

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password uHNmB01qvBSYn/OF encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname Saginaw
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list pp permit ip
    access-list pp permit ip
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 64.199.21.xx
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list pp
    nat (inside) 1 0 0
    conduit permit icmp any any echo-reply
    conduit permit icmp any any time-exceeded
    conduit permit icmp any any unreachable
    route outside 64.199.21.xx 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http inside
    snmp-server host inside
    snmp-server location SG
    snmp-server contact IT Dept
    snmp-server community PUBLIC
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set paloalto esp-3des esp-sha-hmac
    crypto map pa 20 ipsec-isakmp
    crypto map pa 20 match address pp
    crypto map pa 20 set pfs group2
    crypto map pa 20 set peer 216.234.104.xx
    crypto map pa 20 set transform-set paloalto
    crypto map pa interface outside
    isakmp enable outside
    isakmp key ******** address 216.234.104.xx netmask
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    telnet inside
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    username admin password Xt5V.DkDSqLBaZEo encrypted privilege 2
    terminal width 80

  • #2
    Re: remove split tunnel from PIX

    In the posted configuration, the crypto map definition uses access-list "pp" to determine what traffic is encrypted. NAT exclusion (nat 0) also references the same access-list.

    access-list pp permit ip
    access-list pp permit ip
    nat (inside) 0 access-list pp
    crypto map pa 20 match address pp
    To tunnel all traffic, I would suggest changing access-list pp to permit everything (any). Basically, access-list pp will end up with one line after the other two are removed (no). Something like:

    access-list pp permit ip any
    no access-list pp permit ip
    no access-list pp permit ip
    NOTE: If the endpoint of this tunnel is also the central site firewall, you will probably need to modify the NAT statments and/or ACLs on the central site firewall to deal with internet traffic coming from