Asked by taki1gostek
Need CISCO Guru to help configure new network from scratch! (step-by-step, idiot-proof)


CALLING ALL LIFE SAVERS! :)

Please prove to me that a higher power exists & help save my butt!  I thought I could walk on water but CISCO.... ouch drowning here!

I have been tasked with setting up a completely new network at a new office space with equipment I have never touched in my life!  I am hoping that I can get some guidance on setting this up correctly from you guys.  This is worth 5000 points but unfortunately I can only grant 500 to whomever can help and/or point me in the right direction.  I'm a fairly good systems admin but no experience with CISCO stuff :(

O.k., so here's the setup.

Small office - about 20 users.

1 Verizon T-1 Line coming in with the following (made up) IP info:
LAN      140.155.64.16/28 (16 IPs, 13 usable)
WAN     65.160.89.137 (Verizon side)
             66.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  

Will be connected to ADTRAN 1200295L1 TSU ACE T1 FT1 DSU/CSU NX56 OR NX64 1.536 MBPS D4(SF) OR ESF (1200295L1).  This is an external CSU/DSU unit.

I will have to try to figure out how to configure this CSU/DSU unit as I have never configured one in my life.  

I also have a CISCO 871 router and a CISCO PIX 506E firewall.  This is where I am completely confused.  Should the CSU/DSU be plugged into the router and then into the PIX firewall?  Or should it be the other way around?  

I need someone to clear this up for me.  I have no clue how to go about setting any of these devices up.  

The general idea for the setup is for the PIX (or the router) to be plugged into a network switch.  I need either the router or the pix to have DHCP enabled for a set of 5 IPs, 10.0.0.1 thru 10.0.0.5.  

The LAN will be set up with the 10.0.0.x subnet.  A standalone DHCP server with an IP of 10.0.0.10 will assign IPs to all local workstations.

I will have to allow 10 clients to establish VPN connectivity to the network.  I have to be able to control UDP & TCP ports through ACL's on the PIX (but clueless as to how it's done).  

I am thinking that since the CISCO 871 router does not act as a CSU/DSU, should it be disconnected and returned to the vendor altogether?  What is the purpose of having a CISCO 871 and a PIX 506E firewall running together in a small business?  Advantages/disadvantages?  

As you can see I am completely lost and in need of clear step by step instructions on running the IOS on both of the devices with commands (or is there a GUI that'll allow me to configure all of this?) or an immediate CISCO fundamentals boot camp because I'm due to set this whole thing up on Monday which is coming up in 4 days.  I am really hoping for a more realistic option #1.  I may also be able to pay a couple of hundred bucks to anyone who will be able to virtually walk me through setting everything up.  I promise to provide clear answers to all of your questions.  
ASKER CERTIFIED SOLUTION
Les Moore
This solution is only available to members.
Hello??
taki1gostek (ASKER)

I'm sorry for my delay in responding.  Had a bad car accident, car totalled, wife pregnant but the baby's o.k. :)

I took your advice to heart and got an 1841 w/DSU/CSU WIC card router.

Having trouble right now getting the PIX 506E firewall to turn on DHCP so that I can use the PDM web-based utility to configure it...  Going to go out and get a book on Pix for dummies or something.  The project's on Monday, it's Saturday and I have a 4 hour drive to NYC.  

Please call me (212) 945-8461 if you think you'll be able to help walk me through a couple of things on the PIX and the Router.

Thanks again!

I will be waiting for your quick response and/or call.

My apologies again for not responding sooner.
lrmoore,

I can't get the DHCP to turn on on the PIX 506E!  Please help.  I would like to use the PDM to configure it.

Here's the info I have:
pixfirewall(config)# show ip
System IP Addresses:
        no ip address outside
        ip address inside 192.168.1.1 255.255.255.0
Current IP Addresses:
        no ip address outside
        ip address inside 192.168.1.1 255.255.255.0

pixfirewall(config)# show dhcpd
dhcpd address 192.168.1.2-192.168.1.5 inside
dhcpd dns 192.168.1.1 192.168.1.6
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd enable inside
pixfirewall(config)#

what's wrong with this config?  

In other words the way I'm looking at it is if I connect ethernet 1 on the pix directly to my PC, the PC should obtain a DHCP IP address from the pool 192.168.1.2-192.168.1.5, should receive DNS info 192.168.1.1 192.168.1.6.  When I plug into my PC though I'm getting the message that the cable is unplugged.

I am hoping that once my PC receives an IP from the firewall (by temporarily turning on DHCP on it), I could theoretically go to IE, type in 192.168.1.1 (the inside [ethernet 1] address) to access PDM and its wizards.  Am I correct?

Perhaps I should be using a cross-over wire instead of a straight-through CAT5?
Bad news/good news, eh?
Car accident - bad!
Wife and baby OK - good!

Did you read the quick-start guide for the PIX? Link is in my original post. It is quite detailed and should help you out.

We need to keep everything in this forum  that we can. Just post here with specific questions and I'll give you detailed information as I can.
I can probably give you some good cut/paste configs with some detail.
Are you familiar with pasting configs into Cisco product? Same procedure with router and PIX:
Select/copy the text
In HyperTerminal (to console port via serial):
Router>enable
Username:cisco <== defaults on the 1841
Password:cisco
Router#config term
Router(config)# <right-click, Paste to Host>
Watch the magic.

Pixfirewall>enable
Password: <enter>  <== no password by default
Pixfirewall#config term
Pixfirewall(config)# <right-click, Paste to Host>

Done.

I'll post a basic 1841 config here in a few and follow with a PIX config.

I'll be in-out throughout the weekend, but will keep checking back.


Cisco 1841 router config. We can change the enable password later..
\\-- begin  [copy everything between this line and \\-- end]

!
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname C1841
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
!
ip cef
!
!
enable secret cisco
!
!
!
!
interface FastEthernet0/0
 ip address 140.155.64.16 255.255.255.240
 no shut
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 65.160.89.138 255.255.255.252
!
ip classless
!
!
ip route 0.0.0.0 0.0.0.0 65.160.89.137
!
ntp server 128.59.16.20 prefer
!
no banner login
!
end
!
write mem


\\-- end  - (make sure you copy the carriage returns at the end below write mem)

The config changes are immediate and the "write mem" at the end saves the config
After you pop this config in, we need to change the password:
C1841>enable
Password:cisco
C1841#config t
C1841(config)#enable secret <newpassword> <== put your own good password in here
C1841(config)#end
C1841#write mem
[OK]

Isn't this easy?

C1841
>Perhaps I should be using a cross-over wire instead of a straight-through CAT5?
Direct from PC to PIX? Yes, crossover cable
Suggest you use a switch/hub in between with straight cables.


>   ip address inside 192.168.1.1 255.255.255.0
Are you sure you want to use this default IP addressing scheme? I HIGHLY recommend NOT using it due to the fact that you want to enable remote VPN users. Far too many home/remote users have the exact same LAN ip subnet and you will have no end to "issues" with users if you don't decide right up front to use something else.
Suggest something like 192.168.109.0 / 255.255.255.0 for the internal LAN

Let's do it.  I just wanted to temporarily assign that subnet.

Now, if I imagine this correctly, the proper setup is

Internet-->CSU/DSU (Router)--> Pix --> Switch
correct?

I only have one console cable and it's currently plugged into the Firewall.  Let's configure the PIX first.  I guess I won't have to use PDM if I can get your help.

I will first need to clear all settings back to factory defaults.

Do i do this by typing configure factory-default command?
Should I turn the PIX off and plug the router in for the meantime?  You tell me.
That's what I'll do, I will configure the router first according to your instructions.
>The LAN will be set up with the 10.0.0.x subnet
Sorry, just re-read the original post...
Same goes with this subnet. It's just as bad a choice as 192.168.1.0
I guess I should give you correct IP info now:

LAN      141.155.64.16/28 (16 IPs, 13 usable)
WAN     68.160.89.137 (Verizon side)
             68.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  

This will change some of the copy & paste text.  For example, the line interface FastEthernet0/0
 ip address 141.155.64.16 255.255.255.240, why is .240 the subnet mask?  


Looks like we're cross-posting...
Yes - setup =
Internet T1 --RJ45--> CSU/DSU WIC (1841)
    1841 Ethernet0/0 (top one, I think) --Xover cat5--> PIX Eth0 (outside)
        PIX Eth1 (inside) --> switch

Clear the PIX config:
pixfirewall(config)#write erase
Confirm yes,
reboot the pix.

\\-- BASE config begin

interface ethernet0 auto
interface ethernet1 auto
enable password cisco
passwd cisco
hostname PIX506
clock timezone EST -5
clock summer-time EDT recurring

logging on
logging timestamp
logging buffered informational

ip address outside 140.155.64.18 255.255.255.240

ip address inside 192.168.109.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 140.155.64.17

dhcpd address 192.168.109.100-192.168.109.254 inside
dhcpd dns 151.202.0.84 151.202.0.85  
dhcpd enable inside
global (outside) 10 interface
nat (inside) 10 0 0 0
ip local pool VPNPOOL 192.168.123.200-192.168.123.254

access-list outside_in permit icmp any any

ntp server 192.5.41.41 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.109.0 255.255.255.0 inside

sysopt connect permit-ipsec

isakmp identity address
isakmp nat-traversal 20

\\-- END

We'll finish up the VPN config later...
>LAN      141.155.64.16/28 (16 IPs, 13 usable)

>ip address 141.155.64.16 255.255.255.240
typo in my post:

   ip address 141.155.64.16 255.255.255.240
Should be:
   ip address 141.155.64.17 255.255.255.240

.16 is the network ID
.17 is the 1st useable IP
.17 is the default gateway of the above PIX config

why .240 mask?
/28 = .240 mask
Yes we are and it's my fault.  I should have stayed with your posts & plugged the router in, in the first place.  Let's do the router first as you had originally requested.

I was able to successfully cut & paste into host the following (with some IP address changes, as per my last post):

\\-- begin  [copy everything between this line and \\-- end]
!
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname C1841
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
!
ip cef
!
!
enable secret cisco
!
!
!
!
interface FastEthernet0/0
 ip address 141.155.64.16 255.255.255.240
 no shut
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
!
ip classless
!
!
ip route 0.0.0.0 0.0.0.0 68.160.89.137
!
ntp server 128.59.16.20 prefer
!
no banner login
!
end
!
write mem


\\-- end  - (make sure you copy the carriage returns at the end below write mem)

I also assigned a password to the router.  What do we do next on the router?  I think we should verify that all changes took & all looks good.
C1841#show config
To verify....
Per my last post, I think we may have an issue with the IP address on the FastEthernet0/0 interface
I THINK I GOT THE CONFIG INFO RIGHT THIS TIME:


Using 1264 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname C1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Ozo3$vigftzP1mi0vaRwXgYz/Y1
!
no aaa new-model
!
resource policy
!
clock timezone est -5
clock summer-time edt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name yourdomain.com
!
username cisco privilege 15 secret 5 $1$ZMSn$9/qJDaP00Ox8L8pvUknNs/
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 10.10.10.1 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
 shutdown
!
ip classless
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
ntp server 128.59.16.20 prefer
end

C1841#
I had to select, copy & paste each page separately because of the <more> command.

Kinda hard to read, but just as I suspected:

interface FastEthernet0/0                        
 shutdown

C1841#config t
C1841(config)#interface fast 0/0
C1841(config-if)#ip address 141.155.64.17 255.255.255.240
C1841(config-if)#no shut
C1841(config-if)#end
C1841#write mem
[OK]
C1841#


\\\ BEGIN PIX VPN config

access-list no_nat permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list VPN_splitTunnelAcl permit 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list Outside_dynamic permit 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0

nat (inside) 0 access-list no_nat

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3ds esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 match address Outside_dynamic
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

vpngroup VPN3000 address-pool VPNPOOL
vpngroup VPN3000 split-tunnel VPN_splitTunnelAcl
vpngroup VPN3000 password ********

\\\ END VPN config
>interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
 shutdown

We need to get rid of the shutdown on this one, too...

C1841#config t
C1841(config)#interface serial 0/0/0
C1841(config-if)#no shut
C1841(config-if)#end
C1841#write mem
[OK]
C1841#
So is the router now properly configured?  In other words, do I turn it off and just plug it in to the CSU/DSU and it'll work?
done
Let's see the whole config one more time...

With your blessing, I can edit out the garbage post above...
Any way you can give me a little bit of a background on how VPN connectivity will work?  I.E. will I need to get the client to purchase VPN clients or will they be able to VPN directly from Windows using what I think is PPP authentication?
The PIX comes with a CD with the VPN client software. Easy install.
Else you can use the Microsoft PPTP client (not recommended)
The PIX will terminate either one, but the config I posted was for the Cisco client.
Please, edit it out.  Thanks.

Using 1256 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname C1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Ozo3$vigftzP1mi0vaRwXgYz/Y1
!
no aaa new-model
!
resource policy
!
clock timezone est -5
clock summer-time edt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name yourdomain.com
!
username cisco privilege 15 secret 5 $1$ZMSn$9/qJDaP00Ox8L8pvUknNs/
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 141.55.64.17 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
!
ip classless
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
ntp server 128.59.16.20 prefer
end

C1841#
Unfortunately the PIX had come in OEM, used or refurbished without any additional software.  We'll just use MS's PPTP to authenticate.
Router config looks good!
It "should" be plug and play on Monday!
Some tips to troubleshoot if it does not come up right away:

C1841#show ip interface brief
Look for status up | up
C1841#show interface serial0/0/0
Look for status Line UP | Protocol UP
Look for error counters

If Line is DOWN, then the ISP/Telco has not enabled the T1 and you must call their engineers to enable it.
Post results of those two commands here if you need a 3rd eye..
>Unfortunately the PIX had come in OEM, used or refurbished without any addtl software
YUK!
Email me (look in my profile) and I'll see if I can get you a copy.
Too many problems using MS PPTP . . .
Great!  Thanks!

I'm posting the show config command for the pix now:

: Written by enable_15 at 19:00:54.370 EST Thu Dec 31 1992
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX506
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any
pager lines 24
logging on
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 140.155.64.18 255.255.255.240
ip address inside 192.168.109.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.123.200-192.168.123.254
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 140.155.64.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.41 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.109.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
isakmp identity address
isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.109.100-192.168.109.254 inside
dhcpd dns 151.202.0.84 151.202.0.85
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:83a6ce7c605a01eba068ba2a220345b0
THIS IS THE FIREWALL CONFIG AFTER I HAD APPLIED YOUR VPN SETTINGS INSTRUCTIONS.

: Written by enable_15 at 19:05:23.064 EST Thu Dec 31 1992
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX506
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any
access-list no_nat permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 140.155.64.18 255.255.255.240
ip address inside 192.168.109.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.123.200-192.168.123.254
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 140.155.64.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.41 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.109.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup VPN3000 address-pool VPNPOOL
vpngroup VPN3000 idle-time 1800
vpngroup VPN3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.109.100-192.168.109.254 inside
dhcpd dns 151.202.0.84 151.202.0.85
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:1177ae9c17787007a7db65ad592841e2
PIX506(config)#

How will the clients access VPN?  What username & password will they be using and how can that be assigned?

I will also need a secure way to remotely connect to and administer both the PIX and the router.  Any instructions on setting that up?

I swear I will learn CISCO.
>PIX Version 6.3(3)
YUK... buggy version....
Upgrade to 6.3(5) soonest

I know it may not have been the best idea to share my phone # on the post but if you could, please give me a buzz.  I have to get going.  I will pack up the 506E & 1841 and take it with me to NYC where I will continue the battle tonight and tomorrow so that it is truly ready & plug-n-play when I arrive at my client's site.

I'd like to thank you for what we've already (actually you) have accomplished and I have a summary of questions I'd like you to put together answers to if you can:

1. Passwords.  I would like to assign strong passwords to both the Router and the Firewall.  Please provide instructions.
2. I may end up having to eventually turn off DHCP services on the PIX because DHCP requests will very likely be processed by a Win2K3 server.
3. How do I work with or create Access Control Lists?  I will have 1 Unix box & a couple of Windows Servers that require specific ports to be forwarded to them.  I guess I'm asking how I'll have to go about configuring NAT so that Outside IP/Port is sent to an Internal IP & Port.
4. VPN.  I had sent you an e-mail from my address as you had requested.  What authentication type will the VPN clients use?  How do I create VPN users & their passwords?  Will users have the option to change their VPN passwords or will that require me to change settings on the firewall?
5. Are we done with the Router?  I.E. once this configuration is set will there be any circumstances short of changing the ISP that will require anyone to administer the Router?  What are the IP addresses that were assigned to the router & to the firewall?
6. How can I remotely administer the router & the pix?  Telnet, Secure telnet?  I will need a way to securely connect & configure the firewall.

I think that's about it.  I just got your e-mail.  Will follow instructions & post here before I leave.

Thanks again!
We're missing a few lines in the PIX config. - my fault....

copy paste the following:

access-list VPN_splitTunnelAcl permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list Outside_dynamic permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 match address Outside_dynamic
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

vpngroup VPN3000 split-tunnel VPN_splitTunnelAcl
Took care of it.

What am I doing wrong?  I guess I should be plugged into the pix firewall?  I'm plugged into a different network on my PC and console cable to the firewall.  Nothing else is connected.

I can hook the firewall up to a switch and hook my computer to Ethernet1 port.  Should I?

I guess i should be on the same subnet as the firewall in order for the TFTP client to work.

Then again, where should I download the two files?  I have them on my root drive C:


PIX506(config)# copy tftp://72.248.110.16/pix635.bin flash:
copying tftp://72.248.110.16/pix635.bin to flash:image
tftp: Timed out attempting to connect
Image not installed
PIX506(config)#
I really have to run now.  If I leave now maybe i'll make it to NYC by 9PM, heard that there's lots of traffic because of the rain.

I will answer anything and everything as soon as I am in front of a PC in NYC.

Thanks again for all of your help!  I hope you'll be around tonight and tomorrow.

-taki
>I guess i should be on the same subnet as the firewall in order for the TFTP client to work.
Yep...

Then again, where should I download the two files?  I have them on my root drive C:
That's OK as long as you set Pumpkin's filesystem root directory to C:\

I'm in NYC.  I got here a little bit after 10PM because it was pouring down all the way from mass through RI, CT and NY.  It was too late to hook up at my friend's and continue the battle.  Please let me know whether you're around today.  I was able to flash the pix & pdm with no problems!

I can't seem to be able to access PDM via 192.168.109.1 (the pix=gateway IP).

Where would I have to go to enable PDM?

I don't have a T-1 line to work with to test VPN connectivity and so any instructions on what needs to be done once the VPN client is installed along with answers to the questions I had previously asked will definitely be helpful.

The PIX firewall seems to be running very HOT even though it's not really processing anything...  The chassis is very warm.  Think it could be a dead fan or could there be a different issue with that?

I will be checking my mail every 2-5 minutes to see if you're around.

Again, thanks a bunch for all of your assistance!  I'd like to pay you if you can accept a payment through pay pal for your time.
Glad you made it. I'm in and out. Just getting ready to do some grocery shopping and I'll be back in a couple of hours.

To access the pdm, be sure to use https://192.168.109.1  note the "s" in https

http server enable  <== enabled!
http 192.168.109.0 255.255.255.0 inside  <== as long as your PC has an IP in this range you should be good

>PIX firewall seems to be running very HOT
These puppies do tend to run pretty warm. Keep an eye on it..

Here's the user guide for the VPN client.
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/ugwin/index.htm

The down and dirty:
Install the client
Create New entry
Connection Entry: Text string whatever you want
Description: Optional text string
Host: 140.155.64.18  ( IP address of PIX outside)
* Group Authentication
Name:  VPN3000
Password: < match = vpngroup VPN3000 password ********>
Confirm Password:
   [Save]
Select entry and click Connect.
Done!

How about posting a new question for each of your questions 1 through 6 above?
All I get here is points and the max for 1 Q is 500. By posting multiple questions, I can earn more points.
Post a link to the new Q's here...
Will do.  What is the VPN group password & how do I change it?

What is the default username and password in order to configure the Pix using PDM?  

https://192.168.109.1
username: pixadmin (?)
password: ???

Tried cisco, admin, root, etc... Nothing has worked so far.  How can that password be changed or set in IOS?
5. Are we done with the Router?  I.E. once this configuration is set will there be any circumstances short of changing the ISP that will require anyone to administer the Router?  What are the IP addresses that were assigned to the router & to the firewall?

Based on our current information exchange, is there any way you could put together a logical breakdown of how IP's are assigned to the router & the firewall?

How do I "take" public IPs from the range of IPs that's assigned to this network and assign it to specific hosts/servers?  I guess this will be covered in one of the ACL questions above.

Will you be around today to address all of the questions?

Thanks again for all your help!
>What is the VPN group password & how do I change it?
Right now I think it is literally *******

To change it:
PIX506(config)#vpngroup VPN3000 password MyNewPa$$w0rD

>What is the default username and password in order to configure the Pix using PDM?  
Username: pix
Password: <blank>
 Or
 Username: enable
 Password: cisco

Once you get into the GUI there is an easy way to setup local username/passwords and use them for HTTP authentication.

>Are we done with the Router?
I think so.

More to follow...


 
>Username: pix
Password: <blank>
 Or
 Username: enable
 Password: cisco


PDM isn't taking either one of the logins

Tried pix, blank; enable, cisco; enable, blank; pixadmin, blank; blank, cisco

None of them work...
I'm using IE 6.0.29

Perhaps it's a browser issue?
VPN password is set.  
Let's try this:

aaa authentication http console LOCAL
username taki1gostek password <yourpassword> privilege 15

Then use that username/password with the PDM
If that fails, you may need to update your Java SE on your laptop.
Try getting the latest J2SE 1.5 from
https://sdlc5a.sun.com/ECom/EComActionServlet;jsessionid=E953DB4ECEB3F3CAB8457F8565E9541F
It worked!  :)
IP Address documentation:

Router C1841
WAN IP Serial 0/0/0 = 68.160.89.137 255.255.255.252
LAN IP Fast 0/0 = 140.155.64.17 255.255.255.240

PIX506:
Outside (WAN) IP = 140.155.64.18 255.255.255.240
Inside (LAN) eth1 IP = 192.168.109.1 255.255.255.0

>>Are we done with the Router?
I just looked at your posted config again and we're missing the default route. Very important!

C1841(config)#ip route 0.0.0.0 0.0.0.0 68.160.89.138
C1841(config)#end
C1841#write mem
[OK]
C1841#
figured out from PDM that the username was enable_15
>figured out from PDM that the username was enable_15
D'OH!
How can we verify that both the router & firewall are configured right, that they're talking to one another etc... ?  Just worried about tomorrow...
If you have a crossover cable between the 1841 and the PIX outside, and your laptop on the inside....
Can you ping the 1841's LAN IP?
That's about the best test you can perform in your "lab" unless you have another router with T1 module and T1 crossover  . . .
Didn't think so  . . .

If you put the 1841 Ethernet and the PIX outside on a switch/hub and your laptop on the same switch with your laptop IP add 140.155.64.18 mask 255.255.255.240, you should be able to test the VPN client and make sure it connects..



I am not getting any responses from any of the below IPs when I try pinging from my laptop:

Router C1841
WAN IP Serial 0/0/0 = 68.160.89.137 255.255.255.252
LAN IP Fast 0/0 = 140.155.64.17 255.255.255.240

PIX506:
Outside (WAN) IP = 140.155.64.18 255.255.255.240
Inside (LAN) eth1 IP = 192.168.109.1 255.255.255.0
From your laptop, post result of "C:\>route print"
From the PIX, post result of PIX506#show interface
From the 1841, post result of C1841#sho ip int brief
You will hate me but I'm staying at my Polish friend's house right now & he's using a Polish version of Windows XP on his desktop.

I guess I should tell you that I can ping the gateway (pix) just fine using 192.168.109.1.  All of the other IPs don't respond.

You should be able to decipher all of it though.

C:\>route print:

===========================================================================
Lista interfejsów
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 fc 9c 52 ba ...... Karta Realtek RTL8139 Family PCI Fast Ethernet NIC - Sterownik miniport Harmonogramu pakietów
===========================================================================
===========================================================================
Aktywne trasy:
Miejsce docelowe w sieci      Maska sieci      Brama      Interfejs      Metryka
          0.0.0.0          0.0.0.0    192.168.109.1  192.168.109.100        20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
    192.168.109.0    255.255.255.0  192.168.109.100  192.168.109.100        20
  192.168.109.100  255.255.255.255        127.0.0.1       127.0.0.1        20
  192.168.109.255  255.255.255.255  192.168.109.100  192.168.109.100        20
        224.0.0.0        240.0.0.0  192.168.109.100  192.168.109.100        20
  255.255.255.255  255.255.255.255  192.168.109.100  192.168.109.100        1
Domyślna brama:    192.168.109.1.
===========================================================================
Trasy trwałe:
  Brak

PIX506E:


Hardware is i82559 ethernet, address is 000f.f79f.ad24
  IP address 140.155.64.18, subnet mask 255.255.255.240
  MTU 1500 bytes, BW 100000 Kbit full duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1327 packets output, 79620 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/2) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000f.f79f.ad25
  IP address 192.168.109.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        80 packets input, 12742 bytes, 0 no buffer
        Received 65 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        12 packets output, 2079 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
 input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/1) software (0/1)

C1841#sho ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            141.55.64.17    YES NVRAM  up                    up

FastEthernet0/1            unassigned      YES NVRAM  administratively down down

Serial0/0/0                68.160.89.137   YES NVRAM  down                  down

C1841#
My fault, we need one more line in the PIX config:

PIX506(config)#access-group outside_in in interface outside

Now try the ping again...



no good

tried pinging 140.155.64.17 and 68.160.89.137 with no success.
No way you can ping 62.160.92.137 anyway since the interface is down.

How about result of 'show access-list' from the PIX console?

Perhaps we have an issue with IP address info?  When I had originally posted my question I had changed IP addresses around a little bit.  Then a couple of posts later I gave you the correct info:  


 
LAN      141.155.64.16/28 (16 IPs, 13 usable)
WAN     68.160.89.137 (Verizon side)
             68.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  
PIX506(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list outside_in; 1 elements
access-list outside_in line 1 permit icmp any any (hitcnt=0)
access-list no_nat; 1 elements
access-list no_nat line 1 permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0 (hitcnt=0)
access-list VPN_splitTunnelAcl; 1 elements
access-list VPN_splitTunnelAcl line 1 permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0 (hitcnt=0)
access-list Outside_dynamic; 1 elements
access-list Outside_dynamic line 1 permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0 (hitcnt=0)
PIX506(config)#
How would I remove the cisco cisco username & password from the 1841?  It seems cisco cisco is still working to enter the privileged mode...
Ahso!
The PIX appears to have the incorrect IP
 140.155.64.18 / 28

Change the IP on the PIX to match what it should be and to match the router Fast 0/0 which is correct - I think...

PIX506#config t
PIX506(config)#ip address outside 141.155.64.18 255.255.255.240
PIX506(config)#no route outside 0.0.0.0 0.0.0.0 140.155.64.17
PIX506(config)#route outside 0.0.0.0 0.0.0.0 141.155.64.17
PIX506(config)#exit
PIX506#write mem

Now you should be able to ping 141.155.64.17 both from the PIX console and from the PC



>How would I remove the cisco cisco username & password from the 1841?  

C1841(config)#no username cisco
C1841(config)#end
C1841#write mem
[OK]
You may notice the pattern..
Almost any command on either the router or the PIX can be removed by preceding the same command with "no"
PIX506(config)# ip address outside 141.155.64.18 255.255.255.240
PIX506(config)# no route outside 0.0.0.0 0.0.0.0 140.155.64.17
PIX506(config)# route outside 0.0.0.0 141.155.64.17
Not enough arguments.

did I type something wrong?
I am, ain't I? Just realized it's missing a set of 0's... sorry
I'm getting responses but they're not complete it seems
TTL limit expired in transit.
Getting responses from 130.81.9.90.
>Getting responses from 130.81.9.90.

How? You're not giving me the complete picture, are you?
Can I or should I run a show config command on both the router & PIX so that you can verify it against the set of IPs I had just provided 3 posts ago?
OK, should I be able to ping the IP 141.155.64.17 from the host I have been using? i.e. 192.168.109.100 (the Polish version of XP), or can I plug in an EN version of XP laptop and try doing the ping again so that I can paste the results?

I don't think you'll be able to decipher the message in Polish...


Badanie 141.155.64.17 z użyciem 32 bajtów danych:

Odpowiedź z 130.81.9.90: Limit czasu wygaśnięcia (TTL) upłynął podczas tranzytu.
Odpowiedź z 130.81.9.90: Limit czasu wygaśnięcia (TTL) upłynął podczas tranzytu.
Odpowiedź z 130.81.9.90: Limit czasu wygaśnięcia (TTL) upłynął podczas tranzytu.
Odpowiedź z 130.81.9.90: Limit czasu wygaśnięcia (TTL) upłynął podczas tranzytu.

Statystyka badania ping dla 141.155.64.17:
    Pakiety: Wysłane = 4, Odebrane = 4, Utracone = 0 (0% straty),
Szacunkowy czas błądzenia pakietów w millisekundach:
    Minimum = 0 ms, Maksimum = 0 ms, Czas średni = 0 ms

That was the Polish version of what I'm getting when I issue ping 141.155.64.17.
I just noticed I'm getting the same message when I try pinging .18, .19, .20 as well....
It's getting late.  I don't have to go anywhere if you don't have to.  If you do though, perhaps we can make an exception & you'd call me?  I'll send you my current # via e-mail.
>Odpowiedź z 130.81.9.90: Limit czasu wyga
Something's odd because you should not be getting ttl expired from 130.81.9.90 . . .
You should be connected to the PIX and nothing else. Perhaps your laptop has a wireless connection, too?
I just don't see how you can possibly get a response from anything on any other network....

>Statystyka badania ping dla 141.155.64.17:
   Pakiety: Wysłane = 4, Odebrane = 4, Utracone = 0 (0% straty),
4 packets sent, 4 packets received, 0 packets lost = positive test in my book..

No, I don't speak fluent Polish, but the construct is the same no matter what language..

Les are you around?  I need you dude.  

When I try pinging the router which I am assuming is 141.155.64.17 from the other workstation (192.168.109.101) I'm getting Request timed out. 100% packet loss.
What is this "other workstation"' default gateway?
This is one of your posts from yesterday.  I just noticed the "typo in my post".  Sorry.  Please tell me where I should modify these settings (I think they should be changed on the router)

I am guessing that both the router & the PIX are configured with the same IPs.  I may be wrong.  

>LAN      141.155.64.16/28 (16 IPs, 13 usable)

>ip address 141.155.64.16 255.255.255.240
typo in my post:

   ip address 141.155.64.16 255.255.255.240
Should be:
   ip address 141.155.64.17 255.255.255.240

.16 is the network ID
.17 is the 1st useable IP
.17 is the default gateway of the above PIX config

why .24 mask?
/28 = .240 mask
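The mismatches the thread keeps tripping over (router on one subnet, PIX on another, a default route pointing at an address that is not the router, an address that is really the network ID) can all be caught with a few lines of Python before anything is cabled up. The check below is an added example, not something from the thread or from Cisco; the two config snippets are constructed from the values posted above (the router still carrying the 141.55 typo), and it assumes FastEthernet0/0 is the router's LAN side facing the PIX outside interface, as in this setup.

```python
import ipaddress
import re

# Constructed sample: the router and PIX lines as posted in the thread before
# the typo (141.55 vs 141.155) was spotted. Hypothetical, not a full config.
ROUTER_CONFIG = """\
interface FastEthernet0/0
 ip address 141.55.64.17 255.255.255.240
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
ip route 0.0.0.0 0.0.0.0 68.160.89.138
"""

PIX_CONFIG = """\
ip address outside 141.155.64.18 255.255.255.240
ip address inside 192.168.109.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 141.155.64.17 1
"""


def router_lan_interface(config, name="FastEthernet0/0"):
    """Return the IPv4Interface configured under the named IOS interface."""
    current = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        # Interface sub-commands are indented; 'ip route' at top level is skipped
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and current == name:
            return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    raise ValueError(f"no ip address on {name}")


def pix_outside(config):
    """Return (outside IPv4Interface, default-route next hop) from a PIX 6.x config."""
    iface = gw = None
    for line in config.splitlines():
        m = re.match(r"ip address outside (\S+) (\S+)", line)
        if m:
            iface = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m:
            gw = ipaddress.IPv4Address(m.group(1))
    if iface is None or gw is None:
        raise ValueError("PIX outside address or default route missing")
    return iface, gw


def check_edge(router_cfg, pix_cfg):
    """Return a list of problems; an empty list means router and PIX agree."""
    problems = []
    rtr = router_lan_interface(router_cfg)
    pix, gw = pix_outside(pix_cfg)
    # The PIX outside address must share the router's LAN subnet ...
    if pix.network != rtr.network:
        problems.append(f"PIX outside {pix} is not in router LAN subnet {rtr.network}")
    # ... and the PIX default route must point at the router's LAN address
    if gw != rtr.ip:
        problems.append(f"PIX default route {gw} is not the router LAN IP {rtr.ip}")
    # Neither box may sit on the network ID (.16 here) or the broadcast address (.31)
    for label, i in (("router", rtr), ("PIX", pix)):
        if i.ip in (i.network.network_address, i.network.broadcast_address):
            problems.append(f"{label} address {i.ip} is the network/broadcast address of {i.network}")
    return problems


if __name__ == "__main__":
    for p in check_edge(ROUTER_CONFIG, PIX_CONFIG) or ["router and PIX agree"]:
        print(p)
```

Run it against the snippets as posted and it reports two problems (wrong subnet and wrong next hop); change the router line to 141.155.64.17 and it reports none. Putting .16 on the router would be flagged as the network address, which is exactly the "/28 = .240 mask, .16 is the network ID" point made above.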
default gateway is the same on the laptop 192.168.109.1 as on the desktop computer
Please take a look at the configs for both router & firewall if you can.

LAN      141.155.64.16/28 (16 IPs, 13 usable)
WAN     68.160.89.137 (Verizon side)
             68.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  


ROUTER CONFIG:
Using 1334 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname C1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$LJWa$Fxcu/ZoJbT6Ei6.G9yLc81
enable password 7 070228085A060902021C5A
!
no aaa new-model
!
resource policy
!
clock timezone est -5
clock summer-time edt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name yourdomain.com
!
username cisco privilege 15 secret 5 $1$ZMSn$9/qJDaP00Ox8L8pvUknNs/
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 141.55.64.17 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.160.89.138
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input none
!
ntp server 128.59.16.20 prefer
end
Please take a look at the configs for both router & firewall if you can.

LAN      141.155.64.16/28 (16 IPs, 13 usable)
WAN     68.160.89.137 (Verizon side)
             68.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  


PIX CONFIG:

: Written by enable_15 at 19:37:50.004 EST Thu Dec 31 1992
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password K9GiZEzzMZhapmAG encrypted
passwd Ss0X3CJMVgJ1TMrm encrypted
hostname PIX506
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any
access-list no_nat permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list VPN_splitTunnelAcl permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list Outside_dynamic permit ip 192.168.109.0 255.255.255.0 192.168.122.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 141.155.64.18 255.255.255.240
ip address inside 192.168.109.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.123.200-192.168.123.254
pdm location 192.168.122.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 141.155.64.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
ntp server 192.5.41.41 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.109.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address Outside_dynamic
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup VPN3000 address-pool VPNPOOL
vpngroup VPN3000 split-tunnel VPN_splitTunnelAcl
vpngroup VPN3000 idle-time 1800
vpngroup VPN3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.109.100-192.168.109.254 inside
dhcpd dns 151.202.0.84 151.202.0.85
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username taki1gostek password ywjI7D/HbZsdqCg8 encrypted privilege 15
terminal width 80
Cryptochecksum:7c1420587cc828165edccba1088a17f6
PIX506(config)#
I see the disconnect...
>interface FastEthernet0/0
  ip address 141.55.64.17 255.255.255.240
 
Pix is
 IP address 140.155.64.18

What should it be?
141.155.64.x ?
140.155.64.x ?
141.55.64.x ?

Just make sure both the router and PIX are the same....
 
I'm sorry I can't understand your question...  What do you need me to do?  

Back to basics:

LAN      141.155.64.16/28 (16 IPs, 13 usable)
WAN     68.160.89.137 (Verizon side)
             68.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  

If I understand it correctly, the router should be assigned 141.155.64.17 and the pix 141.155.64.18?
Les, I am honestly ready to do about anything to make sure this thing is up and running.  A lot of stuff is on the line for me if I can't get that office up tomorrow.  Can I at least get your yay or nay on whether I will be able to rely on you through the reminder of the evening to make sure that everything's configured right?

Please let me know.  I'm wondering whether I should start devising plan B, i.e. putting everything off until I have the equipment preconfigured and that it will work...
I am in Cisco PIX Device Manager 3.0 right now and I'm viewing Configuration/Hosts/Network Tab and I can see that the Outside interface says the following:

outside:any
141.155.64.16
    outside 141.155.64.18
192.168.122.0
vpnpool 192.168.123.192

is the 141.155.64.16 setting correct?

Please respond, Les.
I finally figured it out!

Things didn't work because the router was misconfigured with 141.55.64.17 as its IP address (it's supposed to be 155 not 55)!

How else can I verify that everything's running fine?
I will get in touch with you tomorrow if something fails to work.  
Good luck!
I lost my cable internet for about 8 hours last night. Big wreck down the street knocked down a telephone pole.
I'll keep watching my email..
Up and running.  Total Plug & Play!!!!

Thanks!

I will be doing VPN testing right now and will try to figure out what ACL's I'll have to create.

Thanks THANK YOU THANK YOU THANK YOU!!!!

I will follow up with an update and/or question once I have any.
That's really good news!
Email me the password you set for the VPN3000 group and I can help test..

I have not been able to connect using the CISCO VPN client.  I had gone into PDM and created a new PPTP (windows) VPN profile, created a local user name and was able to get in fine.  

What IP & username should I be using with the VPN client?  I would prefer to use that instead of windows' PPTP.  Are the VPN client default settings fine?

Once a user is connected to the network, what can they do being that they're in the VPNPOOL of IP addresses that are different from their office workstations?  What's the recommended way for them to connect to their workstations?  RDP?  

Will they be able to RDP into their workstation if they're on a different, VPNPOOL subnet?
sent you an e-mail
>What IP & username should I be using with the VPN client?
outside IP of the PIX
Username (group name) = VPN3000
Password =
   vpngroup VPN3000 password ******** <== whatever you put here...

This username with the PW you sent does not work:
My client gets this error:
Hash verification failed... may be configured with invalid group password.
I have to download a hyper terminal client on the win2k3 machine.  I will let you know as soon as I've assigned a pass.
I changed the password (sent to you in e-mail)

Now I'm getting somewhere but still not there yet

Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      09:37:38.046  06/26/06  Sev=Warning/3      IKE/0xA3000029
No keys are available to decrypt the received ISAKMP payload
Any ideas?  I can't leave here until VPN is configured right....   are you around?
Add me as a username - lrmoore - and give me a password. I can access the GUI from here and help you out.
Email me the password.
I can get your emails but cannot respond to them from where I am..

Have faith, we'll get you going.
E-Mail Sent.  PDM in with the username & password I had set for you.
Works for me. Prompts for username/password.
Using local username/pw data
Gotta run to meeting...
What user name and password should users be entering when it prompts for the user name and password?  It just worked for me too...  

Can users RDP into their workstations after they connect via VPN?  Please let me know as soon as you can.
Whatever username/pass you enter for them just like you did yours and mine.
Yes, users can certainly RDP to their desktops..
 
But what usernames and passwords should users use?  Do they have to enter one into the second prompt, i.e. VPN3000 & password and then RDP?  

Should I have to create user names and passwords for all users that want to VPN into the network or will VPN3000 username take care of that?
I have a Linux box that I have to set up on the PIX.

Public IP 141.155.64.19
Private IP 192.168.109.200
Enable Ports 22 & 8657 UDP & TCP for both, inside and outside.
Deny all other ports.

Any pointers on setting up the ACL?  I will be able to take this example and take care of any future servers, i.e. exchange, etc.. that they'll add to the network.

You are my god.
When I VPN into the network, how come I can't ping the gateway 192.168.109.1?
>Should I have to create user names
You have 2 easy options.
1) go ahead and create the username/passwords
2) remove this line from the PIX config:
   crypto map outside_map client authentication LOCAL
That will stop the 2nd prompt for username pass and just needs the VPN3000 password.

>When I VPN into the network, how come I can't ping the gateway 192.168.109.1
Because that is the way the pix is designed. You might be able to ping it if you go into Configuration | Administration | Management Access and select the Inside as a management access interface..


 
>Public IP 141.155.64.19
Private IP 192.168.109.200
Enable Ports 22 & 8657 UDP & TCP for both, inside and outside.
Deny all other ports.

static (inside,outside) 141.155.64.19 192.168.109.200 netmask 255.255.255.255
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 141.155.64.19 eq 22
access-list outside_in permit udp any host 141.155.64.19 eq 22
access-list outside_in permit tcp any host 141.155.64.19 eq 8657
access-list outside_in permit udp any host 141.155.64.19 eq 8657
access-list outside_in in interface outside

Notice that I added the permit icmp so this new acl replaces your acl "icmp" that was in there for test purposes only.
You will build off of this outside_in acl for any other hosts/services that you want to add.
There is no requirement to deny all else because it only permits what you specify and nothing else.

you want to be very careful on what you block from inside going out. Suggest not blocking anything to start with.
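Since the outside_in ACL is the thing that decides what the Internet can reach on each published server, it is worth having a quick way to read a set of static/access-list lines back and see what they actually expose, and to catch the two slips that are easy to make at the console: a mistyped protocol keyword, and applying the ACL with access-list instead of access-group. The linter below is an added example, not Cisco code or anything posted in the thread; it handles only the PIX 6.x forms used above (static, access-list permit/deny with any, host or net/mask, optional eq port, access-group), and its sample input is constructed from the lines in the post with a deliberately mistyped protocol ("ucp") and the access-list/access-group slip included so the check has something to find.

```python
# Constructed sample: the static + ACL lines for the Linux box, with two
# deliberate mistakes for the linter to catch (hypothetical, not a real config).
SAMPLE = """\
static (inside,outside) 141.155.64.19 192.168.109.200 netmask 255.255.255.255
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 141.155.64.19 eq 22
access-list outside_in permit udp any host 141.155.64.19 eq 22
access-list outside_in permit tcp any host 141.155.64.19 eq 8657
access-list outside_in permit ucp any host 141.155.64.19 eq 8657
access-list outside_in in interface outside
"""

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def _addr(tokens):
    """Consume one PIX address spec (any | host X | net mask) from a token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def lint_pix(config):
    """Parse static/access-list/access-group lines.

    Returns {"problems": [...], "exposure": {"public->private": [(proto, port), ...]}}.
    """
    problems, statics, acls, applied = [], {}, {}, set()
    for n, line in enumerate(config.splitlines(), 1):
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            # static (inside,outside) PUBLIC PRIVATE netmask MASK
            statics[t[2]] = t[3]
        elif t[0] == "access-group":
            applied.add(t[1])
        elif t[0] == "access-list":
            name = t[1]
            if len(t) > 2 and t[2] == "in":
                problems.append(f"line {n}: use 'access-group {name} in interface ...' to apply an ACL")
                continue
            if len(t) < 4 or t[2] not in ("permit", "deny"):
                problems.append(f"line {n}: malformed access-list entry")
                continue
            action, proto = t[2], t[3]
            if proto not in PROTOCOLS:
                problems.append(f"line {n}: unknown protocol '{proto}'")
                continue
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else "any"
            acls.setdefault(name, []).append((action, proto, src, dst, port))
    # An ACL that is never bound to an interface filters nothing
    for name in acls:
        if name not in applied:
            problems.append(f"ACL '{name}' is never applied with access-group")
    # Everything not listed here is dropped: the PIX denies by default
    exposure = {}
    for pub, priv in statics.items():
        allowed = [(proto, port)
                   for entries in acls.values()
                   for action, proto, src, dst, port in entries
                   if action == "permit" and dst in (pub, "any")]
        exposure[f"{pub}->{priv}"] = allowed
    return {"problems": problems, "exposure": exposure}


if __name__ == "__main__":
    report = lint_pix(SAMPLE)
    for p in report["problems"]:
        print("PROBLEM:", p)
    for host, allowed in report["exposure"].items():
        print(host, "accepts from outside:", allowed)
```

On the sample it reports the unknown protocol, the misused access-list line and the fact that outside_in is consequently never applied, and shows that 141.155.64.19 would accept icmp, tcp/22, udp/22 and tcp/8657 but not udp/8657 (the mistyped line was dropped). Correct the two lines and the problem list is empty with all four ports listed, which matches the point above that there is no separate deny-all to write.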
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed
Think you'll be able to log in via PDM to see what's wrong with the set of CLI commands?  I'm getting an error when I do access-list outside_in in interface outside

I'm leaving now, we'll be able to take care of anything else when I get back to Mass.

Thanks for your help.  I'll shoot you an e-mail when I get back around 8-9PM if traffic's ok.

In the meantime can you see what the problem was with the ACL?

Thanks
access-group outside_in in interface outside

It's already there.... That was my bad...
"access-group" to apply to the interface
If I try to SSH to that IP address, I get prompted for a username....

Good job!