Need help configuring a Cisco 1721 Router with WIC1 DSU-T1 card and a PIX 501 Firewall for frac/T1 internet access and VPN tunnel to a PIX 515 Firewall.

Posted on 2004-11-09
Medium Priority
Last Modified: 2010-08-05
I am trying to configure a Cisco 1721 Router with T1 WIC card and a Cisco PIX 501 Firewall. I am using the Firewall to create my IPSec tunnel to connect to another PIX location. The PIX E0 will be connected to the E0 of the 1721, and the T1 will connect to the RJ45 port on the WIC card. I would like for someone to look at the configuration below and let me know if this will work, and if I have any configuration problems.

CISCO 1721

Current configuration : 1368 bytes
version 12.3
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname lafayette1
enable secret 5 $1$6cIp$CzYfIuBkGVPr0A9vm4m.A0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip name-server
no ftp-server write-enable
interface FastEthernet0
 ip address
 no ip redirects
 speed auto
 no cdp enable
interface Serial0
 ip address
 service-module t1 lbo -7.5db
 service-module t1 timeslots 17-24
 service-module t1 remote-alarm-enable
 no cdp enable
ip classless
ip route Serial0
no ip http server
access-list 1 permit
access-list 101 deny   ip any
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any eq ftp-data any gt 1023
access-list 101 permit udp any any gt 1023
access-list 101 deny   icmp any any redirect
access-list 101 deny   ip any any
no cdp run
snmp-server community public RO
snmp-server enable traps tty
line con 0
line aux 0
line vty 0 4
 password 7 09475B1A0D551A4119

PIX 501

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password WdvoQCeDosMOQheq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lafayette
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 101 permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 0 access-list 101
nat (inside) 1 0 0
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map ipsec 1 ipsec-isakmp
crypto map ipsec 1 match address 101
crypto map ipsec 1 set peer xxx.xxx.xxx.xxx
crypto map ipsec 1 set transform-set strong
crypto map ipsec interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end

Question by:NascarFan3
LVL 79

Expert Comment

ID: 12539130
First issue I can see is that your IP subnets overlap on your router. You have the same subnet assigned to both interfaces. This is a big no-no, and the router might even choke on it if you try to implement it, and tell you that they overlap.

interface FastEthernet0
 ip address
interface Serial0
 ip address

Next issue I see right off the bat is that the outside IP on the PIX is not in the same subnet as your router's FastEthernet0:
   >ip address outside
Where did that IP address/mask come from?

Yet, you are trying to use the same IP subnet for your global IP as your router's serial interface:
   >global (outside) 1 netmask

Next, you have the router's FE0 interface set to auto speed, full-duplex:
  > interface FastEthernet0
   > speed auto
   > full-duplex

and the PIX's interface to "auto"
   >interface ethernet0 auto

Here's my suggested changes:
   interface FastEthernet0
     ip address
     speed 100
   interface Serial0
     ip unnumbered FastEthernet0

   interface ethernet0 100full
   ip address outside
   global (outside) 1 netmask
   route outside



Author Comment

ID: 12539391
The reason I was trying to use the address on the PIX interface was to keep from having to change the other end of the VPN tunnel. I am setting this up to replace older equipment at a remote site. That way if they hooked the new equipment up and no go, then we could swap back without much downtime. The PIX I have here doesn't like change. I will change it if this is the only way it will work. Is there anything else routing wise that looks out of place?
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 12539450
Only that your default route on the PIX must be a destination in the same subnet as your outside interface.

> The reason I was trying to use the address on the PIX interface was to keep from having to change the other end of the VPN tunnel
So, does your ISP route to subnet through the 199.227.255.x interface?
If so, you could use on the router's ethernet port, and set the PIX's default to that..
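The checks lrmoore walks through in the two replies above (overlapping subnets on the router's two interfaces, the PIX outside address sitting off the router's FastEthernet0 subnet, a PIX default route whose next hop is not in the outside subnet, and a forced-versus-auto speed/duplex mismatch between FE0 and ethernet0) can be run mechanically against the two config dumps before cabling anything up. The script below is an added example written for this page, not code from the thread or from Cisco; the addresses in its sample configs are constructed RFC 5737 placeholders, since the poster's real addresses are not on the page. It also flags one thing the thread does not raise: the posted PIX crypto lines use DES, MD5 and DH group 1, which are weak by today's standards and worth replacing when the tunnel is rebuilt.

```python
"""Sanity checks for a router + PIX edge pair, mirroring the thread's findings."""
import ipaddress
import re

# Constructed sample configs (RFC 5737 documentation addresses, not the poster's).
# They deliberately reproduce the mistakes discussed above so every check fires.
ROUTER_CFG = """\
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.240
 speed auto
interface Serial0
 ip address 192.0.2.9 255.255.255.240
 service-module t1 timeslots 17-24
"""

PIX_CFG = """\
interface ethernet0 100full
ip address outside 203.0.113.2 255.255.255.240
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
crypto ipsec transform-set strong esp-des esp-md5-hmac
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
"""


def parse_ios_interfaces(cfg):
    """Return {name: {"addr": IPv4Interface|None, "speed": str|None}} from IOS text."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"addr": None, "speed": None})
            continue
        if cur is None:
            continue
        if m := re.match(r"\s+ip address (\S+) (\S+)", line):
            cur["addr"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"\s+speed (\S+)", line):
            cur["speed"] = m.group(1)
    return ifaces


def parse_pix(cfg):
    """Pull the few PIX 6.x lines the checks below need."""
    pix = {"outside": None, "eth0": None, "gateway": None, "isakmp": {}, "transform": []}
    for line in cfg.splitlines():
        if m := re.match(r"interface ethernet0 (\S+)", line):
            pix["eth0"] = m.group(1)
        elif m := re.match(r"ip address outside (\S+) (\S+)", line):
            pix["outside"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            pix["gateway"] = ipaddress.IPv4Address(m.group(1))
        elif m := re.match(r"isakmp policy \d+ (encryption|hash|group) (\S+)", line):
            pix["isakmp"][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.*)", line):
            pix["transform"] = m.group(1).split()
    return pix


def overlapping_interfaces(ifaces):
    """Pairs of router interfaces whose connected subnets overlap."""
    named = [(n, d["addr"].network) for n, d in ifaces.items() if d["addr"]]
    return [(a, b) for i, (a, na) in enumerate(named)
            for b, nb in named[i + 1:] if na.overlaps(nb)]


def findings(router_cfg, pix_cfg):
    """Run every check and return a list of short finding strings (empty = clean)."""
    r, p = parse_ios_interfaces(router_cfg), parse_pix(pix_cfg)
    out = [f"router: {a} and {b} share a subnet" for a, b in overlapping_interfaces(r)]
    fe0 = r.get("FastEthernet0", {}).get("addr")
    if fe0 and p["outside"] and p["outside"].network != fe0.network:
        out.append("pix: outside address is not in the router FastEthernet0 subnet")
    if p["outside"] and p["gateway"] and p["gateway"] not in p["outside"].network:
        out.append("pix: default-route next hop is not in the outside subnet")
    # Forcing one end (100full) while the other autonegotiates ends in half duplex
    # on the auto side: flag whenever exactly one side is set to auto.
    if (r.get("FastEthernet0", {}).get("speed") == "auto") != (p["eth0"] == "auto"):
        out.append("link: one side forced, other side auto (duplex mismatch risk)")
    # Weak IKE/IPsec primitives as they appear in the posted PIX config.
    for k, v in {"encryption": "des", "hash": "md5", "group": "1"}.items():
        if p["isakmp"].get(k) == v:
            out.append(f"vpn: isakmp policy uses {k} {v}")
    if "esp-des" in p["transform"]:
        out.append("vpn: transform-set uses esp-des")
    return out


if __name__ == "__main__":
    for f in findings(ROUTER_CFG, PIX_CFG):
        print(f)
```

Paste the real router and PIX configs in place of the two sample strings; with lrmoore's suggested changes applied (`ip unnumbered FastEthernet0` on Serial0 so it carries no address of its own, the PIX outside address and default-route next hop both inside the FE0 subnet, and both ends of the Ethernet link forced to 100/full) the first four checks go quiet, and only the crypto findings remain until the transform set and ISAKMP policy are changed on both peers.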
