bsloan_wv
Using a PIX 501 firewall through a Linksys BEFSR41 router.

I have a Verizon DSL connection. I am trying to connect my Cisco PIX firewall through the router back to a Cisco 3000 series concentrator. I also have a Cisco IP Phone attached to the firewall. I know the firewall is establishing a tunnel because the IP phone is up and can talk to the Call Manager server.

When I connect a laptop to the firewall and try to log in, it hangs after I enter my credentials and just sits there where it says it is loading my personal settings. After a while it will go to the desktop, but the login scripts do not run and I am not able to access anything on the remote network or the internet. I have an exemption in the firewall for the MAC address of the phone.

If I hook up the firewall directly into the DSL modem and turn PPPoE authentication on in the firewall, both the laptop and phone work with no problems. This leads me to believe that the problem is in the Linksys router; however, I can't find any obvious settings in the router that would cause this.

Does anyone know of a setting in the router or the PIX that I can change to fix the problem and allow the laptop to connect?
magicomminc

I am assuming your PIX has an IPSec site-to-site tunnel to your remote network, and all IPSec traffic coming out of your PIX has to be PATed by that Linksys router; that is a very challenging task for the Linksys router and your remote VPN equipment, since both have to understand IPSec NAT traversal.

Is there a reason why you have to use that Linksys router? I suggest that you connect the PIX directly to your DSL modem and get a hub or switch connected to your PIX if you need multiple connections, or simply connect your Linksys router behind the PIX.
Les Moore
Agree with the above. The Linksys is providing absolutely no value in the mix in front of the PIX and you should consider taking it out.
bsloan_wv (ASKER)
The Linksys router is there for this reason: there are three other computers that are not company computers. Our IT policy states that you are not to hook your home computers into the PIX firewall because they can access the network. So, the above configuration is not possible.
OK. Got it.
Do you have access to the PIX config?
We can almost rule it out, though, since you can connect just fine without the Linksys in between.
Do you have the IP address that is assigned to the PIX as the DMZ host in the Linksys config?
Yes. We had it set that way at one point. I still don't think it worked though. I'll go back and check it.
Something else to check.
Default local LAN on Linksys = 192.168.1.x
Default local LAN on PIX = 192.168.1.x

I'm assuming that at least one of them was changed from the default?
Yes. We use 192.168.100.x on the PIX. The Linksys is still using the default. I've seen some other documentation stating that you need to open up ports in the Linksys, but they all refer to Microsoft PPTP.
Since we have the MAC address for the phone exempted from authentication in the PIX, I thought that some traffic passing through the PIX via the Linksys was being blocked that was necessary for the laptop to successfully connect in. We were going to test this by exempting the MAC address of the MAC in the PIX and seeing if it could connect.
OK, what is the LAN subnet behind the HQ PIX? I'm just trying to rule out one thing at a time.
Are you using the VPN client on the PC, or is there a constant VPN connection between this PIX and the HQ PIX?
The connection is from a constant connection from the PIX 501 to a Cisco 3000 VPN concentrator. IP addressing inside HQ is 172.16.101.x
So your site-to-site VPN connection is between your <HQ 3005 external IP> and 192.168.1.x, right?
I am assuming that at your PIX, "sh cry isa sa" should display something like:
        dst                         src                state
<HQ 3005 external IP>       192.168.1.x        QM_IDLE
You should also have a similar ACL at the PIX:
access-list nonat permit ip 192.168.100.0 255.255.255.0 172.16.101.0 255.255.255.0
Can you confirm?
Are you able to "ping" anything on the other side of the tunnel? (From HQ, ping your laptop; from the laptop, ping any servers in your HQ?)
You mentioned "When I connect a laptop to the firewall and try to log in it hangs after I enter my credentials"; where is the server that you try to log in to? Is that server pingable from your laptop?
One more thing: do you have 192.168.1.x anywhere else in your network?
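The two things being asked about here (whether inside-to-HQ traffic is exempted from NAT so it enters the tunnel with its real 192.168.100.x source, and whether the Linksys default 192.168.1.x collides with another segment) can both be checked from a saved config before touching a device. The following Python is an added example, not code from the thread, Cisco, or Experts Exchange; the only line taken from the thread is the "access-list nonat" entry, the surrounding PIX config excerpt and the segment names are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed PIX config excerpt (assumed layout). The access-list line is the
# one quoted in the thread; "nat (inside) 0 access-list NAME" is the PIX way of
# saying "traffic matching NAME is NOT translated", which is what tunnel
# traffic needs so the HQ side sees the real 192.168.100.x addresses.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.100.1 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 172.16.101.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

# Same excerpt with the ACL line missing, as the asker reported for their unit.
SAMPLE_CONFIG_NO_ACL = "\n".join(
    line for line in SAMPLE_CONFIG.splitlines() if not line.startswith("access-list")
) + "\n"

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+" + IP + r"\s+" + IP + r"\s+" + IP + r"\s+" + IP + r"\s*$"
)
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$", re.M)


def _net(value):
    """Accept either an IPv4Network or a string like '192.168.100.0/24' or
    '192.168.100.0/255.255.255.0' (dotted masks are what PIX configs use)."""
    if isinstance(value, ipaddress.IPv4Network):
        return value
    return ipaddress.ip_network(value, strict=False)


def parse_permit_ip_acls(config):
    """Return [(acl_name, src_network, dst_network)] for every line of the form
    'access-list NAME permit ip SRC SRCMASK DST DSTMASK' in a PIX config."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            entries.append((name, _net(f"{s_ip}/{s_mask}"), _net(f"{d_ip}/{d_mask}")))
    return entries


def tunnel_traffic_nat_exempt(config, inside_net, remote_net):
    """True if inside->remote traffic is matched by an ACL that is bound with
    'nat (IFACE) 0 access-list NAME', i.e. it reaches the tunnel un-NATed.
    A permit entry that exists but is not bound by nat 0 does not count."""
    inside_net, remote_net = _net(inside_net), _net(remote_net)
    bound = {name for _iface, name in NAT0_RE.findall(config)}
    return any(
        name in bound and inside_net.subnet_of(src) and remote_net.subnet_of(dst)
        for name, src, dst in parse_permit_ip_acls(config)
    )


def overlapping_segments(segments):
    """Given {name: network}, return the name pairs whose subnets overlap.
    Any hit means a host or router cannot tell the two LANs apart, which is
    exactly the Linksys-default-vs-PIX-default trap discussed in the thread."""
    names = sorted(segments)
    nets = {n: _net(segments[n]) for n in names}
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


if __name__ == "__main__":
    print("NAT exemption present:",
          tunnel_traffic_nat_exempt(SAMPLE_CONFIG, "192.168.100.0/24", "172.16.101.0/24"))
    print("NAT exemption present (asker's config):",
          tunnel_traffic_nat_exempt(SAMPLE_CONFIG_NO_ACL, "192.168.100.0/24", "172.16.101.0/24"))
    print("Overlaps:", overlapping_segments({
        "linksys_lan": "192.168.1.0/24",
        "pix_inside": "192.168.100.0/24",
        "hq_lan": "172.16.101.0/24",
    }))
```

The parser only understands the single ACL form shown in the thread; object-group or host-keyword entries would need more patterns. Feeding it the output of "show run" from the 501 and the subnet list from each home router is enough to answer both of the questions above without guessing.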
The laptop has no connectivity and cannot ping or be pinged. The access-list statement is not in there or in any of our other firewalls, and they all work fine. There are multiple firewalls on the range. It has a 255.255.255.248 subnet.
Can you post your firewall configuration? You need some sort of ACL for that tunnel traffic.
Is this laptop the only one having connectivity problems? Can any other PCs ping to the other side of the tunnel?
One more thing: do you have 192.168.1.x anywhere else in your network?
Possibly on one of the DHCP scopes in the other cable or DSL routers. People use either Netgear or Linksys routers for their connections. I only have one laptop to connect. The IP phone is the only other thing connected to the PIX. It works fine. I'll ask about the ACLs.
ASKER CERTIFIED SOLUTION
Les Moore