rbeemsterboer
asked on
Migrating from D-Link router to PIX 506E and minimizing downtime (with multiple outside IP addresses)

Hi,

Our company has two sites: our main office is in the Netherlands and the other is in China.
A goal that we have is to set up an IPsec VPN tunnel between 2 PIX devices, so we can share network resources.

They gave me a list of 5 IP addresses, ranging from xxx.xxx.xxx.98 to xxx.xxx.xxx.102, and that's it.
Currently there is a working internet connection using a fibre connection and a D-Link router DI-804HV.

The D-Link router has the following static settings:
Connection: Static IP
IP Address: xxx.xxx.xxx.101
Subnet Mask: 255.255.255.248
Gateway: xxx.xxx.xxx.97
Domain Name Server: 61.147.37.1

Our plan is to migrate to the Cisco PIX 506E and then connect that device to our PIX 515E at our main office, as you can see in our drawing here: http://www.hollandmechanics.com/Network-Situation-HM---HMC.gif

The network in China has now been set up with the right subnet to join the networks; it is now ready to connect to the other site without conflicts in IP addresses.
A temporary switch has been placed behind the D-Link and the PIX, which is only used for migrating.
As you can see, the D-Link router has xxx.xxx.xxx.101 as its outside address and the PIX outside interface is on xxx.xxx.xxx.100.
With the 5 IP addresses that we have, I guess it should be possible to access the internet with multiple devices....
But only the D-Link router can access the internet now!!

When I ping from the PIX to the internet there is no response (i.e. the IP address of www.yahoo.com, www.sophos.com).
Only when I ping the following IP addresses does it respond:
xxx.xxx.xxx.97 (gateway as set in the D-Link router)
xxx.xxx.xxx.100 (outside interface of the PIX)
xxx.xxx.xxx.101 (D-Link router)

This is the current PIX configuration:

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname FW-HMECH-CHI-01
domain-name hm.nl
clock timezone CET 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 192.168.0.0 LAN_PURMEREND
pager lines 24
logging on
logging console emergencies
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.100 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL 10.253.253.1-10.253.253.254
pdm location 10.253.253.0 255.255.255.0 inside
pdm location 10.254.254.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 xxx.xxx.xxx.102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 10.253.253.0 255.255.255.0 inside
http 10.254.254.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.253.253.0 255.255.255.0 inside
telnet 10.254.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 60
management-access inside
console timeout 0


As you might understand, as I noted earlier...
the internet connection works from behind the D-Link,
but the PIX doesn't show any sign that I could connect to the internet, though it can ping the outside address of the D-Link router and the default route address.

Does anyone know how to solve this bizarre situation?

Best Regards,
Rick Beemsterboer
Netherlands
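A sanity check for the outside addressing and two hardening points in a PIX 6.3-style config, written as an added example for this thread (it is neither the poster's nor Cisco's code). It assumes the masked xxx.xxx.xxx block is the /29 implied by the .97 gateway and mask 255.255.255.248, and substitutes the documentation range 203.0.113.0/29 for it; the config excerpt is constructed from the one posted above.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted PIX 6.3 config; the masked
# xxx.xxx.xxx prefix is replaced by the documentation block 203.0.113.0/29.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.100 255.255.255.248
global (outside) 1 interface
global (outside) 1 203.0.113.102
route outside 0.0.0.0 0.0.0.0 203.0.113.97 1
snmp-server community public
telnet 192.168.1.0 255.255.255.0 inside
"""

def parse(config):
    """Collect interface addresses, NAT global pool entries and the default gateway."""
    ifaces, pools, gateway = {}, [], None
    for line in config.splitlines():
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"global \(outside\) \d+ (\S+)", line):
            pools.append(m[1])
        elif m := re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            gateway = ipaddress.ip_address(m[1])
    return ifaces, pools, gateway

def check(config, other_hosts=()):
    """Return findings; other_hosts are outside addresses other devices already use (here the D-Link)."""
    ifaces, pools, gateway = parse(config)
    outside = ifaces["outside"]
    net = outside.network                      # 203.0.113.96/29 in the sample
    unusable = {net.network_address, net.broadcast_address}
    taken = {outside.ip} | {ipaddress.ip_address(h) for h in other_hosts}
    findings = []
    if gateway is None or gateway not in net or gateway in unusable:
        findings.append(f"default gateway {gateway} is not a usable host in {net}")
    for addr in pools:
        if addr == "interface":                # PAT on the interface address itself
            continue
        a = ipaddress.ip_address(addr)
        if a not in net or a in unusable:
            findings.append(f"global {a} is not a usable host in {net}")
        elif a in taken:
            findings.append(f"global {a} collides with a host already on the segment")
    for line in config.splitlines():
        if line.startswith("snmp-server community public"):
            findings.append("SNMP community 'public' is the well-known default")
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            findings.append(f"cleartext management enabled: {line}")
    return findings
```

Run `check(SAMPLE_CONFIG, other_hosts=("203.0.113.101",))` to model the posted layout; the addressing comes back clean and only the SNMP and telnet findings remain.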
ASKER CERTIFIED SOLUTION
skpruett
rbeemsterboer

ASKER

Hi,

Thanks for your response. I have been trying again with my Chinese colleague, and it really does seem that the ISP is blocking some traffic.

A friend of mine who works with Cisco devices almost every day came to the same conclusion.
He was kind enough to log in and check what I have set up and tested further.

As I wrote earlier, it was possible to ping the gateway, but this is wrong (I confused it with the broadcast address).
From the PIX I can only ping hosts in the x.x.x.248 subnet and internally.
When I ping from the D-Link to the outside, no single host on the internet would respond.
Also from a workstation behind the D-Link, no single response from an internet host.
So ICMP is probably closed, but other services have problems also. I did a 'debug packet ...' and saw an incoming packet arrive on port 80 that was from my private address. That was OK! First response in a long time.
Then I tried other things such as connecting with the VPN client or SSH from outside to the PIX. No response!
I got these working on our other PIX, but not here, and no response when debugging.

So we tried to use a workstation and aim its gateway at the PIX, but no success.
Our only option is to check whether we can do things from a workstation if we replace the PIX with it.

The Chinese colleague said he had contacted the ISP and they told us no ports were closed,
but I am beginning to doubt what he asked!

So not much we can do from here, I think.
I am going to check if the PIX replacement (with a PC) works and otherwise call the China ISP and talk with them.
Perhaps let another company fix this problem; it is eating away my time for other projects and spare/free time.

Regards, Rick.

PS. I will get back to this subject.

For the moment we still have to wait for a response from the ISP in China, so I will accept your answer, since I don't think I want to continue this subject. Thank you for your response.