Solved

Pix Default Gateway

Posted on 2008-09-29
17
614 Views
Last Modified: 2012-05-05
Using Cisco VPN client we are establishing a secure IPSEC connection to a PIX box. We want the remote users to then (i.e. when on the VPN) browse the internet. We don't want to use split tunnelling.

Could someone tell us how to set up the default gateway parameter on the PIX box so that it is the same as any client within the LAN. I understand the overhead of double bandwidth but this is OK.

Please provide instructions to use PDM.
Question by:malboteju
17 Comments
 
LVL 11

Expert Comment

by:billwharton
ID: 22601798
I strongly suggest you stay away from PDM as it doesn't work as well as the command line. You can also paste commands directly into the PDM console.

Follow steps from this link
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22601896
What version PIX? If using 6.x you cannot do it without split-tunneling. You have to be running 7.x or above.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 22601996
Echo lrmoore.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22602823
If you have enough RAM/Flash I highly recommend upgrading your PIX to the latest version (8.0.4). If not enough for 8.x, then at least upgrade to 7.x.
This will enable this feature and also provide you with more modern features and a more secure platform.
0
 

Author Comment

by:malboteju
ID: 22607735
Thanks a lot for the info. I am not a full-time PIX guy but have experienced a few issues with PDM, and have upgraded a couple of boxes to support ASDM some time ago, which works better, but it's about finding downtime to do it.

According to lrmoore, can this certainly be done with Version 7, and possibly running with ASDM?

RPPreacher mentioned Echo, but did not clarify: is there a solution without upgrading the box?

If possible I prefer to do this without having to stroll through endless commands. I have always appreciated the solid performance of PIXes. Unfortunate that there is no better GUI support to help the busy life of today's admins who have to deal with 100s of different systems every day.

Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 22607762
I was saying lrmoore is right.

Here's the upgrade procedure, step by step
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml
0
 

Author Comment

by:malboteju
ID: 22607792
ok, thanks :), thought that was some workaround using a command.
0
 

Author Comment

by:malboteju
ID: 22607813
In fact, could someone tell me the steps for doing this using PIX 7, so that I can try it on a different box before bringing down the one in question. That's my last request.

0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 22607849
The above link was for upgrading 6.x to 7.x.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22607897
I still say go ahead and upgrade to the latest - 8.0.4 and ASDM 6.1.3
New features and security patches.
0
 

Author Comment

by:malboteju
ID: 22607956
Thanks Gents.

Just to clarify, I'm after a link or steps for setting up default gateway after upgrading to Pix 7.

Not for upgrading itself.

I have another box (running 7.04 and ASDM 5.04) on which I want to test this before upgrading.

0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22608004
ooohhh. if you mean the default gateway for you to get out to the internet it is simply:

route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY_IP 1
where DEFAULT_GATEWAY_IP = your ISP default gateway!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22608011
Wait - you mean for remote VPN users, don't you?
The thing is that this cannot be done easily in the old software. You must upgrade if you want this to be simple and secure.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22608020
6.x just won't do it. Upgrade to 8 if you've got enough flash/RAM.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22608118
Here's how to configure it once you've upgraded:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

Boils down to two simple config lines:
same-security-traffic permit intra-interface
nat (outside) 1 192.168.10.0 255.255.255.0  <==where 192.168.10.0 = VPN client ip pool subnet

0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22608500
lrmoore's config lines look good and will do it but you must upgrade as stated.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22608510
Just make sure you use the NAT command and not static - statics will FORCE all traffic through where you say and you won't be able to access either the web or internal resources.
0
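The accepted solution (intra-interface traffic plus a dynamic NAT for the VPN pool on the outside interface) and Pugglewuggle's warning about statics can be checked against a PIX 7.x running-config dump before a change window. This is an added example, not code from the thread or from Cisco; the config excerpt, pool name and group-policy name are constructed, and it assumes the group-policy lines appear explicitly in the dump (as with `show running-config all`).

```python
import ipaddress
import re

# Constructed PIX 7.x running-config excerpt (sample, not from the thread).
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool VPNPOOL 192.168.10.1-192.168.10.254 mask 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0
nat (outside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
group-policy VPNGROUP attributes
 split-tunnel-policy tunnelall
"""

def _addrs_in(line, net):
    """True if any dotted-quad token on the line falls inside net."""
    return any(ipaddress.ip_address(t) in net
               for t in re.findall(r"\d+\.\d+\.\d+\.\d+", line)
               if all(int(o) < 256 for o in t.split(".")))

def check_hairpin(config, pool_cidr):
    """Return check name -> bool for hairpinning the VPN pool pool_cidr.
    Assumes group-policy lines are present in the dump (show run all)."""
    pool = ipaddress.ip_network(pool_cidr)
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    res = {"intra_interface":
           "same-security-traffic permit intra-interface" in lines}
    # Dynamic NAT on the outside interface must cover the whole pool.
    nat_ids = set()
    for l in lines:
        m = re.match(r"nat \(outside\) (\d+) (\S+) (\S+)$", l)
        if m:
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            if pool.subnet_of(net):
                nat_ids.add(m[1])
    res["nat_outside_covers_pool"] = bool(nat_ids)
    # ...and a global (outside) entry with the same NAT id must exist.
    glob_ids = {m[1] for l in lines
                for m in [re.match(r"global \(outside\) (\d+) ", l)] if m}
    res["global_outside_present"] = bool(nat_ids & glob_ids)
    # A static referencing the pool forces traffic the wrong way (see thread).
    res["no_static_for_pool"] = not any(
        l.startswith("static (") and _addrs_in(l, pool) for l in lines)
    # Clients must send everything through the tunnel (no split tunnelling).
    res["tunnel_all"] = "split-tunnel-policy tunnelall" in lines
    return res
```

Any False in the returned dict names the prerequisite still missing on the box; the `route outside 0.0.0.0 0.0.0.0 ...` default route from earlier in the thread is assumed to be in place already.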
