Solved

Need CISCO Guru to help configure new network from scratch! (step-by-step, idiot-proof)

Posted on 2006-06-21
123
6,777 Views
Last Modified: 2013-12-14

CALLING ALL LIFE SAVERS! :)

Please prove to me that a higher power exists & help save my butt!  I thought I could walk on water but CISCO.... ouch drowning here!

I have been tasked with setting up a completely new network at a new office space with equipment I have never touched in my life!  I am hoping that I can get some guidance on setting this up correctly from you guys.  This is worth 5000 points but unfortunately I can only grant 500 to whomever can help and/or point me in the right direction.  I'm a fairly good systems admin but no experience with CISCO stuff :(

O.k., so here's the setup.

Small office - about 20 users.

1 Verizon T-1 Line coming in with the following (made up) IP info:
LAN      140.155.64.16/28 (16 IPs, 13 usable)
WAN     65.160.89.137 (Verizon side)
             66.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  

Will be connected to ADTRAN 1200295L1 TSU ACE T1 FT1 DSU/CSU NX56 OR NX64 1.536 MBPS D4(SF) OR ESF (1200295L1).  This is an external CSU/DSU unit.

I will have to try to figure out how to configure this CSU/DSU unit as I have never configured one in my life.  

I also have a CISCO 871 router and a CISCO PIX 506E firewall.  This is where I am completely confused.  Should the CSU/DSU be plugged into the router and then into the PIX firewall?  Or should it be the other way around?  

I need someone to clear this up for me.  I have no clue how to go about setting any of these devices up.  

The general idea for the setup is for the PIX (or the router) to be plugged into a network switch.  I need either the router or the pix to have DHCP enabled for a set of 5 IPs, 10.0.0.1 thru 10.0.0.5.  

The LAN will be set up with the 10.0.0.x subnet.  A standalone DHCP server with an IP of 10.0.0.10 will assign IPs to all local workstations.

I will have to allow 10 clients to establish VPN connectivity to the network.  I have to be able to control UDP & TCP ports through ACL's on the PIX (but clueless as to how it's done).  

I am thinking that since the CISCO 871 router does not act as a CSU/DSU, should it be disconnected and returned to the vendor altogether?  What is the purpose of having a CISCO 871 and a PIX 506E firewall running together in a small business?  Advantages/disadvantages?  

As you can see I am completely lost and in need of clear step by step instructions on running the IOS on both of the devices with commands (or is there a GUI that'll allow me to configure all of this?) or an immediate CISCO fundamentals boot camp because I'm due to set this whole thing up on Monday which is coming up in 4 days.  I am really hoping for a more realistic option #1.  I may also be able to pay a couple of hundred bucks to anyone who will be able to virtually walk me through setting everything up.  I promise to provide clear answers to all of your questions.  
0
Comment
Question by:taki1gostek
  • 77
  • 46
123 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 16955820
OK - -
Adtran TSU should come factory default to support a full T1 B8ZS/EFS right out of the box. If your line is anything else, then you'll have to adjust from there.
Adtran TSU should have a v.35 port on it for data.
v.35 port plugs into a Serial port on the router.
Router's LAN/Ethernet port plugs x-connect to the PIX WAN (port 0) port
PIX inside (port 1) connects to lan switch
All internal hosts plug into the lan switch

On the 871 - you're screwed buddy. It does not have a serial WAN interface, only a 10/100 Ethernet. You can scrap both the 871 and the Adtran unit and replace with a 1841 T1 bundle. It has a modular WIC TSU on board. Much simpler setup.

T1 plugs into 1841 WIC interface (Rj45)
Fast 0/0 plugs into PIX outside

The PIX does, in fact, have a GUI, but you first have to run the setup from the console before you can use it.
The 1841 also comes with a SDM GUI, but I'm not fond of it. I can configure one in just a few minutes by hand but there are some neat features of it. Fun to play with.
Here's a quick-start guide for the PIX 506 to peruse
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63qsg/506quick.pdf

There is no purpose in having both a 871 and a PIX. I would say it is either/or, but my preference would be PIX. In your case you have a T1 feed which the PIX will not take so you need a router+DSU to handle the different encapsulation/technologies between T1 and Ethernet.

Let me know what more information I can provide.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975511
Hello??
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975566
I'm sorry for my delay in responding.  Had a bad car accident, car totalled, wife pregnant but the baby's o.k. :)

I took your advice to heart and got an 1841 w/DSU/CSU WIC card router.

Having trouble right now getting the PIX 506E firewall to turn on DHCP so that I can use the PDM web-based utility to configure it...  Going to go out and get a book on Pix for dummies or something.  The project's on Monday, it's Saturday and I have a 4 hour drive to NYC.  

Please call me (212) 945-8461 if you think you'll be able to help walk me through a couple of things on the PIX and the Router.

Thanks again!

I will be waiting for your quick response and/or call.

My apologies again for not responding sooner.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975599
lrmoore,

I can't get the DHCP to turn on on the PIX 506E!  Please help.  I would like to use the PDM to configure it.

Here's the info I have:
pixfirewall(config)# show ip
System IP Addresses:
        no ip address outside
        ip address inside 192.168.1.1 255.255.255.0
Current IP Addresses:
        no ip address outside
        ip address inside 192.168.1.1 255.255.255.0

pixfirewall(config)# show dhcpd
dhcpd address 192.168.1.2-192.168.1.5 inside
dhcpd dns 192.168.1.1 192.168.1.6
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd enable inside
pixfirewall(config)#

what's wrong with this config?  

In other words the way I'm looking at it is if I connect ethernet 1 on the pix directly to my PC, the PC should obtain a DHCP IP address from the pool 192.168.1.2-192.168.1.5, should receive DNS info 192.168.1.1 192.168.1.6.  When I plug into my PC though I'm getting the message that the cable is unplugged.

I am hoping that once my PC receives an IP from the firewall (by temporarily turning on DHCP on it), I could theoretically go to IE, type in 192.168.1.1 (the inside [ethernet 1] address) to access PDM and its wizards.  Am I correct?

0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975600
Perhaps I should be using a cross-over wire instead of a straight-through CAT5?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975626
Bad news/good news, eh?
Car accident - bad!
Wife and baby OK - good!

Did you read the quick-start guide for the PIX? Link is in my original post. It is quite detailed and should help you out.

We need to keep everything in this forum  that we can. Just post here with specific questions and I'll give you detailed information as I can.
I can probably give you some good cut/paste configs with some detail.
Are you familiar with pasting configs into Cisco product? Same procedure with router and PIX:
Select/copy the text
In hypterterm (to console port via serial):
Router>enable
Username:cisco <== defaults on the 1841
Password:cisco
Router#config term
Router(config)# <right-click, Paste to Host>
Watch the magic.

Pixfirewall>enable
Password: <enter>  <== no password by default
Pixfirewall#config term
Pixfirewall(config)# <right-click, Paste to Host>

Done.

I'll post a basic 1841 config here in a few and follow with a PIX config.

I'll be in-out throughout the weekend, but will keep checking back.


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975665
Cisco 1841 router config. We can change the enable password later..
\\-- begin  [copy everything between this line and \\-- end]

!
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname C1841
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
!
ip cef
!
!
enable secret cisco
!
!
!
!
interface FastEthernet0/0
 ip address 140.155.64.16 255.255.255.240
 no shut
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 65.160.89.138 255.255.255.252
!
ip classless
!
!
ip route 0.0.0.0 0.0.0.0 65.160.89.137
!
ntp server 128.59.16.20 prefer
!
no banner login
!
end
!
write mem


\\-- end  - (make sure you copy the carraige returns at the end below write mem)

The config changes are immediate and the "write mem" at the end saves the config
After you pop this config in, we need to change the password:
C1841>enable
Password:cisco
C1841#config t
C1841(config)#enable secret <newpassword> <== put your own good password in here
C1841(config)#end
C1841#write mem
[OK]

Isn't this easy?

C1841
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975668
>Perhaps I should be using a cross-over wire instead of a straight-through CAT5?
Direct from PC to PIX? Yes, crossover cable
Suggest you use a switch/hub in between with straight cables.


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975677
>   ip address inside 192.168.1.1 255.255.255.0
Are you sure you want to use this default IP addressing scheme? I HIGHLY recommend NOT using it due to the fact that you want to enable remote VPN users. Far too many home/remote users have the exact same LAN ip subnet and you will have no end to "issues" with users if you don't decide right up front to use something else.
Suggest something like 192.168.109.0 / 255.2552.55.0 for the internal LAN

0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975685
Let's do it.  I just wanted to temporarily assign that subnet.

Now, if I imagine this correctly, the proper setup is

Internet-->CSU/DSU (Router)--> Pix --> Switch
correct?

I only have one console cable and it's currently plugged into the Firewall.  Let's configure the PIX first.  I guess I won't have to use PDM if I can get your help.

I will first need to clear all settings back to factory defaults.

Do i do this by typing configure factory-default command?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975690
Should I turn the PIX off and plug the router in for the meantime?  You tell me.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975695
That's what I'll do, I will configure the router first according to your instructions.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975704
>The LAN will be set up with the 10.0.0.x subnet
Sorry, just re-read the original post...
Same goes with this subnet. It's just as bad a choice as 192.168.1.0
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975726
I guess I should give you correct IP info now:

LAN      141.155.64.16/28 (16 IPs, 13 usable)
WAN     68.160.89.137 (Verizon side)
             68.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  

This will change some of the copy & paste text.  For example, the line interface FastEthernet0/0
 ip address 141.155.64.16 255.255.255.240, why is .240 the subnet mask?  


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975733
Looks like we're cross-posting...
Yes - setup =
Internet T1 --Rj45-> CSU/DSU WIC
                                  Ethernet0/0 (top one, I think) -- Xover cat5-->PIX Eth0 (outside)
                                                                                                     PIX Eth1 (inside) --> switch

Clear the PIX config:
pixfirewall(config)#write erase
Confirm yes,
reboot the pix.

\\-- BASE config begin

interface ethernet0 auto
interface ethernet1 auto
enable password cisco
passwd cisco
hostname PIX506
clock timezone EST -5
clock summer-time EDT recurring

logging on
logging timestamp
logging buffered informational

ip address outside 140.155.64.18 255.255.255.240

ip address inside 192.168.109.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 140.155.64.17

dhcpd address 192.168.109.100-192.168.109.254 inside
dhcpd dns 151.202.0.84 151.202.0.85  
dhcpd enable inside
global (outside) 10 interface
nat (inside) 10 0 0 0
ip local pool VPNPOOL 192.168.123.200-192.168.123.254

access-list outside_in permit icmp any any

ntp server 192.5.41.41 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.109.0 255.255.255.0 inside

sysopt connect permit-ipsec

isakmp identity address
isakmp nat-traversal 20

\\-- END

We'll finish up the VPN config later...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975741
>LAN      141.155.64.16/28 (16 IPs, 13 usable)

>ip address 141.155.64.16 255.255.255.240
typo in my post:

   ip address 141.155.64.16 255.255.255.240
Should be:
   ip address 141.155.64.17 255.255.255.240

.16 is the network ID
.17 is the 1st useable IP
.17 is the default gatewy of the above PIX config

why .24 mask?
/28 = .240 mask
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975749
Yes we are and it's my fault.  I should have stayed with your posts & plugged the router in, in the first place.  Let's do the router first as you had originally requested.

I was able to successfully cut & paste into host the following (with some IP address changes, as per my last post):

\\-- begin  [copy everything between this line and \\-- end]
!
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname C1841
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
!
ip cef
!
!
enable secret cisco
!
!
!
!
interface FastEthernet0/0
 ip address 141.155.64.16 255.255.255.240
 no shut
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
!
ip classless
!
!
ip route 0.0.0.0 0.0.0.0 68.160.89.137
!
ntp server 128.59.16.20 prefer
!
no banner login
!
end
!
write mem


\\-- end  - (make sure you copy the carraige returns at the end below write mem)

I also assigned a password to the router.  What do we do next on the router?  I think we should verify that all changes took & all looks good.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975758
C1841#show config
To verify....
Per my last post, I think we may have an issue with the IP address on the FastEthernet0/0 interface
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975774
I THINK I GOT THE CONFIG INFO RIGHT THIS TIME:


Using 1264 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname C1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Ozo3$vigftzP1mi0vaRwXgYz/Y1
!
no aaa new-model
!
resource policy
!
clock timezone est -5
clock summer-time edt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name yourdomain.com
!
username cisco privilege 15 secret 5 $1$ZMSn$9/qJDaP00Ox8L8pvUknNs/
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 10.10.10.1 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
 shutdown
!
ip classless
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
ntp server 128.59.16.20 prefer
end

C1841#
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975781
I had to select, copy & paste each page separately because of the <more> command.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975788

Kinda hard to read, but just as I suspected:

interface FastEthernet0/0                        
 shutdown

C1841#config t
C1841(config)#interface fast 0/0
C1841(config-if)#ip address 141.155.64.17 255.255.255.240
C1841(config-if)#no shut
C1841(config-if)#end
C1841#write mem
[OK]
C1841#


\\\ BEGIN PIX VPN config

access-list no_nat permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list VPN_splitTunnelAcl permit 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list Outside_dynamic permit 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0

nat (inside) 0 access-list no_nat

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3ds esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 match address Outside_dynamic
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

vpngroup VPN3000 address-pool VPNPOOL
vpngroup VPN3000 split-tunnel VPN_splitTunnelAcl
vpngroup VPN3000 password ********

\\\ END VPN config
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975795
>interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
 shutdown

We need to get rid of the shutdown on this one, too...

C1841#config t
C1841(config)#interface serial 0/0/0
C1841(config-if)#no shut
C1841(config-if)#end
C1841#write mem
[OK]
C1841#
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975798
So if the router now properly configured?  In other words, do I turn it off and just plug it in to the CSU/DSU and it'll work?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975803
done
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975808
Let's see the whole config one more time...

With your blessing, I can edit out the garbage post above...
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975809
Any way you can give me a little bit of a background on how VPN connectivity will work?  I.E. will I need to get the client to purchase VPN clients or will they be able to VPN directly from Windows using what I think is PPP authentication?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975812
The PIX comes with a CD with the VPN client software. Easy install.
Else you can use the Microsoft PPTP client (not recommended)
The PIX will terminate either one, but the config I posted was for the Cisco client.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975813
Please, edit it out.  Thanks.

Using 1256 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname C1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Ozo3$vigftzP1mi0vaRwXgYz/Y1
!
no aaa new-model
!
resource policy
!
clock timezone est -5
clock summer-time edt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name yourdomain.com
!
username cisco privilege 15 secret 5 $1$ZMSn$9/qJDaP00Ox8L8pvUknNs/
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 141.55.64.17 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
!
ip classless
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
ntp server 128.59.16.20 prefer
end

C1841#
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975815
Unfortunately the PIX had come in OEM, used or refurbished without any addtl software.  We'll just use MS's PPTP to authenticate.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975823
Router config looks good!
It "should" be plug and play on Monday!
Some tips to troubleshoot if it does not come up right away:

C1841#show ip interface brief
Look for status up | up
C1841#show interface serial0/0/0
Look for status Line UP | Protocol UP
Look for errror counters

If Line is DOWN, then the ISP/Telco has not enabled the T1 and you must call their engineers to enable it.
Post results of those two commands here if you need a 3rd eye..
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975832
>Unfortunately the PIX had come in OEM, used or refurbished without any addtl software
YUK!
Email me (look in my profile) and I'll see if I can get you a copy.
Too many problems using MS PPTP . . .
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975837
Great!  Thanks!

I'm posting the show config command for the pix now:

: Written by enable_15 at 19:00:54.370 EST Thu Dec 31 1992
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX506
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any
pager lines 24
logging on
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 140.155.64.18 255.255.255.240
ip address inside 192.168.109.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.123.200-192.168.123.254
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 140.155.64.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.41 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.109.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
isakmp identity address
isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.109.100-192.168.109.254 inside
dhcpd dns 151.202.0.84 151.202.0.85
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:83a6ce7c605a01eba068ba2a220345b0
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975853
THIS IS THE FIREWALL CONFIG AFTER I HAD APPLIED YOUR VPN SETTINGS INSTRUCTIONS.

: Written by enable_15 at 19:05:23.064 EST Thu Dec 31 1992
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX506
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any
access-list no_nat permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.2
55.0
pager lines 24
logging on
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 140.155.64.18 255.255.255.240
ip address inside 192.168.109.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.123.200-192.168.123.254
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 140.155.64.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.41 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.109.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup VPN3000 address-pool VPNPOOL
vpngroup VPN3000 idle-time 1800
vpngroup VPN3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.109.100-192.168.109.254 inside
dhcpd dns 151.202.0.84 151.202.0.85
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:1177ae9c17787007a7db65ad592841e2
PIX506(config)#

0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975864
How will the clients access VPN?  What username & password will they be using and how can that be assigned?

I will also need a secure way to remotely connect to and administer both the PIX and the router.  Any instructions on setting that up?

I swear I will learn CISCO.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975923
>PIX Version 6.3(3)
YUK... buggy version....
Upgrade to 6.3(5) soonest

0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975931
I know it may not have been the best idea to share my phone # on the post but if you could, please give me a buzz.  I have to get going.  I will pack up the 506E & 1841 and take it with me to NYC where I will continue the battle tonight and tomorrow so that it is truly ready & plug-n-play when I arrive at my client's site.

I'd like to thank you for what we've already (actually you) have accomplished and I have a summary of questions I'd like you to put together answers to if you can:

1. Passwords.  I would like to assign strong passwords to both the Router and the Firewall.  Please provide instructions.
2. I may end up having to eventually turn off DHCP services on the PIX because DHCP requests will very likely be processed by a Win2K3 server.
3. How do I work with or create Access Control Lists?  I will have 1 Unix box & a couple of Windows Servers that require specific ports to be forwarded to them.  I guess I'm asking how I'll have to go about configuring NAT so that Outside IP/Port is sent to an Internal IP & Port.
4. VPN.  I had sent you an e-mail from my address as you had requested.  What authentication type will the VPN clients use?  How do I create VPN users & their passwords?  Will users have the option to change their VPN passwords or will that require me to change settings on the firewall?
5. Are we done with the Router?  I.E. once this configuration is set will there be any circumastances short of changing the ISP that will require anyone to administer the Router?  What are the IP addresses that were assigned to the router & to the firewall?
6. How can I remotely administer the router & the pix?  Tetlnet, Secure telnet?  I will need a way to securely connect & configure the firewall.

I think that's about it.  I just got your e-mail.  Will follow instructions & post here before I leave.

Thanks again!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16975939
We're missing a few lines in the PIX config. - my fault....

copy paste the following:

access-list VPN_splitTunnelAcl permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list Outside_dynamic permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 match address Outside_dynamic
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

vpngroup VPN3000 split-tunnel VPN_splitTunnelAcl
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975962
Took care of it.

What am I doing wrong?  I guess I should be plugged into the pix firewall?  I'm plugged into a different network on my PC and console cable to the firewall.  Nothing else is connected.

I can hook the firewall up to a switch and hook my computer to Ethernet1 port.  Should I?

I guess i should be on the same subnet as the firewall in order for the TFTP client to work.

Then again, where should I download the two files?  I have them on my root drive C:


PIX506(config)# copy tftp://72.248.110.16/pix635.bin flash:
copying tftp://72.248.110.16/pix635.bin to flash:image
tftp: Timed out attempting to connect
Image not installed
PIX506(config)#
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16975985
I really have to run now.  If I leave now maybe i'll make it to NYC by 9PM, heard that there's lots of traffic because of the rain.

I will answer anything and everything as soon as I am in front of a PC in NYC.

Thanks again for all of your help!  I hope you'll be around tonight and tomorrow.

-taki
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16976067
>I guess i should be on the same subnet as the firewall in order for the TFTP client to work.
Yep...

Then again, where should I download the two files?  I have them on my root drive C:
That's OK as long as you set Pumpkin's filesystem root directory to C:\

0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16979347
I'm in NYC.  I got here a little bit after 10PM because it was pouring down all the way from mass through RI, CT and NY.  It was too late to hook up at my friend's and continue the battle.  Please let me know whether you're around today.  I was able to flash the pix & pdm with no problems!

I can't seem to be able to access PDM via 192.168.109.1 (the pix=gateway IP).

Where would I have to go to enable PDM?

I don't have a T-1 line to work with to test VPN connectivity and so any instructions on what needs to be done once the VPN client is installed along with answers to the questions I had previously asked will definitely be helpful.

The PIX firewall seems to be running very HOT even though it's not really processing anything...  The casis is very warm.  Think it could be a dead fan or could there be a different issue with that?

I will be checking my mail every 2-5 minutes to see if you're around.

Again, thanks a bunch for all of your assistance!  I'd like to pay you if you can accept a payment through pay pal for your time.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16979413
Glad you made it. I'm in and out. Just getting ready to do some grocery shopping and I'll be back in a couple of hours.

To access the pdm, be sure to use https://192.168.109.1  note the "s" in https

http server enable  <== enabled!
http 192.168.109.0 255.255.255.0 inside  <== as long as your PC has an IP in this range you should be good

>PIX firewall seems to be running very HOT
These puppies do tend to run pretty warm. Keep an eye on it..

Here's the user guide for the VPN client.
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/ugwin/index.htm

The down and dirty:
Install the client
Create New entry
Connection Entry: Text string whatever you want
Description: Optional text string
Host: 140.155.64.18  ( IP address of PIX outside)
* Group Authentication
Name:  VPN3000
Password: < match = vpngroup VPN3000 password ********>
Confirm Password:
   [Save]
Select entry and click Connect.
Done!

How about posting a new question for each of your questions 1 through 6 above?
All I get here is points and the max for 1 Q is 500. By posting multiple questions, I can earn more points.
Post a link to the new Q's here...






0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16979450
Will do.  What is the VPN group password & how do I change it?

0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16979468
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16979485
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16979499
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16979568
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16979590
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16979697
What is the default username and password in order to configure the Pix using PDM?  

https://192.168.109.1
username: pixadmin (?)
password: ???

Tried cisco, admin, root, etc... Nothing has worked so far.  How can that password be changed or set in IOS?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16979716
5. Are we done with the Router?  I.E. once this configuration is set will there be any circumastances short of changing the ISP that will require anyone to administer the Router?  What are the IP addresses that were assigned to the router & to the firewall?

Based on our current information exchange, is there any way you could put together a logical breakdown of how IP's are assigned to the router & the firewall?

How do I "take" public IPs from the range of IPs that's assigned to this network and assign it to specific hosts/servers?  I guess this will be covered in one of the ACL questions above.

Will you be around today to address all of the questions?

Thanks again for all your help!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16979994
>What is the VPN group password & how do I change it?
Right now I think it is literally *******

To change it:
PIX506(config)#vpngroup VPN3000 password MyNewPa$$w0rD

>What is the default username and password in order to configure the Pix using PDM?  
Username: pix
Password: <blank>
 Or
 Username: enable
 Password: cisco

Once you get into the GUI there is an easy way to setup local username/passwords and use them for HTTP authentication.

>Are we done with the Router?
I think so.

More to follow...


0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980036
 
>Username: pix
Password: <blank>
 Or
 Username: enable
 Password: cisco


PDM isn't taking either one of the logins

Tried pix, blank; enable, cisco; enable, blank; pixadmin, blank; blank, cisco

None of them work...
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980057
I'm using IE 6.0.29

Perhaps it's a browser issue?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980065
VPN password is set.  
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980066
Let's try this:

aaa authentication http console LOCAL
username taki1gostek password <yourpassword> privilege 15

Then use that username/password with the PDM
If that fails, you may need to update your Java SE on your laptop.
Try getting the latest J2SE 1.5 from
https://sdlc5a.sun.com/ECom/EComActionServlet;jsessionid=E953DB4ECEB3F3CAB8457F8565E9541F
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980072
It worked!  :)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980082
IP Address documentation:

Router C1841
WAN IP Serial 0/0/0 = 68.160.89.137 255.255.255.252
LAN IP Fast 0/0 = 140.155.64.17 255.255.255.240

PIX506:
Outside (WAN) IP = 140.155.64.18 255.255.255.240
Inside (LAN) eth1 IP = 192.168.109.1 255.255.255.0

>>Are we done with the Router?
I just looked at your posted config again and we're missing the default route. Very important!

C1841(config)#ip route 0.0.0.0 0.0.0.0 68.160.89.138
C1841(config)#ene
C1841#write mem
[OK]
C1841#
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980110
figured out from PDM that the username was enable_15
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980135
>figured out from PDM that the username was enable_15
D'OH!
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980174
How can we verify that both the router & firewall are configured right, that they're talking to one another etc... ?  Just worried about tomorrow...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980286
If you have a crossover cable between the 1841 and the PIX outside, and your laptop on the inside....
Can you ping the 1841's LAN IP?
That's about the best test you can perform in your "lab" unless you have another router with T1 module and T1 crossover  . . .
Didn't think so  . . .

If you put the 1841 Ethernet and the PIX outside on a switch/hub and your laptop on the same switch with your laptop IP add 140.155.64.18 mask 255.255.255.240, you should be able to test the VPN client and make sure it connects..



0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 2

Author Comment

by:taki1gostek
ID: 16980391
I am not getting any responses from any of the below IPs when I try pinging from my laptop:

Router C1841
WAN IP Serial 0/0/0 = 68.160.89.137 255.255.255.252
LAN IP Fast 0/0 = 140.155.64.17 255.255.255.240

PIX506:
Outside (WAN) IP = 140.155.64.18 255.255.255.240
Inside (LAN) eth1 IP = 192.168.109.1 255.255.255.0
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980400
From your laptop, post result of "C:\>route print"
From the PIX, post result of PIX506#show interface
From the 1841, post result of C1841#sho ip int brief
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980460
You will hate me but I'm staying at my Polish friend's house right now & he's using a Polish version of Windows XP on his desktop.

I guess I should tell you that I can ping the gateway (pix) just fine using 192.168.109.1.  All of the other IPs don't respond.

You should be able to decipher all of it though.

C:\>route print:

===========================================================================
Lista interfejs&#728;w
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 fc 9c 52 ba ...... Karta Realtek RTL8139 Family PCI Fast Ethernet NIC - Sterownik miniport Harmonogramu pakietów
===========================================================================
===========================================================================
Aktywne trasy:
Miejsce docelowe w sieci      Maska sieci      Brama      Interfejs      Metryka
          0.0.0.0          0.0.0.0    192.168.109.1  192.168.109.100        20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
    192.168.109.0    255.255.255.0  192.168.109.100  192.168.109.100        20
  192.168.109.100  255.255.255.255        127.0.0.1       127.0.0.1        20
  192.168.109.255  255.255.255.255  192.168.109.100  192.168.109.100        20
        224.0.0.0        240.0.0.0  192.168.109.100  192.168.109.100        20
  255.255.255.255  255.255.255.255  192.168.109.100  192.168.109.100        1
Domy&#152;lna brama:    192.168.109.1.
===========================================================================
Trasy trwa&#136;e:
  Brak

PIX506E:


Hardware is i82559 ethernet, address is 000f.f79f.ad24
  IP address 140.155.64.18, subnet mask 255.255.255.240
  MTU 1500 bytes, BW 100000 Kbit full duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1327 packets output, 79620 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/2) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000f.f79f.ad25
  IP address 192.168.109.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        80 packets input, 12742 bytes, 0 no buffer
        Received 65 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        12 packets output, 2079 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
 input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/1) software (0/1)

C1841#sho ip int brief
Interface                  IP-Address      OK? Method Status                Prot
ocol
FastEthernet0/0            141.55.64.17    YES NVRAM  up                    up

FastEthernet0/1            unassigned      YES NVRAM  administratively down down

Serial0/0/0                68.160.89.137   YES NVRAM  down                  down

C1841#
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980481
My fault, we need one more line in the PIX config:

PIX506(config)#access-group outside_in in interface outside

Now try the ping again...



0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980501
no good

tried pinging 140.155.64.17 and 68.160.89.137 with no success.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980512
No way you can ping 62.160.92.137 anyway since the interface is down.

How about result of 'show access-list' from the PIX console?

0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980517
perhaps we have an issue with IP address info?  WHen I had originally posted my question I had changed IP addresses around a little bit.  Then a couple of posts later I gave you the correct info:  


 
LAN      141.155.64.16/28 (16 IPs, 13 usable)
WAN     68.160.89.137 (Verizon side)
             68.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980523
PIX506(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list outside_in; 1 elements
access-list outside_in line 1 permit icmp any any (hitcnt=0)
access-list no_nat; 1 elements
access-list no_nat line 1 permit ip 192.168.109.0 255.255.255.0 192.168.122.0 25
5.255.255.0 (hitcnt=0)
access-list VPN_splitTunnelAcl; 1 elements
access-list VPN_splitTunnelAcl line 1 permit ip 192.168.109.0 255.255.255.0 192.
168.122.0 255.255.255.0 (hitcnt=0)
access-list Outside_dynamic; 1 elements
access-list Outside_dynamic line 1 permit ip 192.168.109.0 255.255.255.0 192.168
.122.0 255.255.255.0 (hitcnt=0)
PIX506(config)#
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980539
how would i remove the cisco cisco username & password from the 1841?  It seems cisco cisco is still working to enter the priviledged mode...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980552
Ahso!
The PIX appears to have the incorrect IP
 140.155.64.18 / 28

Change the IP on the PIX to match what is should be and to match the router Fast 0/0 which is correct - I think...

PIX506#config t
PIX506(config)#ip address outside 141.155.64.18 255.255.255.240
PIX506(config)#no route outside 0.0.0.0 0.0.0.0 140.155.64.17
PIX506(config)#route outside 0.0.0.0 0.0.0.0 141.155.64.17
PIX506(config)#exit
PIX506#write mem

Now you should be able to ping 141.155.64.17 both from the PIX console and from the PC



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980557
>how would i remove the cisco cisco username & password from the 1841?  

C1841(config)#no username cisco
C1841(config)#end
C1841#write mem
[OK]
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980560
You may notice the pattern..
Almost any command on either the router or the PIX can be removed by preceeding the same command with "no"
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980582
PIX506(config)# ip address outside 141.155.64.18 255.255.255.240
PIX506(config)# no route outside 0.0.0.0 0.0.0.0 140.155.64.17
PIX506(config)# route outside 0.0.0.0 141.155.64.17
Not enough arguments.

did I type something wrong?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980586
i am ain't i, just realized it missing a set of 0's... sorry
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980595
i'm getting responses but they're not complete it seems
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980599
TTL limit expired in transit.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980602
Getting responses from 130.81.9.90.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980611
>Getting responses from 130.81.9.90.

How? You're not giving me the complete picture, are you?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980614
Can i or should I run a show config command on both the router & pix so that you can verify it against the set of IP's i had just provided 3 posts ago?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980618
ok, should I be able to ping the IP 141.155.64.17  from the host I have been using?  i.e. 192.168.109.100 (the polish version of XP) or can i plug in an EN version of XP laptop and try doing the ping again so that I can paste the results?

I don't think you'll be able to decipher the message in Polish...
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980622


Badanie 141.155.64.17 z u&#318;yciem 32 bajt&#728;w danych:



Odpowied« z 130.81.9.90: Limit czasu wyga&#152;ni©cia (TTL) up&#136;yn&#260;&#136; podczas tranzytu.

Odpowied« z 130.81.9.90: Limit czasu wyga&#152;ni©cia (TTL) up&#136;yn&#260;&#136; podczas tranzytu.

Odpowied« z 130.81.9.90: Limit czasu wyga&#152;ni©cia (TTL) up&#136;yn&#260;&#136; podczas tranzytu.

Odpowied« z 130.81.9.90: Limit czasu wyga&#152;ni©cia (TTL) up&#136;yn&#260;&#136; podczas tranzytu.



Statystyka badania ping dla 141.155.64.17:

    Pakiety: Wys&#136;ane = 4, Odebrane = 4, Utracone = 0 (0% straty),

Szacunkowy czas b&#136;&#260;dzenia pakiet&#728;w w millisekundach:

    Minimum = 0 ms, Maksimum = 0 ms, Czas &#152;redni = 0 ms

0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980626
That was the Polish version of what I'm getting when I issue ping 141.155.64.17.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980628
I just noticed I'm getting the same message when I try pinging .18, .19, .20 as well....
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980636
It's getting late.  I don't have to go anywhere if you don't have to.  If you do though, perhaps we can make an exception & you'd call me?  I'll send you my current # via e-mail.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980671
>Odpowied« z 130.81.9.90: Limit czasu wyga
Something's odd because you should not be getting ttl expired from 130.81.9.90 . . .
You should be connected to the PIX and nothing else. Perhaps your laptop has a wireless connection, too?
I just don't see how you can possibly get a response from anything on any other network....

>Statystyka badania ping dla 141.155.64.17:
   Pakiety: Wys&#136;ane = 4, Odebrane = 4, Utracone = 0 (0% straty),
4 packets sent, 4 packets received, 0 packets lost = positive test in my book..

No, I don't speak fluent Polish, but the construct is the same no matter what language..

0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980676
Les are you around?  I need you dude.  

When I try pinging the router which I am assuming is 141.155.64.17 from the other workstation (192.168.109.101) I'm getting Request timed out. 100% packet loss.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980688
What is this "other workstation"' default gateway?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980691
This is one of your posts from yesterday.  I just noticed the "typo in my post".  Sorry.  Please tell me where I should modify these settings (I think they should be changed on the router)

I am guessing that both the router & the pix are configured with the same IP's.  i may be wrong.  

>LAN      141.155.64.16/28 (16 IPs, 13 usable)

>ip address 141.155.64.16 255.255.255.240
typo in my post:

   ip address 141.155.64.16 255.255.255.240
Should be:
   ip address 141.155.64.17 255.255.255.240

.16 is the network ID
.17 is the 1st useable IP
.17 is the default gatewy of the above PIX config

why .24 mask?
/28 = .240 mask
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980695
default gateway is the same on the laptop 192.168.109.1 as on the desktop computer
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980703
Please take a look at the configs for both router & firewall if you can.

LAN      141.155.64.16/28 (16 IPs, 13 usable)
WAN     68.160.89.137 (Verizon side)
             68.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  


ROUTER CONFIG:
Using 1334 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname C1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$LJWa$Fxcu/ZoJbT6Ei6.G9yLc81
enable password 7 070228085A060902021C5A
!
no aaa new-model
!
resource policy
!
clock timezone est -5
clock summer-time edt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name yourdomain.com
!
username cisco privilege 15 secret 5 $1$ZMSn$9/qJDaP00Ox8L8pvUknNs/
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 141.55.64.17 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.160.89.138
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input none
!
ntp server 128.59.16.20 prefer
end
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980707
Please take a look at the configs for both router & firewall if you can.

LAN      141.155.64.16/28 (16 IPs, 13 usable)
WAN     68.160.89.137 (Verizon side)
             68.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  


PIX CONFIG:

: Written by enable_15 at 19:37:50.004 EST Thu Dec 31 1992
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password K9GiZEzzMZhapmAG encrypted
passwd Ss0X3CJMVgJ1TMrm encrypted
hostname PIX506
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any
access-list no_nat permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.2
55.0
access-list VPN_splitTunnelAcl permit ip 192.168.109.0 255.255.255.0 192.168.122
.0 255.255.255.0
access-list Outside_dynamic permit ip 192.168.109.0 255.255.255.0 192.168.122.0
255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 141.155.64.18 255.255.255.240
ip address inside 192.168.109.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.123.200-192.168.123.254
pdm location 192.168.122.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 141.155.64.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
ntp server 192.5.41.41 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.109.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address Outside_dynamic
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup VPN3000 address-pool VPNPOOL
vpngroup VPN3000 split-tunnel VPN_splitTunnelAcl
vpngroup VPN3000 idle-time 1800
vpngroup VPN3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.109.100-192.168.109.254 inside
dhcpd dns 151.202.0.84 151.202.0.85
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username taki1gostek password ywjI7D/HbZsdqCg8 encrypted privilege 15
terminal width 80
Cryptochecksum:7c1420587cc828165edccba1088a17f6
PIX506(config)#
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980721
I see the disconnect...
>interface FastEthernet0/0
  ip address 141.55.64.17 255.255.255.240
 
Pix is
 IP address 140.155.64.18

What should it be?
141.155.64.x ?
140.155.64.x ?
141.55.64.x ?

Just make sure both the roter and pix are the same....
 
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980734
I'm sorry I can't understand your question...  What do you need me to do?  

Back to basics:

LAN      141.155.64.16/28 (16 IPs, 13 usable)
WAN     68.160.89.137 (Verizon side)
             68.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  

If I understand it correctly, the router should be assigned 141.155.64.17 and the pix 141.155.64.18?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980757
Les, I am honestly ready to do about anything to make sure this thing is up and running.  A lot of stuff is on the line for me if I can't get that office up tomorrow.  Can I at least get your yay or nay on whether I will be able to rely on you through the reminder of the evening to make sure that everything's configured right?

Please let me know.  I'm wondering whether I should start devising plan B, i.e. putting everything off until I have the equipment preconfigured and that it will work...
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980831
I am in Cisco PIX Device Manager 3.0 right now and i'm viewing Configuration/Hosts/Network Tab and I can see that the Outside interface says the following:

outside:any
141.155.64.16
    outside 141.155.64.18
192.168.122.0
vpnpool 192.168.123.192

is the 141.155.64.16 setting correct?

Please repond Les.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980926
I finally figured it out!

Things didn't work because the router was misconfigured with 141.55.64.17 as its IP address (it's supposed to be 155 not 55)!

How else can I verify that everything's running fine?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16980957
I will get in touch with you tomorrow if something fails to work.  
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16983023
Good luck!
I lost my cable internet for about 8 hours last night. Big wreck down the street knocked down a telephone pole.
I'll keep watching my email..
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16984456
Up and running.  Total Plug & Play!!!!

Thanks!

I will be doing VPN testing right now and will try to figure out what ACL's I'll have to create.

Thanks THANK YOU THANK YOU THANK YOU!!!!

I will follow up with an update and/or question once I have any.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16984477
That's really good news!
Email me the password you set for the VPN3000 group and I can help test..

0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16984863
I have not been able to connect using the CISCO VPN client.  I had went into PDM and created a new PPTP (windows) VPN profile, created a local user name and was able to get in fine.  

What IP & username should I be using with the VPN client?  I would prefer to use that instead of windows' PPTP.  Are the VPN client default settings fine?

Once a user is connected to the network, what can they do being that they're in the VPNPOOL of IP addresses that are different from their office workstations?  What's the recommended way for them to connect to their workstations?  RDP?  

Will they be able to RDP into their workstation if they're on a different, VPNPOOL subnet?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16984870
sent you an e-mail
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16985005
>What IP & username should I be using with the VPN client?
outside IP of the PIX
Username (group name) = VPN3000
Password =
   vpngroup VPN3000 password ******** <== whatever you put here...

This username with the PW you sent does not work:
My client gets this error:
Hash verification failed... may be configured with invalid group password.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16985257
I have to download a hyper terminal client on the win2k3 machine.  I will let you know as soon as i've assigned a pass.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16985615
I changed the password (sent to you in e-mail)

Now i'm getting somewhere but still not there yet

Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      09:37:38.046  06/26/06  Sev=Warning/3      IKE/0xA3000029
No keys are available to decrypt the received ISAKMP payload
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16985643
Any ideas?  I can't leave here until VPN is configured right....   are you around?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16985706
Add me as a username - lrmoore - and give me a password. I can access the GUI from here and help you out.
Email me the password.
I can get your emails but cannot respond to them from where I am..

Have faith, we'll get you going.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16985848
E-Mail Sent.  PDM in with the username & password I had set for you.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16985995
Works for me. Prompts for username/password.
Using local username/pw data
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16985999
Gotta run to meeting...
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16986018
What user name and password should users be entering when it prompts for the user name and password?  It just worked for me too...  

Can users RDP into their workstations after they connect via VPN?  Please let me know as soon as you can.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16986050
Whatever username/pass you enter for them just like you did yours and mine.
Yes, users can certainly RDp to their desktops..
 
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16986285
But what usernames and passwords should users use?  Do they have to enter one into the second prompt, i.e. VPN3000 & password and then RDP?  

Should I have to create user names and passwords for all users that want to VPN into the network or will VPN3000 username take care of that?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16986314
I have a Linux box that I have to set up on the PIX.

Public IP 141.155.64.19
Private IP 192.168.109.200
Enable Ports 22 & 8657 UDP & TCP for both, inside and outside.
Deny all other ports.

Any pointers on setting up the ACL?  I will be able to take this example and take care of any future servers, i.e. exchange, etc.. that they'll add to the network.

You are my god.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16986330
When I VPN into the network, how come I can't ping the gateway 192.168.109.1?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16986832
>Should I have to create user names
You have 2 easy options.
1) go ahead and create the username/passwords
2) remove this line from the PIX config:
   crypto map outside_map client authentication LOCAL
That will stop the 2nd prompt for username pass and just needs the VPN3000 password.

>When I VPN into the network, how come I can't ping the gateway 192.168.109.1
Because that is the way the pix is designed. You might be able to ping it if you go into Configuration | Administration | Management Access and select the Inside as a management access interface..


 
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16986862
>Public IP 141.155.64.19
Private IP 192.168.109.200
Enable Ports 22 & 8657 UDP & TCP for both, inside and outside.
Deny all other ports.

static (inside,outside) 141.155.64.19 192.168.109.200 netmask 255.255.255.255
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 141.155.64.19 eq 22
access-list outside_in permit udp any host 141.155.64.19 eq 22
access-list outside_in permit tcp any host 141.155.64.19 eq 8657
access-list outside_in permit ucp any host 141.155.64.19 eq 8657
access-list outside_in in interface outside

Notice that I added the permit icmp so this new acl replaces your acl "icmp" that was in there for test purposes only.
You will build off of this outside_in acl for any other hosts/services that you want to add.
There is no requirement to deny all else because it only permits what you specify and nothing else.

you want to be very careful on what you block from inside going out. Suggest not blocking anything to start with.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16986901
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16986934
think you'll be able to log in via PDM to see what's wrong with the set of CLI commands?  i'm getting an error when I do access-list outside_in in interface outside

0
 
LVL 2

Author Comment

by:taki1gostek
ID: 16986959
I'm leaving now, we'll be able to take care of anything else when I get back to Mass.

Thanks for your help.  I'll shoot you an e-mail when I get back around 8-9PM if traffic's ok.

In the meantime can you see what the problem was with the ACL?

Thanks
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16986970
access-group outside_in in interface outside

It's already there.... That was my bad...
"access-group" to apply to the interface
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16986977
If I try to SSH to that IP address, I get prompted for a username....

Good job!
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

This solves the problem of diagnosing why an internet connection is no longer working. It also helps identify the likely cause of the lost connection if the procedure fails to re-establish your internet connection. It helps to pinpoint the likely co…
Cable Modem Provisioning from DPoE compliant server  This Article is to support CMTS administrators to provide an overview of DOCSIS compliance configuration file, and to provision a cable modem located at customer place from a Back office serve…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now