Migrating from D-Link router to PIX 506E and minimizing downtime (With multiple outside ip-addresses)

Posted on 2005-03-09
Last Modified: 2010-04-17
Hi,

Our company has two sites: our main office is in the Netherlands and the other is in China.
A goal that we have is to set up an IPsec VPN tunnel between 2 PIX devices, so we can share network resources.

They gave me a list of 5 IP addresses, ranging from xxx.xxx.xxx.98 to xxx.xxx.xxx.102, and that's it.
Currently there is a working internet connection using a fibre connection and a D-Link router DI-804HV.

The D-Link router has the following static settings:
Connection  Static IP  
IP Address xxx.xxx.xxx.101  
Subnet Mask 255.255.255.248
Gateway xxx.xxx.xxx.97
Domain Name Server 61.147.37.1

Our plan is to migrate to the Cisco PIX 506E and then connect that device to our PIX 515E at our main office, as you can see in our drawing here: http://www.hollandmechanics.com/Network-Situation-HM---HMC.gif

The network in China has now been set up with the right subnet to join the networks; it is ready to connect to the other site without conflicts in IP addresses.
A temporary switch has been placed behind the D-Link and the PIX; it is only used for migrating.
As you can see, the D-Link router has xxx.xxx.xxx.101 as its outside address and the PIX outside interface is on xxx.xxx.xxx.100.
With the 5 IP addresses that we have, I guess it should be possible to access the internet with multiple devices...
But only the D-Link router can access the internet now!!

When I ping from the PIX to the internet there is no response (i.e. the IP address of www.yahoo.com, www.sophos.com).
Only when I ping the following IP addresses does it respond:
xxx.xxx.xxx.97 (gateway as set in the D-Link router)
xxx.xxx.xxx.100 (outside interface of the PIX)
xxx.xxx.xxx.101 (D-Link router)

This is the current PIX configuration:

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname FW-HMECH-CHI-01
domain-name hm.nl
clock timezone CET 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 192.168.0.0 LAN_PURMEREND
pager lines 24
logging on
logging console emergencies
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.100 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL 10.253.253.1-10.253.253.254
pdm location 10.253.253.0 255.255.255.0 inside
pdm location 10.254.254.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 xxx.xxx.xxx.102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 10.253.253.0 255.255.255.0 inside
http 10.254.254.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.253.253.0 255.255.255.0 inside
telnet 10.254.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 60
management-access inside
console timeout 0


As you might understand, as I noted earlier,
the internet connection works from behind the D-Link,
but the PIX doesn't show any sign that I could connect to the internet, though it can ping the outside address of the D-Link router and the default route address.

Does anyone know how to solve this bizarre situation?

Best Regards,
Rick Beemsterboer
Netherlands
Question by:rbeemsterboer
3 Comments
 
LVL 3

Accepted Solution

by:
skpruett earned 1500 total points
ID: 13511388
Hi rbeemsterboer,
First let's fix your ping problem:

conduit permit icmp any any
    - That will allow a ping response from anyone (including the PIX) inside to anyone outside and the appropriate return.

Try pinging from the PIX again and see what you've got. Then ping from a PC inside and see the same. It looks like your DLINK may have also done DHCP or DNS passthrough for you, so if you can't resolve a named address, or your PCs need DHCP, let me know and I'll give you that config. Now on to some explanation...

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    -This will allow anyone out, including the PIX itself. So you are okay for NAT which the DLINK probably provided.

global (outside) 1 interface
global (outside) 1 xxx.xxx.xxx.102
    - You really only need the first of these lines. The second one is kind of making a pool but you don't need it, save that address for using for a future server you want to host something on.

As for the VPN config, let's get you working to the internet first. Once that's done I'll help you with that. :)

-skpruett

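A tighter alternative to the blanket `conduit permit icmp any any` in the accepted answer, written here in PIX 6.3 syntax as an added example (it is not skpruett's or the asker's configuration). PIX 6.x has no stateful ICMP inspection, so replies to outbound pings do have to be permitted explicitly, but only the reply-type messages need to come in, and pings sourced by the PIX's own outside interface are governed by the `icmp` command rather than by the through-the-box rules. The ACL name `outside_in` is an assumed name.

```cisco
: Added example, not the posted configuration. PIX 6.3 syntax.
: Inbound ACL on the outside interface: let only ICMP reply-type messages
: through the box instead of every ICMP type in both directions.
: unreachable is also what path-MTU discovery relies on.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
: Binding the ACL takes the place of the conduit on this interface.
: Inside-to-outside (security100 to security0) traffic is still allowed
: by the default security-level rule, so the existing nat/global stays.
access-group outside_in in interface outside
: Replies to pings sourced from the PIX's own outside interface are
: controlled by the icmp command, not by the ACL above.
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
: Verify from the PIX first, then from an inside PC, and watch the
: per-line hit counters to see which rule (if any) is matching.
: ping outside <placeholder: a public IP address>
: show access-list outside_in
```

The posted config also still carries the default SNMP read community (`snmp-server community public`); change it before the device fronts the site.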
Author Comment

by:rbeemsterboer
ID: 13529320
Hi,

Thanks for your response. I have been trying again with my Chinese colleague, and it really does seem that the ISP is blocking some traffic.

A friend of mine who works with Cisco devices almost every day came to the same conclusion.
He was kind enough to log in and check what I have set up, and tested further.

As I wrote earlier, it was possible to ping the gateway, but this is wrong (I confused it with the broadcast address).
From the PIX I can only ping hosts in the x.x.x.248 subnet and internally.
When I ping from the D-Link to the outside, no single host on the internet responds.
Also from a workstation behind the D-Link, no single response from an internet host.
So ICMP is probably closed, but other services have problems too. I did a 'debug packet ...' and saw an incoming packet arrive on port 80 that was from my private address. That was OK! First response in a long time.
Then I tried other things such as connecting with the VPN (client) or SSH from outside to the PIX. No response!
I got these working on our other PIX, but not here, and no response when debugging.

So we tried to use a workstation and point its gateway at the PIX, but no success.
Our only option is to check whether, if we replace the PIX with a workstation, we can do things from there.

The Chinese colleague said he had contacted the ISP and they told us no ports were closed.
But I am beginning to doubt what he asked!

So not much we can do from here, I think.
I am going to check if the PIX replacement (with a PC) works and otherwise call the China ISP and talk with them.
Perhaps let another company fix this problem; it is eating away my time for other projects and spare/free time.

Regards, Rick.

PS. I will get back to this subject.


Author Comment

by:rbeemsterboer
ID: 13587689
For the moment we still have to wait for a response from the ISP in China, so I will accept your answer, since I don't think I want to continue this subject. Thank you for your response.