Subnetting and routing problems with 1721 routers and PIX506

We are implementing a PIX 506 into the network and also would like to subnet out the network to make things more efficient.  Currently the setup is:  ISP router ---- Cisco 1721 -- Catalyst 2950.  

The new implementation will be:  ISP router -- PIX506 --- Cisco 1721 --- Catalyst 2950.  

I have set up a test environment to build the network layout and to test it.  The test setup that I have is:

Cisco 1721 router (acting as ISP router)  --- PIX506 -- Cisco 1721 -- Catalyst 2950.
The wiring is as follows based on the test setup:
1. Serial 0/0 port is blank to signify ISP connection
2. Fasteth0/0 has a crossover cable to the Eth0 port on the PIX506
3. Patch cable from the Eth1 port on PIX506 to the Serial0/0 port (T1 CSU/DSU WIC card) on the second Cisco 1721 router.
4. Patch cable from FastEth0/0 port of 2nd Cisco 1721 to switchport on Catalyst 2950.

Subnets are as follows:

1. 172.16.0.0    255.255.252.0
2. 172.16.4.0    255.255.252.0
3. 172.16.8.0    255.255.252.0
4. 172.16.12.0  255.255.255.192
5. 172.16.12.64 255.255.255.192
6. 172.16.12.192 255.255.255.192
7. 172.16.12.128 255.255.255.224
8. 172.16.13.0 255.255.255.252

This is the config from the 2nd (internal) Cisco 1721 router:

hostname router2
!
!
memory-size iomem 20
ip subnet-zero
!
!
ip dhcp excluded-address 172.16.0.1 172.16.0.20
!
ip dhcp pool ticketoffice
   network 172.16.12.0 255.255.255.192
   default-router 172.16.12.1
   dns-server 66.196.216.10
!
ip dhcp pool pointofsale
   network 172.16.12.64 255.255.255.192
   default-router 172.16.12.65
   dns-server 66.196.216.10
!
ip dhcp pool stadium
   network 172.16.4.0 255.255.252.0
   default-router 172.16.4.1
   dns-server 66.196.216.10
!
ip dhcp pool tenniscourts
   network 172.16.8.0 255.255.252.0
   default-router 172.16.8.1
   dns-server 66.196.216.10
!
ip dhcp pool suites
   network 172.16.12.128 255.255.255.224
   default-router 172.16.12.129
   dns-server 66.196.216.10
!
ip dhcp pool mainpool
   network 172.16.0.0 255.255.252.0
   default-router 172.16.0.1
   dns-server 66.196.216.10
!
ip dhcp pool hospitality
   network 172.16.12.192 255.255.255.224
   default-router 172.16.12.193
   dns-server 66.196.216.10
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 speed auto
 full-duplex
!
interface FastEthernet0/0.1
 description VLAN1
 encapsulation dot1Q 1 native
 ip address 172.16.0.2 255.255.252.0
!
interface FastEthernet0/0.2
 description Ticket office VLAN
 encapsulation dot1Q 2
 ip address 172.16.12.1 255.255.255.192
!
interface FastEthernet0/0.3
 description Suites VLAN
 encapsulation dot1Q 3
 ip address 172.16.12.129 255.255.255.224
!
interface FastEthernet0/0.4
 description Point of Sale VLAN
 encapsulation dot1Q 4
 ip address 172.16.12.65 255.255.255.192
!
interface FastEthernet0/0.5
 description Stadium VLAN
 encapsulation dot1Q 5
 ip address 172.16.4.1 255.255.252.0
!
interface FastEthernet0/0.6
 description Tennis Courts VLAN
 encapsulation dot1Q 6
 ip address 172.16.8.1 255.255.252.0
!
interface FastEthernet0/0.7
 description Hospitality VLAN
 encapsulation dot1Q 7
 ip address 172.16.12.193 255.255.255.192
!
interface Serial0/0
 ip address 172.16.13.2 255.255.255.252
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.13.1
no ip http server


Configuration file of the PIX 506:

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname pix
domain-name side
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.234.114 255.255.255.248
ip address inside 172.16.13.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 xx.xxx.234.113 1
route inside 172.16.0.0 255.255.240.0 172.16.13.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:74c68b1a9aa985f6867b8c31bae1ad6f
: end


If I plug a workstation into the switch it will only assign an IP address from the admin VLAN (VLAN 1) and I can't ping the gateway of 172.16.0.1.  If I plug the workstation into any port that is assigned a VLAN (VLAN 2, VLAN 3, etc.) it will give me an IP address.

I'm not sure at this point whether my configs are not right (high possibility) or if the serial card on the 2nd router won't work with the PIX and that's stopping everything, or because I don't have any access-lists in the configs yet.  

I appreciate anyone's help.


jplagens Asked:

pjtemplin Commented:
What/where is 172.16.0.1?  I don't see that address anywhere in the configs (but I'm seeing "blue" at the moment).

I'd also recommend not using VLAN 1 for ANYTHING.  That VLAN should be reserved for management traffic whenever and wherever possible.
jplagens (Author) Commented:
I was going to use 172.16.0.1 for the PIX but that didn't work.  I changed the default-router on the mainpool dhcp pool to below:

ip dhcp pool mainpool
   network 172.16.0.0 255.255.252.0
   default-router 172.16.0.2
   dns-server 66.196.216.10


I can now ping all of the gateways.  However, if I plug the workstation into any port on the switch that is assigned a VLAN it won't issue the workstation an IP address for that subnet.  

This test environment is not hooked up to the Internet, but shouldn't I be able to ping the inside interface of the PIX at 172.16.13.1?
pjtemplin Commented:
Won't work - your 1721 and your PIX aren't connected.  You have 172.16.13.2/30 on a serial interface on the 1721, and 172.16.13.1/30 on your PIX which only has Ethernet-flavor interfaces.  You'll need to build another VLAN or develop some other interconnect to the PIX.

Once fixed, first try to ping the PIX (if it'll respond to pings...it's a firewall) from the router, then worry about pinging it from the workstations.
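The two replies above apply a handful of sanity checks by eye: whether the gateway a DHCP pool hands out actually exists on the router ("What/where is 172.16.0.1?"), and whether the two ends of the 172.16.13.0/30 link can physically meet (serial WIC on the 1721, Ethernet on the PIX). The script below, added here as an editor's example and not code from the thread, runs those checks, plus subnet-overlap, pool-versus-interface mask, and static-route next-hop checks, over data transcribed from the posted configs. It assumes nothing beyond the addresses on the page: the PIX outside default route is left out because its addresses are redacted, and the `shutdown` on Serial0/0 is not modelled.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed input, transcribed from the configs posted in the question.
SUBNET_PLAN = [  # (network, mask), as listed in the post
    ("172.16.0.0", "255.255.252.0"),
    ("172.16.4.0", "255.255.252.0"),
    ("172.16.8.0", "255.255.252.0"),
    ("172.16.12.0", "255.255.255.192"),
    ("172.16.12.64", "255.255.255.192"),
    ("172.16.12.192", "255.255.255.192"),
    ("172.16.12.128", "255.255.255.224"),
    ("172.16.13.0", "255.255.255.252"),
]
# router2 interfaces: name -> (address, mask).  Serial0/0 is "shutdown" in
# the posted config; interface state is not modelled here.
ROUTER2_INTERFACES = {
    "FastEthernet0/0.1": ("172.16.0.2", "255.255.252.0"),
    "FastEthernet0/0.2": ("172.16.12.1", "255.255.255.192"),
    "FastEthernet0/0.3": ("172.16.12.129", "255.255.255.224"),
    "FastEthernet0/0.4": ("172.16.12.65", "255.255.255.192"),
    "FastEthernet0/0.5": ("172.16.4.1", "255.255.252.0"),
    "FastEthernet0/0.6": ("172.16.8.1", "255.255.252.0"),
    "FastEthernet0/0.7": ("172.16.12.193", "255.255.255.192"),
    "Serial0/0": ("172.16.13.2", "255.255.255.252"),
}
# DHCP pools: name -> (network, mask, default-router).
DHCP_POOLS = {
    "ticketoffice": ("172.16.12.0", "255.255.255.192", "172.16.12.1"),
    "pointofsale": ("172.16.12.64", "255.255.255.192", "172.16.12.65"),
    "stadium": ("172.16.4.0", "255.255.252.0", "172.16.4.1"),
    "tenniscourts": ("172.16.8.0", "255.255.252.0", "172.16.8.1"),
    "suites": ("172.16.12.128", "255.255.255.224", "172.16.12.129"),
    "mainpool": ("172.16.0.0", "255.255.252.0", "172.16.0.1"),
    "hospitality": ("172.16.12.192", "255.255.255.224", "172.16.12.193"),
}
# Static routes: (destination, next hop).  PIX outside route omitted (redacted).
ROUTER2_ROUTES = [("0.0.0.0 0.0.0.0", "172.16.13.1")]
PIX_INTERFACES = {"inside": ("172.16.13.1", "255.255.255.252")}
PIX_ROUTES = [("172.16.0.0 255.255.240.0", "172.16.13.1")]
# Media type at each end of the 172.16.13.0/30 link, from the two configs.
LINK_ENDS = {"172.16.13.2": "serial", "172.16.13.1": "ethernet"}

def net(addr, mask):
    """Network containing addr/mask; host bits are masked off."""
    return IPv4Network(f"{addr}/{mask}", strict=False)

def overlapping_subnets(plan):
    """Pairs of plan entries whose address ranges overlap."""
    nets = [net(a, m) for a, m in plan]
    return [(str(x), str(y)) for i, x in enumerate(nets)
            for y in nets[i + 1:] if x.overlaps(y)]

def pools_without_local_gateway(pools, interfaces):
    """Pools whose default-router is not held by this router inside the pool."""
    held = {IPv4Address(a) for a, _ in interfaces.values()}
    return [name for name, (n, m, gw) in pools.items()
            if IPv4Address(gw) not in held or IPv4Address(gw) not in net(n, m)]

def mask_mismatches(pools, interfaces):
    """Pools whose mask differs from the interface that holds their gateway."""
    out = []
    for name, (n, m, gw) in pools.items():
        for ifname, (a, mk) in interfaces.items():
            if a == gw and net(a, mk) != net(n, m):
                out.append((name, ifname, str(net(n, m)), str(net(a, mk))))
    return out

def route_problems(routes, interfaces):
    """Next hops that are the device itself or lie in no connected subnet."""
    own = {IPv4Address(a) for a, _ in interfaces.values()}
    connected = [net(a, m) for a, m in interfaces.values()]
    out = []
    for dest, nh in routes:
        nh_ip = IPv4Address(nh)
        if nh_ip in own:
            out.append((dest, nh, "next hop is the device's own address"))
        elif not any(nh_ip in c for c in connected):
            out.append((dest, nh, "next hop is in no connected subnet"))
    return out

def media_mismatches(link_ends):
    """Point-to-point /30s whose two ends are different media types."""
    by_net = {}
    for addr, media in link_ends.items():
        by_net.setdefault(net(addr, "255.255.255.252"), set()).add(media)
    return [str(n) for n, kinds in by_net.items() if len(kinds) > 1]

if __name__ == "__main__":
    for label, result in [
        ("overlaps", overlapping_subnets(SUBNET_PLAN)),
        ("pools without local gateway",
         pools_without_local_gateway(DHCP_POOLS, ROUTER2_INTERFACES)),
        ("mask mismatches", mask_mismatches(DHCP_POOLS, ROUTER2_INTERFACES)),
        ("router2 routes", route_problems(ROUTER2_ROUTES, ROUTER2_INTERFACES)),
        ("PIX routes", route_problems(PIX_ROUTES, PIX_INTERFACES)),
        ("media mismatches", media_mismatches(LINK_ENDS)),
    ]:
        print(f"{label}: {result}")
```

On the posted data the plan has no overlapping subnets; `mainpool` is the only pool whose gateway (172.16.0.1) router2 does not hold, which is the point pjtemplin raised; the `hospitality` pool is a /27 while FastEthernet0/0.7 is configured as a /26; router2's default route resolves cleanly through the Serial0/0 subnet; the PIX `route inside` entry names the PIX's own inside address as next hop; and the /30 link has a serial end and an Ethernet end, which is the connectivity problem identified above.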

jplagens (Author) Commented:
So it's because it has a serial interface card?  The main production router has a 10/100 card instead of a serial card.  Does it look like this config will work if the right card was in the 2nd Cisco 1721 router?  This is only a test environment; I'm just trying to verify that this config will work to minimize the downtime in the production environment.

How do the static routes look?  
pjtemplin Commented:
Look good to me.

I'm AR, so I'd change "ip route 0.0.0.0 0.0.0.0 172.16.13.1" to be "ip route 0.0.0.0 0.0.0.0 <interface> 172.16.13.1".  That way, if/when that interface goes down, the route goes away.  If you had some other route that covered 172.16.13.1, your default route would recursively resolve there.  That's not critical, just how I'd do it.

jplagens (Author) Commented:
OK.  I really appreciate the help.  It always helps to have another set of eyes look over things.  I'll be implementing this late tonight.  I'll let you know how it goes.

Once again, thanks for the help!!