Solved

Configuring a Pix 506e with a 1720 router and static ip dsl.

Posted on 2005-05-08
Last Modified: 2013-11-16
Hello, I need someone to walk me through fixing this configuration and possibly making any recommendations that would make this a better setup. I have a 1720 router with 2 1WIC-ENET cards, I have 4 static IPs from my ISP, and a PIX 506e that I would like to get running. The configs for both are below. My IP range is 64.142.69.120-123 255.255.255.0. I can currently ping the gateway from the 1720, but I cannot ping 208.201.224.11 or .33, which are my DNS servers. I can ping my PIX. The setup currently is 64.142.69.120 outside 1720, 64.142.69.121 inside, 64.142.69.122 outside PIX, 192.168.25.1 inside PIX. I also have a 1900 and 2820 switch. All of this is for learning purposes. I am very new to this, so I will need walking through it. Please don't assume I know a common step. I will be on tomorrow sometime in the afternoon to pick this up; I have been working on it all night. I don't think this will be all that difficult, but because of the patience involved this is worth 500 pts to me for the learning experience.

PIX Config
sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name certifiedsecurityconsultants.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.0.0 255.254.0.0
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.2.192 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.0 255.254.0.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.2.192 255.255.255.224
access-list outside_access_in permit icmp interface outside host 192.168.25.50
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 64.142.69.122 255.255.255.0
ip address inside 192.168.25.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.2.200-192.168.2.210
pdm location 192.168.0.0 255.254.0.0 outside
pdm location 64.142.69.0 255.255.255.0 inside
pdm location 64.142.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.25.50 192.168.25.1 dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.25.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.25.3 pix.bin
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
vpngroup csc address-pool vpn
vpngroup csc dns-server 208.201.224.11 208.201.224.33
vpngroup csc default-domain CERTIFIEDSECURITYCONSULTANTS.COM
vpngroup csc idle-time 1800
vpngroup csc password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.25.50-192.168.25.100 inside
dhcpd dns 208.201.224.11 208.201.224.33
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:04dd140b61d198aa5c5889cae7ac4365
: end

pixfirewall#


1720 router config
CSCR1#sh run
Building configuration...

Current configuration : 1090 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec

!
hostname CSCR1
!

!
memory-size iomem 25
no aaa new-model
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 ip address 64.142.69.120 255.255.255.0
 full-duplex
 no cdp enable
!
interface Ethernet1
 no ip address
 shutdown
 half-duplex
 no cdp enable
!
interface FastEthernet0
 ip address 64.142.69.121 255.255.255.0
 speed auto
 full-duplex
 no cdp enable
!
ip default-gateway 64.142.69.1
ip classless
ip route 64.0.0.0 255.0.0.0 64.142.69.0
ip route 64.0.0.0 255.0.0.0 64.142.69.1
ip route 192.168.1.0 255.255.255.0 64.142.69.122
no ip http server
no ip http secure-server
!
!
dialer-list 1 protocol ip permit
snmp-server community  RO
snmp-server community public RO
snmp-server enable traps tty
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

CSCR1#
Question by: acicalla
3 Comments

Accepted Solution
by: lrmoore (earned 2000 total points)
ID: 13954361
The first thing you need is a default route statement on the 1721, not a default-gateway command:
  no ip default-gateway 64.142.69.1
  ip route 0.0.0.0 0.0.0.0 64.142.69.1
 
Remove these. You never want to add static routes for directly connected networks.
no ip route 64.0.0.0 255.0.0.0 64.142.69.0
no ip route 64.0.0.0 255.0.0.0 64.142.69.1

Next problem is that you're trying to assign the same subnet to both the Ethernet 0 and Fastethernet 0 interfaces:
 
interface Ethernet0
 ip address 64.142.69.120 255.255.255.0
interface FastEthernet0                         |---- no can do, my friend...
 ip address 64.142.69.121 255.255.255.0

Personal opinion only here: take the 1700 out completely. You simply don't need it with an Internet feed from the ISP.
Keep the PIX config just like it is, but add this line:
  route outside 0.0.0.0 0.0.0.0 64.142.69.1


Expert Comment
by: lrmoore
ID: 13954373
Forgot something...

>Keep the PIX config just like it is, but add this line:
>  route outside 0.0.0.0 0.0.0.0 64.142.69.1

And, unplug the Internet feed from the 1720, power off the 1720, and plug the Internet feed directly into the PIX Eth0 outside interface.

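The routing problems lrmoore calls out (a default-gateway instead of a 0.0.0.0/0 route, static routes for directly connected networks, and one subnet on two interfaces) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the relevant IOS lines and reports each problem. The config text is constructed from the CSCR1 config in the question; `parse` and `lint_routing` are names chosen here.

```python
from ipaddress import IPv4Network

# Constructed "before" sample: the CSCR1 routing lines quoted in the question.
BEFORE_CONFIG = """interface Ethernet0
 ip address 64.142.69.120 255.255.255.0
interface FastEthernet0
 ip address 64.142.69.121 255.255.255.0
ip default-gateway 64.142.69.1
ip route 64.0.0.0 255.0.0.0 64.142.69.0
ip route 64.0.0.0 255.0.0.0 64.142.69.1
ip route 192.168.1.0 255.255.255.0 64.142.69.122"""
# Constructed "after" sample: one interface in the /24 and a real default route.
AFTER_CONFIG = """interface Ethernet0
 ip address 64.142.69.120 255.255.255.0
ip route 0.0.0.0 0.0.0.0 64.142.69.1
ip route 192.168.1.0 255.255.255.0 64.142.69.122"""
DEFAULT = IPv4Network("0.0.0.0/0")

def parse(config):
    """Collect (interface, connected network), (route, next hop), and default-gateway use."""
    connected, routes, has_gw, iface = [], [], False, None
    for raw in config.splitlines():
        t = raw.split()
        if t[:1] == ["interface"]:
            iface = t[1]
        elif t[:2] == ["ip", "address"] and iface:      # "no ip address" does not match
            connected.append((iface, IPv4Network(f"{t[2]}/{t[3]}", strict=False)))
        elif t[:2] == ["ip", "route"]:
            routes.append((IPv4Network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif t[:2] == ["ip", "default-gateway"]:
            has_gw = True
    return connected, routes, has_gw

def lint_routing(config):
    """Return the routing problems the accepted answer points out, as strings."""
    connected, routes, has_gw = parse(config)
    findings = []
    for i, (name_a, net_a) in enumerate(connected):    # one subnet on two interfaces
        for name_b, net_b in connected[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{name_a} and {name_b} both sit in {net_a}")
    for dst, nexthop in routes:                         # static route for a connected network
        for name, net in connected:
            if dst != DEFAULT and dst.overlaps(net):
                findings.append(f"ip route {dst} via {nexthop} overlaps connected {net} on {name}")
                break
    if not any(dst == DEFAULT for dst, _ in routes):    # a forwarding router needs 0.0.0.0/0
        findings.append("no default route: add ip route 0.0.0.0 0.0.0.0 <gateway>")
    if has_gw:                                          # default-gateway is not a route
        findings.append("ip default-gateway is ignored while ip routing is enabled")
    return findings
```

Run against BEFORE_CONFIG it reports five problems (the shared /24, both 64.0.0.0/8 routes, the missing default route, and the default-gateway line); AFTER_CONFIG reports none.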
Author Comment
by: acicalla
ID: 13955075
Sweet, this is working. I have an additional question on adding back in a Linksys router for wireless access, but I will post that in another question to keep the database clean. Thanks for the help!!!