Solved

Need help configuring a Cisco 1721 Router with WIC1 DSU-T1 card and a PIX 501 Firewall for frac/T1 internet access and VPN tunnel to a PIX 515 Firewall.

Posted on 2004-11-09
2,471 Views
Last Modified: 2010-08-05
I am trying to configure a Cisco 1721 Router with T1 WIC card and a Cisco PIX 501 Firewall. I am using the Firewall to create my IPSec tunnel to connect to another PIX location. The PIX E0 will be connected to the E0 of the 1721, and the T1 will connect to the RJ45 port on the WIC card. I would like for someone to look at the configuration below and let me know if this will work, and if I have any configuration problems.


CISCO 1721

Current configuration : 1368 bytes
!
version 12.3
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname lafayette1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$6cIp$CzYfIuBkGVPr0A9vm4m.A0
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
!
ip name-server 207.191.50.10
no ftp-server write-enable
!
!
!
!
interface FastEthernet0
 ip address 199.227.255.2 255.255.255.248
 no ip redirects
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0
 ip address 199.227.255.4 255.255.255.248
 fair-queue
 service-module t1 lbo -7.5db
 service-module t1 timeslots 17-24
 service-module t1 remote-alarm-enable
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any eq ftp-data any gt 1023
access-list 101 permit udp any any gt 1023
access-list 101 deny   icmp any any redirect
access-list 101 deny   ip any any
no cdp run
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
line aux 0
line vty 0 4
 password 7 09475B1A0D551A4119
 login
!
!
end



PIX 501


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password WdvoQCeDosMOQheq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lafayette
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.26.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.191.60.174 255.255.255.252
ip address inside 192.168.26.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 199.227.255.3 netmask 255.255.255.248
nat (inside) 0 access-list 101
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
route outside 0.0.0.0 0.0.0.0 199.227.255.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map ipsec 1 ipsec-isakmp
crypto map ipsec 1 match address 101
crypto map ipsec 1 set peer xxx.xxx.xxx.xxx
crypto map ipsec 1 set transform-set strong
crypto map ipsec interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.26.200-192.168.26.240 inside
dhcpd dns 207.191.50.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:055cebeadccaa53714125030b3691f53
: end

[OK]
Question by:NascarFan3

3 Comments

Expert Comment
by:lrmoore
ID: 12539130
First issue I can see is that your IP subnets overlap on your router. You have the same subnet assigned to both interfaces. This is a big no-no, and the router might even choke on it if you try to implement, and tell you that they overlap.

interface FastEthernet0
 ip address 199.227.255.2 255.255.255.248
!
interface Serial0
 ip address 199.227.255.4 255.255.255.248

Next issue I see right off the bat is that the outside IP on the PIX is not in the same subnet as your router's FastEthernet0:
   >ip address outside 207.191.60.174 255.255.255.252
Where did that IP address/mask come from?

Yet, you are trying to use the same IP subnet for your global IP as your router's serial interface:
   >global (outside) 1 199.227.255.3 netmask 255.255.255.248

Next, you have the router's FE0 interface set to auto speed, full-duplex:
  > interface FastEthernet0
   > speed auto
   > full-duplex

and the PIX's interface to "auto"
   >interface ethernet0 auto

Here are my suggested changes:
ROUTER:
   interface FastEthernet0
     ip address 199.227.255.2 255.255.255.248
     speed 100
     full-duplex
   !
   interface Serial0
     ip unnumbered FastEthernet0

PIX:
   interface ethernet0 100full
   ip address outside 199.227.255.4 255.255.255.248
   global (outside) 1 199.227.255.3 netmask 255.255.255.248
   route outside 0.0.0.0 0.0.0.0 199.227.255.2

0
Author Comment

by:NascarFan3
ID: 12539391
The reason I was trying to use the 207.191.60.174 address on the PIX interface was to keep from having to change the other end of the VPN tunnel. I am setting this up to replace older equipment at a remote site. That way if they hooked the new equipment up and no go, then we could swap back without much downtime. The PIX I have here doesn't like change. I will change it if this is the only way it will work. Is there anything else routing wise that looks out of place?

Accepted Solution
by:lrmoore (earned 2000 total points)
ID: 12539450
Only that your default route on the PIX must be a destination in the same subnet as your outside interface.

> The reason I was trying to use the 207.191.60.174 address on the PIX interface was to keep from having to change the other end of the VPN tunnel
So, does your ISP route to 207.191.60.172 subnet through the 199.227.255.x interface?
If so, you could use 207.191.60.173/30 on the router's ethernet port, and set the PIX's default to that.
0
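Every point lrmoore raises in the two answers above is a mechanical check: two router interfaces carrying the same subnet, the PIX outside address not sharing a subnet with the router's FastEthernet0, the NAT global pool and the default gateway sitting outside the PIX's outside subnet, and speed/duplex pinned on one end but not the other. The script below is an added example written for this page, not code from the thread or from any Cisco tool. It pulls those lines out of the two posted configs with regular expressions, reports the same findings, and then runs clean on lrmoore's suggested changes. The function names and the trimmed-down config snippets are constructed for the example; the addresses are the ones posted in the question.

```python
import ipaddress
import re

# Constructed sample inputs: only the interface, NAT and routing lines from the
# two configs posted in the question (the full configs carry much more).
ROUTER_CONFIG = """\
interface FastEthernet0
 ip address 199.227.255.2 255.255.255.248
 speed auto
 full-duplex
!
interface Serial0
 ip address 199.227.255.4 255.255.255.248
!
"""
PIX_CONFIG = """\
interface ethernet0 auto
nameif ethernet0 outside security0
ip address outside 207.191.60.174 255.255.255.252
global (outside) 1 199.227.255.3 netmask 255.255.255.248
route outside 0.0.0.0 0.0.0.0 199.227.255.2 1
"""
# The same lines after applying the suggested changes from the accepted answer.
ROUTER_FIXED = """\
interface FastEthernet0
 ip address 199.227.255.2 255.255.255.248
 speed 100
 full-duplex
!
interface Serial0
 ip unnumbered FastEthernet0
!
"""
PIX_FIXED = """\
interface ethernet0 100full
nameif ethernet0 outside security0
ip address outside 199.227.255.4 255.255.255.248
global (outside) 1 199.227.255.3 netmask 255.255.255.248
route outside 0.0.0.0 0.0.0.0 199.227.255.2
"""


def parse_ios_interfaces(text):
    """Map IOS interface name -> {'addr': IPv4Interface or None, 'speed', 'duplex'}."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {"addr": None, "speed": None, "duplex": None})
        elif line == "!" or cur is None:
            cur = None                      # end of an interface stanza
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            cur["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"speed (\S+)$", line):
            cur["speed"] = m.group(1)
        elif m := re.match(r"(?:duplex (\S+)|(full|half)-duplex)$", line):
            cur["duplex"] = m.group(1) or m.group(2)
    return ifaces


def parse_pix(text):
    """Pull the PIX 6.x lines the checks need: link mode, nameif, addresses, globals, default route."""
    pix = {"link": {}, "nameif": {}, "addr": {}, "globals": [], "default_gw": {}}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (\S+) (\S+)$", line):
            pix["link"][m.group(1)] = m.group(2)                     # ethernet0 -> auto / 100full
        elif m := re.match(r"nameif (\S+) (\S+) security\d+$", line):
            pix["nameif"][m.group(2)] = m.group(1)                   # outside -> ethernet0
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            pix["addr"][m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
        elif m := re.match(r"global \((\S+)\) \d+ (\S+) netmask (\S+)$", line):
            pix["globals"].append((m.group(1), ipaddress.ip_address(m.group(2))))
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: \d+)?$", line):
            pix["default_gw"][m.group(1)] = ipaddress.ip_address(m.group(2))
    return pix


def router_link_mode(iface):
    """Summarise an IOS interface's speed/duplex in the PIX spelling ('auto', '100full', ...)."""
    speed, duplex = iface["speed"] or "auto", iface["duplex"] or "auto"
    if speed == "auto" and duplex == "auto":
        return "auto"
    if speed != "auto" and duplex != "auto":
        return speed + duplex
    return f"speed {speed}/duplex {duplex}"    # half-pinned: autonegotiation cannot settle this


def lint(router_text, pix_text, lan_if="FastEthernet0"):
    """Return the findings from the thread as strings; an empty list means the configs agree."""
    r, p = parse_ios_interfaces(router_text), parse_pix(pix_text)
    out = []
    addressed = [(n, i["addr"]) for n, i in r.items() if i["addr"] is not None]
    for idx, (an, a) in enumerate(addressed):          # overlapping connected subnets on the router
        for bn, b in addressed[idx + 1:]:
            if a.network.overlaps(b.network):
                out.append(f"router: {an} {a.network} overlaps {bn} {b.network}")
    outside = p["addr"].get("outside")
    if outside is None:
        return out + ["pix: no outside address configured"]
    gw = p["default_gw"].get("outside")
    if gw is not None and gw not in outside.network:  # default route must point at an on-link address
        out.append(f"pix: default gateway {gw} is not on outside subnet {outside.network}")
    for nameif, g in p["globals"]:                     # NAT pool must be on the outside subnet
        if nameif == "outside" and g not in outside.network:
            out.append(f"pix: global {g} is not on outside subnet {outside.network}")
    lan = r.get(lan_if, {}).get("addr")                # router LAN port and PIX outside share a wire
    if lan is not None and lan.network != outside.network:
        out.append(f"pix outside {outside.network} and router {lan_if} {lan.network} are not one subnet")
    pix_link = p["link"].get(p["nameif"].get("outside"))
    if lan_if in r and pix_link and router_link_mode(r[lan_if]) != pix_link:
        out.append(f"link: router {lan_if} is {router_link_mode(r[lan_if])} but PIX outside is {pix_link}")
    return out


if __name__ == "__main__":
    for label, rt, pt in (("as posted", ROUTER_CONFIG, PIX_CONFIG), ("after changes", ROUTER_FIXED, PIX_FIXED)):
        print(label + ":", lint(rt, pt) or ["clean"])
```

Run as-is it prints five findings for the posted configs (the subnet overlap, the gateway, the global pool, the mismatched outside subnet and the link settings) and "clean" for the corrected pair; point `lint()` at any other pair of IOS and PIX 6.x configs to repeat the same checks.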