• Status: Solved
  • Priority: Medium
  • Security: Public

Using a PIX 501 firewall through a Linksys BEFSR41 router.

I have a Verizon DSL connection. I am trying to connect my Cisco PIX firewall through the router back to a Cisco 3000 series concentrator. I also have a Cisco IP Phone attached to the firewall. I know the firewall is establishing a tunnel because the IP phone is up and can talk to the Call Manager server.

When I connect a laptop to the firewall and try to log in, it hangs after I enter my credentials and just sits there where it says it is loading my personal settings. After a while it will go to the desktop, but the login scripts do not run and I am not able to access anything on the remote network or the internet. I have an exemption in the firewall for the MAC address of the phone.

If I hook up the firewall directly to the DSL modem and turn PPPoE authentication on in the firewall, both the laptop and phone work with no problems. This leads me to believe that the problem is in the Linksys router; however, I can't find any obvious settings in the router that would cause this.

Does anyone know of a setting in the router or the PIX that I can change to fix the problem and allow the laptop to connect?
Asked: bsloan_wv
1 Solution
 
magicommincCommented:
I am assuming your PIX has an IPSec site-to-site tunnel to your remote network, and all IPSec traffic coming out of your PIX has to be PATed by that Linksys router. That is a very challenging task for the Linksys router and your remote VPN equipment, since both have to understand IPSec NAT traversal.

Is there a reason why you have to use that Linksys router? I suggest that you connect the PIX directly to your DSL modem and get a hub or switch connected to your PIX if you need multiple connections, or simply connect your Linksys router behind the PIX.
 
lrmooreCommented:
Agree with the above. The Linksys is providing absolutely no value in the mix in front of the PIX and you should consider taking it out.
 
bsloan_wvAuthor Commented:
The Linksys router is there for this reason: there are three other computers that are not company computers. Our IT policy states that you are not to hook your home computers into the PIX firewall because they can access the network. So, the above configuration is not possible.
 
lrmooreCommented:
OK. Got it.
Do you have access to the PIX config?
We can almost rule it out, though, since you can connect just fine without the Linksys in between.
Do you have the IP address that is assigned to the PIX as the DMZ host in the Linksys config?
 
bsloan_wvAuthor Commented:
Yes. We had it set that way at one point. I still don't think it worked though. I'll go back and check it.
 
lrmooreCommented:
Something else to check.
Default local LAN on Linksys = 192.168.1.x
Default local LAN on PIX = 192.168.1.x

I'm assuming that at least one of them was changed from the default?
 
bsloan_wvAuthor Commented:
Yes. We use 192.168.100.x on the PIX. The Linksys is still using the default. I've seen some other documentation stating that you need to open up ports in the Linksys, but they all refer to Microsoft PPTP.
 
bsloan_wvAuthor Commented:
Since we have the MAC address for the phone exempted from authentication in the PIX, I thought that some traffic passing through the PIX via the Linksys was being blocked that was necessary for the laptop to successfully connect in. We were going to test this by exempting the MAC address of the MAC in the PIX and seeing if it could connect.
 
lrmooreCommented:
OK, what is the LAN subnet behind the HQ PIX? I'm just trying to rule out one thing at a time.
Are you using the VPN client on the PC, or is there a constant VPN connection between this PIX and the HQ PIX?
 
bsloan_wvAuthor Commented:
The connection is a constant connection from the PIX 501 to a Cisco 3000 VPN concentrator. IP addressing inside HQ is 172.16.101.x.
 
magicommincCommented:
So your site-to-site VPN connection is between your <HQ 3005 external IP> and 192.168.1.x, right?
I am assuming that at your PIX, "sh cry isa sa" should display something like:
        dst                                 src                  state
<HQ 3005 external IP>       192.168.1.x        QM_IDLE
You should also have a similar ACL on the PIX:
access-list nonat permit ip 192.168.100.0 255.255.255.0 172.16.101.0 255.255.255.0
Can you confirm?
Are you able to "ping" anything on the other side of the tunnel? (From HQ, ping your laptop; from the laptop, ping any servers in your HQ?)
You mentioned "When I connect a laptop to the firewall and try to log in it hangs after I enter my credentials". Where is the server that you try to log in to? Is that server pingable from your laptop?
One more thing: do you have 192.168.1.x anywhere else in your network?
 
bsloan_wvAuthor Commented:
The laptop has no connectivity and cannot ping or be pinged. The access-list statement is not in there or in any of our other firewalls, and they all work fine. There are multiple firewalls on the range. It has a 255.255.255.248 subnet.
 
magicommincCommented:
Can you post your firewall configuration? You need some sort of ACL for that tunnel traffic.
Is this laptop the only one having connectivity problems? Can any other PCs ping the other side of the tunnel?
One more thing: do you have 192.168.1.x anywhere else in your network?
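An added check, written for this thread and not posted by any participant, that models the two questions above: whether the PIX's nonat ACL actually covers the two site subnets (192.168.100.0/24 behind the PIX 501, 172.16.101.0/24 at HQ), and whether the Linksys default LAN or any home-router DHCP scope overlaps a subnet the tunnel carries. The ACL line and subnets are the ones quoted in the thread; the Linksys mask and the home Netgear scope are assumptions.

```python
import ipaddress
import re

# Values quoted in the thread (constructed sample, not a captured config).
PIX_ACL = "access-list nonat permit ip 192.168.100.0 255.255.255.0 172.16.101.0 255.255.255.0"
PIX_LAN = "192.168.100.0/24"   # inside network behind the PIX 501
HQ_LAN = "172.16.101.0/24"     # inside network behind the Cisco 3000 concentrator

# Other LANs in the path: the Linksys still on its default 192.168.1.x
# (mask assumed /24) and an assumed home-router DHCP scope.
OTHER_LANS = {
    "Linksys BEFSR41 (default LAN)": "192.168.1.0/24",
    "home Netgear scope (assumed)": "192.168.0.0/24",
}

ACL_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_acl(line):
    """Parse a PIX 'access-list NAME permit ip SRC MASK DST MASK' line into networks."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError("not a 'permit ip' access-list line: %r" % line)
    name, src, smask, dst, dmask = m.groups()
    # ipaddress accepts dotted netmasks in the 'addr/mask' form.
    return name, ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")


def acl_covers_tunnel(line, local, remote):
    """True if the ACL matches all local->remote traffic, i.e. both sides are inside it."""
    _, src, dst = parse_acl(line)
    return (ipaddress.ip_network(local).subnet_of(src)
            and ipaddress.ip_network(remote).subnet_of(dst))


def overlapping_lans(tunnel_lans, others):
    """List (label, cidr, tunnel_subnet) for every other LAN that overlaps a tunnel subnet."""
    hits = []
    for label, cidr in others.items():
        net = ipaddress.ip_network(cidr)
        for t in tunnel_lans:
            if net.overlaps(ipaddress.ip_network(t)):
                hits.append((label, cidr, t))
    return hits


if __name__ == "__main__":
    print("nonat ACL covers tunnel:", acl_covers_tunnel(PIX_ACL, PIX_LAN, HQ_LAN))
    print("overlapping LANs:", overlapping_lans([PIX_LAN, HQ_LAN], OTHER_LANS))
```

An overlap hit means hosts on that LAN would route to the local segment instead of across the tunnel, which is why the poster asks whether 192.168.1.x exists anywhere else.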
 
bsloan_wvAuthor Commented:
Possibly on one of the DHCP scopes in the other cable or DSL routers. People use either Netgear or Linksys routers for their connections. I only have one laptop to connect. The IP phone is the only other thing connected to the PIX. It works fine. I'll ask about the ACLs.
 
lrmooreCommented:
Are you still working on this?
Have you found a solution?
Do you need more information?

This question will be classified as abandoned soon if we don't get some feedback from you.

Can you close out this question? See here for details:
http://www.experts-exchange.com/help.jsp#hs5

Thanks for your attention!