Solved

Setup VPN using Cisco 837 router and Pix 501 Firewall

Posted on 2006-06-11
Last Modified: 2008-01-09
Hi
We have a small Windows 2000 server network.  Internet access is via ADSL.  ADSL Line is connected to Cisco 501 that in turn is connected to Pix Firewall for internet access.  I need to setup remote access for 3 remote users to enable them to download files and get their email. Static IP addresses for router and mail server available. Not very familiar with Cisco.  Any solutions welcome.  Need assistance relatively quickly.
Thanks in advance
Question by:freshfordian
29 Comments
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16886819
Is the mail server located on the router or PIX side? The three remote users you are referring to, are they behind the router or the PIX side? You can either setup a site to site VPN connection between the Cisco 837 and PIX 501 to provide access to the resources; the VPN tunnel will remain up as long as traffic is passing across the tunnel. Or just configure the device where the mail server is to accept remote Cisco VPN client connections so they can just connect to it whenever they need to access their mails or whatever else they need to do and disconnect from the VPN when they are done.
LVL 1

Author Comment

by:freshfordian
ID: 16887211
Hi stressedout2004,
Thank you for your reply.  The current configuration (primarily for internet access) is as follows:
Connectivity:

DSL Line -> Cisco 837 Ethernet ADSL Port (WAN has been assigned ISP's Static IP Address)
Cisco 837 Ethernet Port 1 -> PIX 501 Port 0 (Pix gets its 'external' ip address from cisco via DHCP)
Pix 501 -> Mail Server and File Server via Ethernet Ports 1 and 2 respectively on PIX.)

Remote users therefore would need to pass through the 837 and 501 to collect mail and files. (This is probably not ideal but was necessary due to the offices being very busy at the time and a quick temporary fix was needed).
Any advice you can give me would be most welcome.  

Many Thanks in advance


LVL 9

Expert Comment

by:stressedout2004
ID: 16888093
So basically, it's the 837 that's getting a public IP address from the ISP and the PIX 501 gets a private IP from the 837 via DHCP for the external IP address. Correct?

If that is the case, we have two options depending on how your devices are configured:

1) If the 837 comes with the 3des feature set, then we can just configure the VPN on the 837 instead of the PIX 501 and just configure NAT and access-rules to allow the traffic.

2) Configure the 837 to do port forwarding on UDP 4500 and 500 and protocol 50 and then configure the PIX 501 for VPN

If you can post the sanitized configuration of both the 837 and the pix as well as the output of "show version" from both devices then I will be more than glad to give you the configuration that you need.

LVL 1

Author Comment

by:freshfordian
ID: 16892274
Hi

Thank you so much for your offer of help in this. I really appreciate it!!   How do I export the configs you will need ? Can't be sure if the 837 comes with 3DES but it is only a couple of weeks old.

Thanks again  
LVL 9

Expert Comment

by:stressedout2004
ID: 16894046
1) You can telnet into the 837 and the PIX 501 using your DOS command prompt or some third party software like SecureCRT:

e.g. C:\>telnet 192.168.1.1

where 192.168.1.1 is the internal IP of the 837 or PIX 501

2) Then, once logged in, go to privilege mode by typing "enable"; you will be asked for a password. Either enter your password or just press enter if there's none configured. Once successfully logged on to privilege mode, the prompt will change from > to #

e.g

 router> enable
  router#
 
pixfirewall> enable
pixfirewall#

3) Once in the privilege mode, just do "show run" and "show version" on each device. As you do each command, just copy and paste them into a notepad or something.

If telnet is not enabled on each device, you have to console into it using hyperterminal.

http://www.cisco.com/en/US/products/hw/routers/ps380/products_installation_guide_chapter09186a008010e5ae.html#wp1065483

Once consoled in, the procedure is the same as #2 and #3 above.
LVL 1

Author Comment

by:freshfordian
ID: 16900632
Hi again

Sorry about delay on returning to you.  I'm following your advice now
Be in touch shortly

Best regards
LVL 1

Author Comment

by:freshfordian
ID: 16901199
Hi again,

Please find the info you requested below.  Cisco 837 was restored to factory default:

PIX 501

SHOW VER (PIX)

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

pixfirewall up 7 mins 7 secs

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0016.46c6.ca36, irq 9
1: ethernet1: address is 0016.46c6.ca37, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10


SHOW RUN (PIX)

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name sfleng.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 213.94.190.194 213.94.190.236
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain sfleng.com
dhcpd auto_config outside
dhcpd enable inside
username admin password ThdoiQDQnZbu2AMK encrypted privilege 1
terminal width 80
Cryptochecksum:3dcfbf42ee74709a161825f6814caae8
: end

CISCO 835

SHOW VER

Cisco IOS Software, C837 Software (C837-K9O3Y6-M), Version 12.3(8)T11, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 10-Aug-05 17:33 by dchih

ROM: System Bootstrap, Version 12.2(11r)YV3, RELEASE SOFTWARE (fc2)

yourname uptime is 4 minutes
System returned to ROM by reload
System image file is "flash:c837-k9o3y6-mz.123-8.T11.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco C837 (MPC857DSL) processor (revision 0x600) with 58983K/6553K bytes of memory.
Processor board ID FCZ0950133H (116674152), with hardware revision 041F
CPU rev number 7
1 Ethernet interface
4 FastEthernet interfaces
1 ATM interface
128K bytes of NVRAM.
16384K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

SHOW RUN

Current configuration : 2155 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip domain name yourdomain.com
ip ips po max-events 100
no ftp-server write-enable
!
!
username cisco privilege 15 secret 5 $1$5.sy$E96wRW9/96Ik.sbFwgm8K0
!
!
!
!
!
interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$
 ip address 10.10.10.1 255.255.255.248
 hold-queue 100 out
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Thanks again for your help
LVL 9

Expert Comment

by:stressedout2004
ID: 16902411
Ok, the 837 does not support the VPN feature we are looking for so we have to revert to option 2. That is configuring the PIX as the VPN server and doing PAT or NAT on the 837. I will give you the configuration you need on the PIX when I get back, I just need to run some errands. Meanwhile, can you tell me how many public IP addresses you have?
LVL 1

Author Comment

by:freshfordian
ID: 16903246
Hi again
There are two WAN addresses.  Please let me know if you need them


LVL 9

Expert Comment

by:stressedout2004
ID: 16903523
No that's all right, I will just use a rogue IP and then just substitute the real IP when you implement the change. Now with the configuration that I will give you, we need to switch the PIX from DHCP to static. In relation to this, I need to know what the default gateway is of the other PCs in the network aside from the mail and file server, which I assumed both have the PIX as their gateway, and how they are assigned an IP address. The reason I need clarification is because depending on how your network is laid out, running a dhcp server on the IOS is not ideal if you only have the PIX as a client. I need to know whether there are other dhcp clients in the network other than the PIX itself.
LVL 1

Author Comment

by:freshfordian
ID: 16903780
Yes!

The File server acts as the DHCP server for the LAN.  The Mail Server has 2 NICS - one for the LAN - the other for the WAN (it is connected to the PIX).  This NIC gets its address from the PIX via the PIX's own dhcp server.  It is the only device connected to the PIX (besides the 837 of course).  Routing and Remote access is enabled on the mail server so in essence, the mail server acts as the gateway for the LAN.  Is this ok?
LVL 1

Author Comment

by:freshfordian
ID: 16903952
There is a second NIC in the File Server also.  I could connect this NIC to the PIX as well and enable RRAS on the file server.  This would mean that both the file server and mail server would be connected to the PIX.  Would this help do you think?
LVL 9

Expert Comment

by:stressedout2004
ID: 16904723
>>>Routing and Remote access is enabled on the mail server so in essence, the mail server acts as the gateway for the LAN.  Is this ok?

It is ok, but I don't see why you need to have two NICs on either the mail or the file server. In my opinion, it just complicates things a bit and it's not even necessary to do so. Unless you can tell me if there is any specific reason why it was setup this way.

You can just have this setup:

-------internal network ------PIX -----crossover cable---837---internet

The internal LAN including the mail and file server will all have their gateway as the PIX, which provides you the security that you need while the 837 does the NAT.

Can you tell me what the IPs are that are assigned on the two NICs of the mail server, and if the 837 is reset to factory default, how are you getting internet right now? Or is it back to normal config at this time?

LVL 1

Author Comment

by:freshfordian
ID: 16905093
Hi

Thank you for your advice.  I'll stick to your model - with the pix as the gateway.  There is no need for the 2nd NICs.  This scenario kind of 'evolved'.  
The IP address on the mail server NIC1 = 192.168.173.254 (LAN) and 192.168.1.4 (Dynamic IP provided by PIX - This will probably be irrelevant in your model).
The File Server IP (LAN) is 192.168.173.1
I've reconfigured the 837.  It's accessible via console but it's not connected to the internet as it is offsite. DHCP is functional on the 837.    I will be taking the units back to site tomorrow.  The WAN IP of the 837 is set to auto.  This was advised by the ISP.  I have all the PPPoE connection settings.  

The running-config for the 837 is now:

!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$/Nhq$K0zugYU1Z5C1PxJDy7WAh1
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.0.0.1 10.10.10.9
ip dhcp excluded-address 10.10.10.101 10.255.255.254
!
ip dhcp pool sdm-pool1
   network 10.0.0.0 255.0.0.0
   domain-name sfleng.com
   dns-server 194.125.2.240 194.125.2.241
   default-router 10.10.10.1
!
!
ip domain name sfleng.com
ip name-server 194.125.2.240
ip name-server 194.125.2.241
ip ips po max-events 100
no ftp-server write-enable
!
!
username admin privilege 15 password 0 sfl1*pass
!
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.0.0.0
 hold-queue 100 out
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
ip http server
ip http authentication local
ip http secure-server
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end


I hope this is useful to you.  Please let me know if you need further info.

With thanks & Best Regards
LVL 9

Expert Comment

by:stressedout2004
ID: 16905868
Ok, here is what we will do.

1) Eliminate 2nd NIC card on mail server. Keep the LAN NIC with IP of 192.168.173.254. Servers shouldn't get dynamic IPs, they need to be static. We then need to change the default gateway of the LAN NIC to the PIX inside interface. The same thing has to be done on the File server.
2) Disable DHCP on file server.
3) Configure PIX to do DHCP and VPN. Also create rules that will allow access to mail from the internet.  We will need
to change the IP address of the PIX inside IP to be on the 192.168.173.x network and change the outside IP to static IP.
4) Configure the 837 to do NAT and disable DHCP.

Below is the configuration on the PIX. Just access the PIX via console or telnet then go to configuration mode and copy and paste the commands below in order that they appear. To go into configuration mode, once you are in the PIX under privilege mode (pixfirewall#), just type in "config t". e.g (pixfirewall# config t). The prompt will then change to pixfirewall(config)#.

no dhcpd enable inside
no dhcpd address 192.168.1.2-192.168.1.33 inside

ip address outside 10.10.10.2 255.255.255.248
ip address inside 192.168.173.253 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.10.1

dhcpd address 192.168.173.128-192.168.173.169 inside
dhcpd dns 213.94.190.194 213.94.190.236
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain sfleng.com
dhcpd enable inside

access-list acl_out permit tcp any host 10.10.10.254 eq smtp
access-list acl_out permit tcp any host 10.10.10.254 eq pop3

access-list nonat_acl permit ip 192.168.173.0 255.255.255.0 172.100.10.0 255.255.255.0
access-list split_acl permit ip 192.168.173.0 255.255.255.0 172.100.10.0 255.255.255.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list nonat_acl

static (inside, outside) 10.10.10.254 192.168.173.254 netmask 255.255.255.255

access-group acl_out in interface outside

ip local pool vpnpool 172.100.10.1-172.100.10.50

sysopt connection permit-ipsec
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map vpn_access 10 ipsec-isakmp dynamic dynmap
crypto map vpn_access interface outside

isakmp enable outside
isakmp identity address
isakmp nat-t

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup remote_access address-pool vpnpool
vpngroup remote_access split-tunnel split_acl
vpngroup remote_access idle-time 1800
vpngroup remote_access password test123

I will send the necessary config for the 837 on my next post shortly.

LVL 9

Expert Comment

by:stressedout2004
ID: 16908758
The following is the configuration needed for the 837. This is just the NAT config, you will still need to setup dialer0 or the ATM subinterface on the 837  and configure the default gateway depending on what kind of connection your ISP gives you.

no ip dhcp pool sdm-pool1
no ip dhcp excluded-address 10.0.0.1 10.10.10.9
no ip dhcp excluded-address 10.10.10.101 10.255.255.254

access-list 120 permit ip 10.10.10.0 0.0.0.7 any
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static esp 10.10.10.2 interface Dialer0
ip nat inside source static udp 10.10.10.2 500 interface Dialer0 500
ip nat inside source static udp 10.10.10.2 4500 interface Dialer0 4500
ip nat inside source static 10.10.10.254 1.1.1.1

interface Dialer0
ip nat outside

interface Ethernet0
ip nat inside
LVL 1

Author Comment

by:freshfordian
ID: 16909529
Hi again
Thanks for the config:  just a couple of questions

PIX CONF
1.  I want to avoid stopping dhcp on file server.  The factory is quite busy at present and I cannot disrupt workflow.  I can exclude the list of IP addresses you mention in the config (dhcpd address 192.168.173.128-192.168.173.169 inside).  This would make them available to remote clients.  Is this ok?

2. In the following lines
    access-list nonat_acl permit ip 192.168.173.0 255.255.255.0 172.100.10.0 255.255.255.0
access-list split_acl permit ip 192.168.173.0 255.255.255.0 172.100.10.0 255.255.255.0

The subnet mask for 192.169.173.0 is given as 255.255.255.0.  Our mask is 255.255.0.0.  Should I change these lines?

3. When I copy the script to the console I get the following message appearing - almost after every line
  " % Invalid input detected at '^' marker."  Any suggestions?

Many thanks again
LVL 1

Author Comment

by:freshfordian
ID: 16909551
We also use the SDM on the PIX and 837 for network info.  These conf changes won't disable this?
LVL 9

Expert Comment

by:stressedout2004
ID: 16911070
1.  I want to avoid stopping dhcp on file server.  The factory is quite busy at present and I cannot disrupt workflow.  I can exclude the list of IP addresses you mention in the config (dhcpd address 192.168.173.128-192.168.173.169 inside).  This would make them available to remote clients.  Is this ok?

>>>>Yes, definitely. Once this is all setup, just change the default gateway option on the dhcp server to point to the PIX. Also you don't need to exclude the range 192.168.173.128-192.168.173.169, however just make sure you exclude the IP that will be assigned to the inside interface of the PIX firewall. You can change the IP of the PIX interfaces as you like, just make the necessary modifications.

2. In the following lines
access-list nonat_acl permit ip 192.168.173.0 255.255.255.0 172.100.10.0 255.255.255.0
access-list split_acl permit ip 192.168.173.0 255.255.255.0 172.100.10.0 255.255.255.0
The subnet mask for 192.169.173.0 is given as 255.255.255.0.  Our mask is 255.255.0.0.  Should I change these lines?

>>>Yes, change it to:

access-list nonat_acl permit ip 192.168.0.0 255.255.0.0 172.100.10.0 255.255.255.0
access-list split_acl permit ip 192.168.0.0 255.255.0.0 172.100.10.0 255.255.255.0

Also don't forget to change the subnet mask of the PIX inside interface to:

ip address inside 192.168.173.253 255.255.0.0

3. When I copy the script to the console I get the following message appearing - almost after every line
  " % Invalid input detected at '^' marker."  Any suggestions?

>>>Copy and pasting to a console can be quite cumbersome. Are you using windows built in hyperterminal?
Try copy and pasting it line by line instead of copying and pasting it all together.

4. We also use the SDM on the PIX and 837 for network info.  These conf changes won't disable this?

For the PIX, once you change the IP of the inside interface you will lose the PDM access. However, all you need
to do is add the following command and you are all set.

http 192.168.0.0 255.255.0.0 inside

For the router, you don't have to add anything. Just make sure you are using the correct IP address.

LVL 9

Expert Comment

by:stressedout2004
ID: 16911113
Here are the new configuration changes required:

For the PIX:

no dhcpd enable inside
no dhcpd address 192.168.1.2-192.168.1.33 inside

ip address outside 10.10.10.2 255.255.255.0
ip address inside 192.168.173.253 255.255.0.0
route outside 0.0.0.0 0.0.0.0 10.10.10.1

access-list acl_out permit tcp any host 10.10.10.254 eq smtp
access-list acl_out permit tcp any host 10.10.10.254 eq pop3

access-list nonat_acl permit ip 192.168.0.0 255.255.0.0 172.100.10.0 255.255.255.0
access-list split_acl permit ip 192.168.0.0 255.255.0.0 172.100.10.0 255.255.255.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list nonat_acl

static (inside, outside) 10.10.10.254 192.168.173.254 netmask 255.255.255.255

access-group acl_out in interface outside

http 192.168.0.0 255.255.0.0 inside

ip local pool vpnpool 172.100.10.1-172.100.10.50

sysopt connection permit-ipsec
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map vpn_access 10 ipsec-isakmp dynamic dynmap
crypto map vpn_access interface outside

isakmp enable outside
isakmp identity address
isakmp nat-t

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup remote_access address-pool vpnpool
vpngroup remote_access split-tunnel split_acl
vpngroup remote_access idle-time 1800
vpngroup remote_access password test123

For the 837:

no ip dhcp pool sdm-pool1
no ip dhcp excluded-address 10.0.0.1 10.10.10.9
no ip dhcp excluded-address 10.10.10.101 10.255.255.254

access-list 120 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static esp 10.10.10.2 interface Dialer0
ip nat inside source static udp 10.10.10.2 500 interface Dialer0 500
ip nat inside source static udp 10.10.10.2 4500 interface Dialer0 4500
ip nat inside source static 10.10.10.254 1.1.1.1

interface Dialer0
ip nat outside

interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
LVL 9

Expert Comment

by:stressedout2004
ID: 16911132
Also, if you continue to have a difficult time copying and pasting commands and you are using hyperterminal, try downloading the 30 day evaluation of SecureCRT and use that instead.
LVL 1

Author Comment

by:freshfordian
ID: 16920169
Hi

I've started with the router 837 config - one line at a time.  The new running-config is below.  Please note that I get the following error:

Router(config)#interface Dialer0
Router(config-if)#ip nat outside
%NAT: Error activating CNBAR on the interface Dialer0
Router(config-if)#^Z
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface Ethernet0
Router(config-if)#ip nat inside
%NAT: Error activating CNBAR on the interface Ethernet0

This is probably due to the fact that Dialer0 is not connected to internet?  If so, will I need to enter the ip interface lines again (when connected to internet).

I'll start on PIX next and let you know how it's going.

Thanks again

Router#show run
Building configuration...

Current configuration : 1764 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$iqbM$POzrxwl7vxK.aJVSw7kT1.
enable password efx98al
!
no aaa new-model
ip subnet-zero
!
!
ip domain name sfleng.com
ip name-server 194.125.2.240
ip name-server 194.125.2.241
ip ips po max-events 100
no ftp-server write-enable
!
!
username admin privilege 15 password 0 sfl1*pass
!
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.0.0.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 speed auto
 half-duplex
!
interface FastEthernet2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Dialer0
 no ip address
 ip nat outside
 ip virtual-reassembly
!        
ip classless
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static udp 10.10.10.2 4500 interface Dialer0 4500
ip nat inside source static udp 10.10.10.2 500 interface Dialer0 500
ip nat inside source static esp 10.10.10.2 interface Dialer0
ip nat inside source static 10.10.10.254 1.1.1.1
!
!
access-list 120 permit ip 10.10.10.0 0.0.0.7 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password efx98al
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
LVL 1

Author Comment

by:freshfordian
ID: 16920467
Hi
Forgot to mention it!  I did so much fooling around with the 837 yesterday that I had to reload before carrying out the steps above.  The IP address of the 837 is 10.10.10.1 subnet 255.0.0.0.  Can't remember what the initial subnet was.  I've checked the running-config above and it seems to be the same as I've got now.  This does not affect your PIX conf?

LVL 9

Expert Comment

by:stressedout2004
ID: 16921332
Yes, the subnet of 255.0.0.0 is unnecessary as you only have the PIX and the router connected to each other. You need to make the following adjustments on the 837:

interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 exit

no ip nat inside source list 120 interface Dialer0 overload
no access-list 120 permit ip 10.10.10.0 0.0.0.7 any
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list 120 interface Dialer0 overload

As for the error, don't worry about it. It has something to do with a bug on the IOS. It shouldn't affect anything.
LVL 9

Expert Comment

by:stressedout2004
ID: 16921357
It really doesn't matter what subnet mask you use. But it is important that both PIX and router have the same subnet mask because if not, we may run into some communication issues. So really it is up to you what subnet mask you use, but I would recommend 255.255.255.0 not 255.0.0.0.
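A consistency checker for the layout the thread settles on (PIX as the VPN server, 837 forwarding IKE, NAT-T and ESP to it, posted as ID 16911113) and for the subnet-mask point made just above (ID 16921357). This is an added example, not code from the thread or from Cisco: it parses the expert's final PIX 6.3 and IOS snippets, embedded here as constructed samples trimmed to the lines it checks, and flags a link-mask mismatch, a missing udp/500, udp/4500 or ESP forward to the PIX outside address, nonat/split ACLs that do not cover the inside network and the VPN pool, and a mail-server static that the 837 does not publish. All function and sample names are my own.

```python
"""Consistency checks for the PIX 501 + Cisco 837 VPN layout from this thread
(added example; parses the expert's final PIX 6.3 and IOS NAT snippets)."""
import ipaddress
import re

# Constructed sample: the expert's final PIX snippet, trimmed to the lines checked here.
PIX_CFG = """\
ip address outside 10.10.10.2 255.255.255.0
ip address inside 192.168.173.253 255.255.0.0
access-list nonat_acl permit ip 192.168.0.0 255.255.0.0 172.100.10.0 255.255.255.0
access-list split_acl permit ip 192.168.0.0 255.255.0.0 172.100.10.0 255.255.255.0
static (inside,outside) 10.10.10.254 192.168.173.254 netmask 255.255.255.255
ip local pool vpnpool 172.100.10.1-172.100.10.50
"""

# Constructed sample: the expert's final 837 NAT snippet (1.1.1.1 is his placeholder public IP).
IOS_CFG = """\
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
ip nat inside source static esp 10.10.10.2 interface Dialer0
ip nat inside source static udp 10.10.10.2 500 interface Dialer0 500
ip nat inside source static udp 10.10.10.2 4500 interface Dialer0 4500
ip nat inside source static 10.10.10.254 1.1.1.1
"""


def pix_interfaces(cfg):
    """Map PIX interface name -> IPv4Interface from 'ip address <name> <ip> <mask>' lines."""
    return {name: ipaddress.ip_interface(f"{ip}/{mask}")
            for name, ip, mask in re.findall(r"^ip address (\S+) (\S+) (\S+)$", cfg, re.M)}


def pix_acl(cfg, name):
    """List of (src_net, dst_net) for a named PIX 'permit ip' ACL (PIX ACLs use real masks)."""
    pat = rf"^access-list {name} permit ip (\S+) (\S+) (\S+) (\S+)$"
    return [(ipaddress.ip_network(f"{a}/{b}"), ipaddress.ip_network(f"{c}/{d}"))
            for a, b, c, d in re.findall(pat, cfg, re.M)]


def pix_pool(cfg):
    """First and last address of the 'ip local pool' handed out to VPN clients."""
    first, last = re.search(r"^ip local pool \S+ (\S+)-(\S+)$", cfg, re.M).groups()
    return ipaddress.ip_address(first), ipaddress.ip_address(last)


def ios_interface(cfg, name):
    """IPv4Interface configured under 'interface <name>' (sub-commands are indented)."""
    m = re.search(rf"^interface {name}\n(?: .*\n)*? ip address (\S+) (\S+)$", cfg, re.M)
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")


def ios_forwards(cfg):
    """Map inside host -> set of (proto, port) the router forwards to it (port None for ESP)."""
    fwd = {}
    pat = r"^ip nat inside source static (esp|udp|tcp) (\S+)(?: (\d+))? interface"
    for proto, host, port in re.findall(pat, cfg, re.M):
        fwd.setdefault(host, set()).add((proto, int(port) if port else None))
    return fwd


def ios_static_hosts(cfg):
    """Map inside IP -> global IP for plain one-to-one static NAT entries."""
    return dict(re.findall(r"^ip nat inside source static (\d[\d.]+) (\d[\d.]+)$", cfg, re.M))


def check_vpn_layout(pix_cfg, ios_cfg):
    """Return a list of problems; an empty list means the two configs agree."""
    problems = []
    pix = pix_interfaces(pix_cfg)
    outside, inside_net = pix["outside"], pix["inside"].network
    eth0 = ios_interface(ios_cfg, "Ethernet0")
    # 1) PIX outside and 837 Ethernet0 must sit in one subnet, mask included (the /24 advice).
    if outside.network != eth0.network:
        problems.append(f"link mask mismatch: PIX outside {outside} vs 837 Ethernet0 {eth0}")
    # 2) IKE (udp/500), NAT-T (udp/4500) and ESP must all be forwarded to the PIX outside IP.
    need = {("udp", 500), ("udp", 4500), ("esp", None)}
    have = ios_forwards(ios_cfg).get(str(outside.ip), set())
    for proto, port in sorted(need - have, key=str):
        label = proto if port is None else f"{proto}/{port}"
        problems.append(f"837 is not forwarding {label} to {outside.ip}")
    # 3) nonat_acl and split_acl must cover the whole inside network and the whole VPN pool.
    first, last = pix_pool(pix_cfg)
    for acl in ("nonat_acl", "split_acl"):
        if not any(inside_net.subnet_of(src) and first in dst and last in dst
                   for src, dst in pix_acl(pix_cfg, acl)):
            problems.append(f"{acl} does not cover {inside_net} -> pool {first}-{last}")
    # 4) The mail-server static on the PIX must be the host the 837 publishes to the internet.
    m = re.search(r"^static \(inside,outside\) (\S+) \S+ netmask", pix_cfg, re.M)
    if not m or m.group(1) not in ios_static_hosts(ios_cfg):
        problems.append("mail server static on the PIX is not published by the 837")
    return problems


if __name__ == "__main__":
    for line in check_vpn_layout(PIX_CFG, IOS_CFG) or ["configs agree"]:
        print(line)
```

Feed it the real running-configs (after `show run` on each box) to catch the same drift the thread hit, for instance when the PIX outside mask and the 837 Ethernet0 mask are changed independently.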
LVL 1

Author Comment

by:freshfordian
ID: 16921504
Hi

Thank you for your comment.  I pre-empted you a little.  I left the 837's subnet mask alone and changed
the subnet mask for the outside address to 255.0.0.0.  I then refreshed the screen in the SDM and the outside interface came up!! Great!  The inside interface is now 192.168.173.253.  That's up also.
I entered all of the remaining configuration via SecureCRT - no error messages!  I saved the config using the 'write term' command. ( this is ok yes?).  The show run on the pix is shown below.  
Regarding the modified conf for the 837 above, should I ignore the interface commands now and run the remaining four lines?
Thanks again

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name sfleng.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list acl_out permit tcp any host 10.10.10.254 eq smtp
access-list acl_out permit tcp any host 10.10.10.254 eq pop3
access-list nonat_acl permit ip 192.168.0.0 255.255.0.0 172.100.10.0 255.255.255.0
access-list split_acl permit ip 192.168.0.0 255.255.0.0 172.100.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.0.0.0
ip address inside 192.168.173.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.100.10.1-172.100.10.50
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.10.254 192.168.173.254 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.173.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map vpn_access 10 ipsec-isakmp dynamic dynmap
crypto map vpn_access interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote_access address-pool vpnpool
vpngroup remote_access split-tunnel split_acl
vpngroup remote_access idle-time 1800
vpngroup remote_access password ********
telnet 192.168.173.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.173.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 213.94.190.194 213.94.190.236
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain sfleng.com
dhcpd auto_config outside
username admin password ThdoiQDQnZbu2AMK encrypted privilege 1
terminal width 80
Cryptochecksum:35c0679373f98d97af4ca529c783d26d
: end
pixfirewall#

0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16924822
The command "write term" does not save the configuration to flash. It just displays the current configuration. To save the configuration on the PIX, you have to do "wr mem".

The PIX configuration is all set. We only need to deal with the 837.

Since you insist on using the 255.0.0.0 subnet mask, we have to change the NAT statement into the following:

no ip nat inside source list 120 interface Dialer0 overload
no access-list 120 permit ip 10.10.10.0 0.0.0.7 any
access-list 120 permit ip 10.0.0.0 0.255.255.255 any
ip nat inside source list 120 interface Dialer0 overload

So just copy and paste the above command. Also regarding this line "ip nat inside source static 10.10.10.254 1.1.1.1": you have to replace 1.1.1.1 with the actual public IP that will be assigned to the mail server. The IP 1.1.1.1 is just an example. So to replace the line just do:

no ip nat inside source static 10.10.10.254 1.1.1.1

Then just re-enter the same command with the correct ip.

ip nat inside source static 10.10.10.254 x.x.x.x


0
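The two points above (the router and PIX must agree on the outside subnet mask, and the IOS NAT access-list wildcard has to match whatever mask ends up on that link) are easy to get wrong by hand. Here is a small checker, added as an example and not part of the thread, that derives the wildcard from a subnet mask, builds the `access-list 120` line the way the expert did, and flags a mask mismatch between the two devices; the sample addresses are the ones quoted in the thread.

```python
import ipaddress

def mask_to_wildcard(mask: str) -> str:
    """IOS ACL wildcard mask is the bitwise inverse of the subnet mask."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))

def nat_acl_line(acl_number: int, addr: str, mask: str) -> str:
    """Build the 'permit ip <network> <wildcard> any' line for the inside subnet."""
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    wildcard = mask_to_wildcard(str(net.netmask))
    return f"access-list {acl_number} permit ip {net.network_address} {wildcard} any"

def same_subnet(addr_a: str, mask_a: str, addr_b: str, mask_b: str) -> bool:
    """True only if both devices derive the same network from their own mask."""
    net_a = ipaddress.IPv4Network((addr_a, mask_a), strict=False)
    net_b = ipaddress.IPv4Network((addr_b, mask_b), strict=False)
    return net_a == net_b

def gateway_on_link(pix_addr: str, pix_mask: str, gateway: str) -> bool:
    """The PIX default route next hop must fall inside its own outside subnet."""
    net = ipaddress.IPv4Network((pix_addr, pix_mask), strict=False)
    return ipaddress.IPv4Address(gateway) in net

if __name__ == "__main__":
    # Constructed from the thread: router LAN side 10.10.10.1, PIX outside 10.10.10.2.
    router_addr, router_mask = "10.10.10.1", "255.255.255.0"
    pix_addr, pix_mask = "10.10.10.2", "255.0.0.0"
    print(nat_acl_line(120, pix_addr, pix_mask))
    if not same_subnet(router_addr, router_mask, pix_addr, pix_mask):
        print("WARNING: router and PIX disagree on the link subnet mask")
    print("PIX gateway reachable:", gateway_on_link(pix_addr, pix_mask, "10.10.10.1"))
```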
 
LVL 1

Author Comment

by:freshfordian
ID: 16935463
Hi
I've carried out your instructions.  Thank you for your assistance AND patience!!
I will deploy the router and pix tomorrow and setup PPPoE. I'll let you know how it operates.
Can I ask you if Cisco VPN client software is a requirement or is Windows VPN ok?  Finally can you recommend a good network / router simulation program where devices can be added and configured virtually?

Thanks again
0
 
LVL 9

Accepted Solution

by:
stressedout2004 earned 500 total points
ID: 16936184
Yes, it is a requirement. The PIX is set up for the Cisco VPN client, as it works a lot better compared to Windows VPN. You should have no problem getting a copy of the Cisco VPN client, especially if you purchased the PIX with a 3DES license. You can also get it from Cisco if you have a SMARTnet contract.

For the router simulator, I have tried the Boson NetSim for CCNP. You can design your own network using the routers and switches they have and load it into the simulator and from there configure it. There's a free demo that you can download.
0
