Need help configuring a Cisco 1721 Router with WIC1 DSU-T1 card and a PIX 501 Firewall for frac/T1 internet access and VPN tunnel to a PIX 515 Firewall.

Posted on 2004-11-09
Last Modified: 2010-08-05
I am trying to configure a Cisco 1721 Router with T1 WIC card and a Cisco PIX 501 Firewall. I am using the Firewall to create my IPSec tunnel to connect to another PIX location. The PIX E0 will be connected to the E0 of the 1721, and the T1 will connect to the RJ45 port on the WIC card. I would like for someone to look at the configuration below and let me know if this will work, and if I have any configuration problems.

CISCO 1721

Current configuration : 1368 bytes
version 12.3
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname lafayette1
enable secret 5 $1$6cIp$CzYfIuBkGVPr0A9vm4m.A0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip name-server
no ftp-server write-enable
interface FastEthernet0
 ip address
 no ip redirects
 speed auto
 no cdp enable
interface Serial0
 ip address
 service-module t1 lbo -7.5db
 service-module t1 timeslots 17-24
 service-module t1 remote-alarm-enable
 no cdp enable
ip classless
ip route Serial0
no ip http server
access-list 1 permit
access-list 101 deny   ip any
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any eq ftp-data any gt 1023
access-list 101 permit udp any any gt 1023
access-list 101 deny   icmp any any redirect
access-list 101 deny   ip any any
no cdp run
snmp-server community public RO
snmp-server enable traps tty
line con 0
line aux 0
line vty 0 4
 password 7 09475B1A0D551A4119

PIX 501

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password WdvoQCeDosMOQheq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lafayette
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 101 permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 0 access-list 101
nat (inside) 1 0 0
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map ipsec 1 ipsec-isakmp
crypto map ipsec 1 match address 101
crypto map ipsec 1 set peer
crypto map ipsec 1 set transform-set strong
crypto map ipsec interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end

Question by:NascarFan3
    LVL 79

    Expert Comment

    First issue I can see is that your IP subnets overlap on your router. You have the same subnet assigned to both interfaces. This is a big no-no, and the router might even choke on it if you try to implement, and tell you that they overlap.

    interface FastEthernet0
     ip address
    interface Serial0
     ip address

    Next issue I see right off the bat is outside IP on the PIX is not in the same subnet as your router's FastEthernet0:
       >ip address outside
    Where did that IP address/mask come from?

    Yet, you are trying to use the same IP subnet for your global IP as your router's serial interface:
       >global (outside) 1 netmask

    Next, you have the router's FE0 interface set to auto speed, full-duplex:
      > interface FastEthernet0
       > speed auto
       > full-duplex

    and the PIX's interface to "auto"
       >interface ethernet0 auto

    Here are my suggested changes:
       interface FastEthernet0
         ip address
         speed 100
       interface Serial0
         ip unnumbered FastEthernet0

       interface ethernet0 100full
       ip address outside
       global (outside) 1 netmask
       route outside



    Author Comment

    The reason I was trying to use the address on the PIX interface was to keep from having to change the other end of the VPN tunnel. I am setting this up to replace older equipment at a remote site. That way if they hooked the new equipment up and no go, then we could swap back without much downtime. The PIX I have here doesn't like change. I will change it if this is the only way it will work. Is there anything else routing wise that looks out of place?
    LVL 79

    Accepted Solution

    Only that your default route on the PIX must be a destination in the same subnet as your outside interface.

    > The reason I was trying to use the address on the PIX interface was to keep from having to change the other end of the VPN tunnel
    So, does your ISP route to subnet through the 199.227.255.x interface?
    If so, you could use on the router's ethernet port, and set the PIX's default to that.
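
An added example, not code from this thread: a small Python lint that applies the expert's two routing checks (router interfaces sharing a connected subnet, and a PIX default gateway that is not on the outside interface's subnet) and also flags the DES / MD5 / DH group 1 settings in the posted VPN config, which are weak by current standards. The addresses below are constructed from RFC 5737 documentation ranges because the real ones were stripped from the post.

```python
import ipaddress

# Constructed sample values standing in for the scrubbed addresses in the post.
ROUTER_IFACES = {
    "FastEthernet0": "192.0.2.1/29",
    "Serial0": "192.0.2.2/29",        # same /29 as FastEthernet0: the expert's first finding
}
PIX_OUTSIDE = "198.51.100.10/29"      # "ip address outside" on the PIX
PIX_DEFAULT_GW = "192.0.2.1"          # "route outside 0 0 <gw>": not in the outside /29
IKE_POLICY = {"encryption": "des", "hash": "md5", "group": "1"}   # posted isakmp policy 1
TRANSFORM_SET = ["esp-des", "esp-md5-hmac"]                       # posted transform-set "strong"


def overlapping_interfaces(ifaces):
    """Return name pairs whose connected subnets overlap (IOS rejects such a config)."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def gateway_on_link(iface_addr, gateway):
    """True when the next hop is inside the interface's own subnet, as PIX 'route' requires."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(iface_addr).network


def weak_crypto(policy, transform_set):
    """List IKE/IPsec settings that are deprecated today (DES, 3DES, MD5, DH groups 1-2)."""
    weak = []
    if policy.get("encryption") in {"des", "3des"}:
        weak.append("ike encryption " + policy["encryption"])
    if policy.get("hash") == "md5":
        weak.append("ike hash md5")
    if policy.get("group") in {"1", "2"}:
        weak.append("ike dh group " + policy["group"])
    weak += ["ipsec " + t for t in transform_set if t in {"esp-des", "esp-3des", "esp-md5-hmac"}]
    return weak


def lint():
    """Run all three checks against the sample values and return human-readable findings."""
    findings = [f"router: {a} and {b} share a subnet" for a, b in overlapping_interfaces(ROUTER_IFACES)]
    if not gateway_on_link(PIX_OUTSIDE, PIX_DEFAULT_GW):
        findings.append(f"pix: default gateway {PIX_DEFAULT_GW} is not on the outside subnet")
    weak = weak_crypto(IKE_POLICY, TRANSFORM_SET)
    if weak:
        findings.append("vpn: weak algorithms: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    print("\n".join(lint()))
```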
