Need help configuring a Cisco 1721 Router with WIC1 DSU-T1 card and a PIX 501 Firewall for frac/T1 internet access and VPN tunnel to a PIX 515 Firewall.

I am trying to configure a Cisco 1721 Router with T1 WIC card and a Cisco PIX 501 Firewall. I am using the Firewall to create my IPSec tunnel to connect to another PIX location. The PIX E0 will be connected to the E0 of the 1721, and the T1 will connect to the RJ45 port on the WIC card. I would like for someone to look at the configuration below and let me know if this will work, and if I have any configuration problems.


CISCO 1721

Current configuration : 1368 bytes
!
version 12.3
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname lafayette1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$6cIp$CzYfIuBkGVPr0A9vm4m.A0
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
!
ip name-server 207.191.50.10
no ftp-server write-enable
!
!
!
!
interface FastEthernet0
 ip address 199.227.255.2 255.255.255.248
 no ip redirects
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0
 ip address 199.227.255.4 255.255.255.248
 fair-queue
 service-module t1 lbo -7.5db
 service-module t1 timeslots 17-24
 service-module t1 remote-alarm-enable
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any eq ftp-data any gt 1023
access-list 101 permit udp any any gt 1023
access-list 101 deny   icmp any any redirect
access-list 101 deny   ip any any
no cdp run
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
line aux 0
line vty 0 4
 password 7 09475B1A0D551A4119
 login
!
!
end
PIX 501


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password WdvoQCeDosMOQheq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lafayette
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.26.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.191.60.174 255.255.255.252
ip address inside 192.168.26.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 199.227.255.3 netmask 255.255.255.248
nat (inside) 0 access-list 101
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
route outside 0.0.0.0 0.0.0.0 199.227.255.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map ipsec 1 ipsec-isakmp
crypto map ipsec 1 match address 101
crypto map ipsec 1 set peer xxx.xxx.xxx.xxx
crypto map ipsec 1 set transform-set strong
crypto map ipsec interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.26.200-192.168.26.240 inside
dhcpd dns 207.191.50.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:055cebeadccaa53714125030b3691f53
: end
[OK]
NascarFan3 Asked:
lrmoore Commented:
First issue I can see is that your IP subnets overlap on your router. You have the same subnet assigned to both interfaces. This is a big no-no, and the router might even choke on it if you try to implement, and tell you that they overlap.

interface FastEthernet0
 ip address 199.227.255.2 255.255.255.248
!
interface Serial0
 ip address 199.227.255.4 255.255.255.248

Next issue I see right off the bat is that the outside IP on the PIX is not in the same subnet as your router's FastEthernet0:
   >ip address outside 207.191.60.174 255.255.255.252
Where did that IP address/mask come from?

Yet, you are trying to use the same IP subnet for your global IP as your router's serial interface:
   >global (outside) 1 199.227.255.3 netmask 255.255.255.248

Next, you have the router's FE0 interface set to auto speed, full-duplex:
  > interface FastEthernet0
   > speed auto
   > full-duplex

and the PIX's interface to "auto"
   >interface ethernet0 auto

Here are my suggested changes:
ROUTER:
   interface FastEthernet0
     ip address 199.227.255.2 255.255.255.248
     speed 100
     full-duplex
   !
   interface Serial0
     ip unnumbered FastEthernet0

PIX:
   interface ethernet0 100full
   ip address outside 199.227.255.4 255.255.255.248
   global (outside) 1 199.227.255.3 netmask 255.255.255.248
   route outside 0.0.0.0 0.0.0.0 199.227.255.2

NascarFan3 (Author) Commented:
The reason I was trying to use the 207.191.60.174 address on the PIX interface was to keep from having to change the other end of the VPN tunnel. I am setting this up to replace older equipment at a remote site. That way if they hooked the new equipment up and no go, then we could swap back without much downtime. The PIX I have here doesn't like change. I will change it if this is the only way it will work. Is there anything else routing wise that looks out of place?
lrmoore Commented:
Only that your default route on the PIX must be a destination in the same subnet as your outside interface.

> The reason I was trying to use the 207.191.60.174 address on the PIX interface was to keep from having to change the other end of the VPN tunnel
So, does your ISP route to 207.191.60.172 subnet through the 199.227.255.x interface?
If so, you could use 207.191.60.173/30 on the router's ethernet port, and set the PIX's default to that.
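The two checks lrmoore makes by hand in his comments above (overlapping subnets on the router's interfaces, and the PIX's default-route gateway and global pool having to sit inside the outside interface's subnet) scripted as an added example; this is not code from the thread or from Cisco, the parser is a minimal one of my own, and the config excerpts are constructed from the configs posted in the question:

```python
import ipaddress
import re

# Constructed excerpts of the router (IOS) and PIX 6.3 configs posted in the question.
ROUTER_CFG = """\
interface FastEthernet0
 ip address 199.227.255.2 255.255.255.248
!
interface Serial0
 ip address 199.227.255.4 255.255.255.248
!
"""

PIX_CFG = """\
ip address outside 207.191.60.174 255.255.255.252
global (outside) 1 199.227.255.3 netmask 255.255.255.248
route outside 0.0.0.0 0.0.0.0 199.227.255.2 1
"""

def router_interfaces(cfg):
    """Return {interface_name: IPv4Interface} for each 'ip address A M' in an IOS config."""
    result, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and current:
            result[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return result

def overlapping_subnets(ifaces):
    """Return pairs of interface names whose connected subnets overlap (IOS rejects these)."""
    names = sorted(ifaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifaces[a].network.overlaps(ifaces[b].network)]

def pix_outside_checks(cfg):
    """Check that the PIX default-route gateway and global pool lie in the outside subnet."""
    outside = re.search(r"^ip address outside (\S+) (\S+)", cfg, re.M)
    gw = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    pool = re.search(r"^global \(outside\) \d+ (\S+) netmask (\S+)", cfg, re.M)
    net = ipaddress.IPv4Interface(f"{outside.group(1)}/{outside.group(2)}").network
    return {
        "gateway_in_outside_subnet": ipaddress.IPv4Address(gw.group(1)) in net,
        "global_in_outside_subnet": ipaddress.IPv4Address(pool.group(1)) in net,
    }
```

Running it against the posted configs flags FastEthernet0/Serial0 as overlapping and both PIX checks as failing; with lrmoore's suggested outside address (199.227.255.4/29) both PIX checks pass.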