Migrating from D-Link router to PIX 506E and minimizing downtime (With multiple outside ip-addresses)

Posted on 2005-03-09
Last Modified: 2010-04-17

Our company has two sites, our main Office is in the Netherlands and the other is in China.
A goal that we have is to set up an IPsec VPN tunnel between 2 PIX devices, so we can share network resources.

They gave me a list of 5 IP addresses, ranging from xxx.xxx.xxx.98 to xxx.xxx.xxx.102, and that's it.
Currently there is a working internet connection using a fibre connection and a D-Link DI-804HV router.

The d-link router has the following static settings:
Connection  Static IP  
IP Address xxx.xxx.xxx.101  
Subnet Mask
Gateway xxx.xxx.xxx.97
Domain Name Server

Our plan is to migrate to the Cisco PIX 506E and then connect that device to our PIX 515E at our Main office as you can see  in our drawing here http://www.hollandmechanics.com/Network-Situation-HM---HMC.gif

The network in China has now been set up with the right subnet to join the networks; it is now ready to connect to the other site without conflicts in IP addresses.
A temporary switch has been placed behind the d-link and the PIX, that is only used for migrating.
As you can see, the D-Link router has xxx.xxx.xxx.101 as its outside address and the PIX outside interface is on xxx.xxx.xxx.100.
With the 5 IP addresses that we have, I guess it should be possible to access the internet with multiple devices...
But only the D-Link router can access the internet now!!

When I ping from the PIX to the internet there is no response (i.e. the IP address of www.yahoo.com, www.sophos.com).
Only when I ping the following IP addresses does it respond:
xxx.xxx.xxx.97 (Gateway as set in the d-link router)
xxx.xxx.xxx.100 (Outside Intf. PIX)
xxx.xxx.xxx.101 (D-Link router)

This is the current PIX configuration:

: Saved
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname FW-HMECH-CHI-01
domain-name hm.nl
clock timezone CET 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
pager lines 24
logging on
logging console emergencies
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.100
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 xxx.xxx.xxx.102
nat (inside) 1 0 0
route outside xxx.xxx.xxx.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
http inside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet inside
telnet inside
telnet inside
telnet timeout 5
ssh timeout 60
management-access inside
console timeout 0

As you might understand, as I noted earlier...
the internet connection works from behind the D-Link,
but the PIX doesn't show any sign that I could connect to the internet, though it can ping the outside address of the D-Link router and the default route address.

Does anyone know how to solve this bizarre situation?

Best Regards,
Rick Beemsterboer
Question by:rbeemsterboer

Accepted Solution

skpruett earned 1500 total points
ID: 13511388
Hi rbeemsterboer,
First let's fix your ping problem:

conduit permit icmp any any
    - That will allow a ping response from anyone (including the PIX) inside to anyone outside and the appropriate return.

Try pinging from the PIX again and see what you've got. Then ping from a PC inside and see the same. It looks like your D-Link may have also done DHCP or DNS passthrough for you, so if you can't resolve a named address, or your PCs need DHCP, let me know and I'll give you that config. Now on to some explanation...

nat (inside) 1 0 0
    - This will allow anyone out, including the PIX itself. So you are okay for NAT, which the D-Link probably provided.

global (outside) 1 interface
global (outside) 1 xxx.xxx.xxx.102
    - You really only need the first of these lines. The second one is kind of making a pool, but you don't need it; save that address for a future server you want to host something on.

As for the VPN config, let's get you working to the internet first. Once that's done I'll help you with that. :)
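
Added example, not from the question or from skpruett's answer: a small Python checker that reads a PIX 6.3-style configuration and applies the two points above, that each nat id needs a global with the same id, and the addressing described in the question, that the outside interface, the global pool address and the default gateway all have to sit in the block the ISP handed out. The sample configuration, the 203.0.113.96/29 block and the 192.168.10.0/24 inside LAN are constructed stand-ins for the redacted addresses (assumptions, not values from the page); REVIEW_PATTERNS lists two lines of the posted configuration a reviewer would want to look at again.

```python
import ipaddress
import re

# Constructed sample in the shape of the PIX 6.3 configuration posted in the
# question. Documentation addresses (203.0.113.0/24, RFC 5737) stand in for
# the redacted xxx.xxx.xxx.* ones; 192.168.10.0/24 is an assumed inside LAN.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.100 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
global (outside) 1 interface
global (outside) 1 203.0.113.102
nat (inside) 1 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.97 1
snmp-server community public
conduit permit icmp any any
"""

# Assumption: the ISP's five addresses .98-.102 plus the .97 gateway are the
# usable part of one /29 (.96 is the network, .103 the broadcast address).
ASSIGNED_BLOCK = ipaddress.ip_network("203.0.113.96/29")

# Lines from the posted configuration a reviewer would look at again.
REVIEW_PATTERNS = {
    "snmp-server community public": "default SNMP community string 'public'",
    "conduit permit icmp any any": "ICMP permitted from any host (handy while testing, tighten afterwards)",
}


def parse_pix(text):
    """Pull the addressing, NAT and routing lines out of a PIX 6.x config."""
    cfg = {"ip": {}, "global": [], "nat": [], "routes": [], "raw": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(":"):  # ': Saved' style header line
            continue
        cfg["raw"].append(line)
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            # address/netmask -> IPv4Interface, so .network gives the subnet
            cfg["ip"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)$", line):
            cfg["global"].append((m[1], int(m[2]), m[3]))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)$", line):
            cfg["nat"].append((m[1], int(m[2]), m[3], m[4]))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+) \d+$", line):
            cfg["routes"].append((m[1], m[2], m[3], m[4]))
    return cfg


def unpaired_nat_ids(cfg):
    """The PIX matches 'nat (inside) N' to 'global (outside) N' by N; a nat
    id with no global of the same id translates nothing."""
    global_ids = {gid for _, gid, _ in cfg["global"]}
    return sorted({nid for _, nid, _, _ in cfg["nat"] if nid not in global_ids})


def outside_addresses(cfg):
    """Every public address the PIX sources from or forwards to, by role."""
    addrs = {}
    if "outside" in cfg["ip"]:
        addrs["outside interface"] = cfg["ip"]["outside"].ip
    for iface, gid, target in cfg["global"]:
        if iface == "outside" and target != "interface":
            # a pool is either a single address or 'first-last'
            addrs[f"global pool {gid}"] = ipaddress.ip_address(target.split("-")[0])
    for iface, dest, _mask, gw in cfg["routes"]:
        if iface == "outside" and dest == "0.0.0.0":
            addrs["default gateway"] = ipaddress.ip_address(gw)
    return addrs


def addresses_outside_block(cfg, block=ASSIGNED_BLOCK):
    """Anything not inside the assigned block is never routed back by the ISP."""
    return [role for role, ip in outside_addresses(cfg).items() if ip not in block]


def outside_mask_matches(cfg, block=ASSIGNED_BLOCK):
    """A wrong mask on the outside interface can put the gateway off-link,
    so the PIX cannot ARP for it even though the address itself is right."""
    return "outside" in cfg["ip"] and cfg["ip"]["outside"].network == block


def review_flags(cfg):
    """Config lines worth a second look, in the order they appear."""
    return [note for line in cfg["raw"]
            for pattern, note in REVIEW_PATTERNS.items() if line.startswith(pattern)]


if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_CONFIG)
    print("nat ids without a matching global:", unpaired_nat_ids(cfg))
    print("addresses outside the assigned block:", addresses_outside_block(cfg))
    print("outside mask matches the block:", outside_mask_matches(cfg))
    for note in review_flags(cfg):
        print("review:", note)
```

Run it as a script for the summary, or hand parse_pix() the text of the running configuration. The nat/global pairing and the block membership checks are exact; the mask check only confirms the outside subnet equals the assumed /29, so set ASSIGNED_BLOCK to whatever block the ISP actually assigned before trusting it.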


Author Comment

ID: 13529320

Thanks for your response. I have been trying again with the Chinese colleague of mine, and it really does seem that the ISP is blocking some traffic.

A friend of mine who is working with Cisco devices almost every day came to the same conclusion.
He was kind enough to log in and check what I have set up, and tested further.

As I wrote earlier, it was possible to ping the gateway, but this is wrong (I confused it with the broadcast address).
From the PIX I can only ping x.x.x.248 subnet hosts and internally.
When I ping from the D-Link to the outside, not a single host on the internet would still respond.
Also from behind the D-Link on a workstation, not a single response from an internet host.
So ICMP is probably closed, but other services have problems also. I did a 'debug packet ...' and saw an incoming packet arrive on port 80 that was from my private address. That was OK! First response in a long time.
Then I tried other things such as connecting with the VPN (client) or SSH from outside to the PIX. No response!
I got these working on our other PIX, but not here, and no response when debugging.

So we tried to use a workstation and point its gateway to the PIX, but no success.
Our only option is to check whether, when we replace the PIX with a workstation, we can do things from there.

The Chinese colleague said he had contacted the ISP and they told us no ports were closed.
But I am beginning to doubt what he asked!

So not much we can do from here, I think.
I am gonna check if the PIX replacement (with a PC) works, and otherwise call the China ISP and talk with them.
Perhaps let another company fix this problem; it is eating away my time for other projects and spare/free time.

Regards, Rick.

PS. I will get back to this subject.


Author Comment

ID: 13587689
For the moment we still have to wait for a response from the ISP in China, so I will accept your answer, since I don't think I want to continue this subject. Thank you for your response.
