Solved

A cisco 2600, cisco 1700, a pix 501 and a pix 506e

Posted on 2004-08-19
465 Views
Last Modified: 2012-08-14
I have a Cisco 2600 with an IP scheme of 128.223.x.x on eth0/0 and 172.30.x.x on eth0/1; and a Cisco Pix 506e also at our office with an inside IP of 172.30.0.1. The local private LAN has been on a public IP scheme of 128.223.x.x which we are trying to change over to a private scheme of 172.30.x.x.

By the way, we cannot feasibly switch all connections over in one day because I have six locations connected remotely across a frame-relay where each remote location has a scheme of 128.x.x.x. All local computers can access the new LAN 172.30.x.x addresses as long as we add a second IP address of 128.223.x.x to the same NIC that has the 172.30.x.x; this would be OK because the remote computers can talk to their corresponding local router but in turn cannot talk to our local router if they are on the new IP scheme even if we add another IP of 128.20.x.x to their NICs. One other caveat is that there is a Linux firewall located at 128.223.2.73 on our local LAN – see IP routes for all devices below. I would not normally show the last couple of octets but I feel it is relevant in this screwy network.

So basically I need a computer on the local LAN to talk to both the IP scheme and the old IP scheme w/o having two IPs per NIC. And for the remote locations to do the same via their router back through our local 2600—theirs are 1700s. At the remote locations we have a similar setup, a 1700, a pix 501 and a 2003 server. I apologize that my wording is confusing but this has frustrated me for several weeks and my deadline is about up.

rfiscus@altex.com

CISCO 2600:  lines not necessary removed!

interface FastEthernet0/0
 ip address 128.223.2.254 255.255.0.0
 no ip redirects
 duplex auto
 speed auto
interface Serial0/0.200 point-to-point
 description 256k pvc to SA281
 ip address 192.168.255.1 255.255.255.252
 frame-relay interface-dlci 200
  class 256kcir
interface FastEthernet0/1
 ip address 172.30.10.1 255.255.0.0
 duplex auto
 speed auto
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.0.1
ip route 128.20.0.0 255.255.0.0 192.168.255.2
ip route 128.223.0.0 255.255.0.0 128.223.2.73

PIX 506e:  lines not necessary removed!

interface ethernet0 auto
interface ethernet1 auto
access-list 101 permit tcp any host 24.227.x.x eq www
access-list 101 permit tcp any host 24.227.x.x eq www
access-list 101 permit tcp any host 24.227.x.x eq www
access-list 101 permit tcp any host 24.227.x.x eq www
access-list 101 permit tcp any host 24.227.x.x eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 24.227.x.x 255.255.255.240
ip address inside 172.30.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.30.0.5 255.255.255.255 inside
pdm location 172.30.0.6 255.255.255.255 inside
pdm location 172.30.0.7 255.255.255.255 inside
pdm location 128.223.0.0 255.255.0.0 inside
pdm location 172.30.0.10 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.227.x.x 172.30.0.6 netmask 255.255.255.255 0 0
static (inside,outside) 24.227.x.x 172.30.0.5 netmask 255.255.255.255 0 0
static (inside,outside) 24.227.x.x 172.30.0.7 netmask 255.255.255.255 0 0
static (inside,outside) 24.227.x.x 172.30.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 24.227.x.x 172.30.0.3 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 24.227.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.30.0.0 255.255.0.0 inside

Their remote Router:  lines not necessary removed!

ip subnet-zero
no ip domain lookup
ip cef
class-map match-all voice-priority
  match access-group 150
policy-map POLICY1
  class voice-priority
   priority 128
  class class-default
   fair-queue
interface BRI0
 no ip address
 shutdown
interface FastEthernet0
 ip address 128.20.0.254 255.255.0.0
 speed auto
interface Serial0
 bandwidth 256
 no ip address
 encapsulation frame-relay IETF
 service-module t1 timeslots 1-4
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
interface Serial0.100 point-to-point
 description 256k pvc to xx Main
 ip address 192.168.255.2 255.255.255.252
 frame-relay interface-dlci 100
  class 256kcir
ip classless
ip route 128.223.0.0 255.255.0.0 192.168.255.1
no ip http server

Their remote PIX:  lines not necessary removed!

PIX Version 6.3(3)
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 24.227.x.x 255.255.255.248
ip address inside 172.30.10.50 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.227.x.x 172.30.10.25 netmask 255.255.255.255 0 0
static (inside,outside) 24.227.x.x.132 172.30.10.26 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 24.227.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.30.10.25 255.255.255.255 inside

PLEASE HELP!!!???
Question by:rfiscus

Accepted Solution

by:
bfarmer earned 500 total points
ID: 11848673
A couple of points:

You're using addressing of 172.30.x.x 255.255.0.0 on each of the addresses I see.  This is one big subnet.  You can't do this when you are routing.

Break out each segment into individual class C's:
    172.30.0.0 255.255.255.0
    172.30.1.0 255.255.255.0
    172.30.2.0 255.255.255.0
    ...

Also, it looks like from what you've posted you're using static routing, but I don't see any static routes for the 172.30.x.x networks, just the 128.x.x.x.

2600:

interface FastEthernet0/0   (assuming your users are here)
 ip address 172.30.1.1 255.255.255.0
 ip address 128.223.2.254 255.255.0.0 secondary

interface FastEthernet0/1
 ip address 172.30.0.2 255.255.255.0

ip route 172.30.10.0 255.255.255.0 192.168.255.2

Remote router:

interface FastEthernet0
 ip address 172.30.10.1 255.255.255.0  (don't see another interface, so assuming this is it...)
 ip address 128.20.0.254 255.255.0.0 secondary

ip route 172.30.0.0 255.255.0.0 192.168.255.1    *Used the 255.255.0.0 assuming the rest of the nets are reached via the 2600

You'll have to tweak your PIXes as well with the proper masks and add an internal route for the 172.30.x.x nets - at least on the 2600.  The PIXes look to be local on the remotes.
0
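The mask problem in the accepted answer, as an added example that is not part of the original thread: a Python check that flags a subnet reused on two routed segments and shows when a host hands traffic to its router instead of treating the destination as on-link. The segment labels and the grouping of interfaces per segment are assumptions; the addresses come from the configs posted above.

```python
import ipaddress
from itertools import combinations

# Addressing transcribed from the configs posted in this thread.
# Segment labels and the grouping of interfaces per segment are assumptions.
WAN = ["192.168.255.1/255.255.255.252", "192.168.255.2/255.255.255.252"]
ORIGINAL = {
    "2600 Fa0/0": ["128.223.2.254/255.255.0.0"],
    "2600 Fa0/1 + PIX 506e inside": ["172.30.10.1/255.255.0.0",
                                     "172.30.0.1/255.255.0.0"],
    "frame-relay PVC": WAN,
    "remote 1700 Fa0 + remote PIX inside": ["128.20.0.254/255.255.0.0",
                                            "172.30.10.50/255.255.0.0"],
}
# Addressing from the accepted answer, secondary addresses included.
PROPOSED = {
    "2600 Fa0/0": ["172.30.1.1/255.255.255.0", "128.223.2.254/255.255.0.0"],
    "2600 Fa0/1": ["172.30.0.2/255.255.255.0"],
    "frame-relay PVC": WAN,
    "remote 1700 Fa0": ["172.30.10.1/255.255.255.0", "128.20.0.254/255.255.0.0"],
}

def segment_networks(plan):
    """Map each segment to the set of IP networks configured on it."""
    return {seg: {ipaddress.ip_interface(a).network for a in addrs}
            for seg, addrs in plan.items()}

def cross_segment_overlaps(plan):
    """List (seg_a, seg_b, net_a, net_b) where two segments share address space."""
    found = []
    for (sa, na), (sb, nb) in combinations(segment_networks(plan).items(), 2):
        found += [(sa, sb, str(a), str(b)) for a in na for b in nb if a.overlaps(b)]
    return found

def uses_router(host_if, dst):
    """True if a host addressed as host_if (ip/mask) sends dst to its gateway.

    False means the host considers dst on-link and ARPs for it directly,
    so the packet never reaches the router.
    """
    return ipaddress.ip_address(dst) not in ipaddress.ip_interface(host_if).network

if __name__ == "__main__":
    for name, plan in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, cross_segment_overlaps(plan) or "no subnet reused across segments")
    # Remote server 172.30.10.25 reaching main-office host 172.30.0.5.
    for mask in ("255.255.0.0", "255.255.255.0"):
        print(mask, "-> via router:", uses_router(f"172.30.10.25/{mask}", "172.30.0.5"))
```
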
 

Author Comment

by:rfiscus
ID: 11853383
You are the man -- it slipped my mind about the class c being needed so that the computers would actually use the router.  Once we did that and assigned the secondary IP it all worked well including the remote stores.  You earned your points for sure.  THANK YOU VERY MUCH!

Expert Comment

by:bfarmer
ID: 11854665
You're welcome.  