Solved

enter to pix 525 located after cisco router 2800 from outside network

Posted on 2006-11-19
879 Views
Last Modified: 2008-09-05
Hi,
I can now access my router remotely from outside our company using telnet to 62.68.65.1.
I want to access the PIX, which sits behind my router, remotely. How can I access the PIX (PIX IP 172.16.100.2)?
Or, if I want to access any other device in my network, how can I do that?
My network map with IPs is:
router with IP 62.68.65.1, connected to
PIX 525 with IP 172.16.100.2, connected to
Cisco switch with IP 172.16.100.2

Thanks
Question by:nasemabdullaa
33 Comments

Author Comment

by:nasemabdullaa
ID: 17974538
Hi,
I mean access the PIX from outside our company.
0
 
LVL 3

Expert Comment

by:Skyccord
ID: 17974699
Nasemabdullaa,
Good morning. The main question here is how many IP addresses you have allocated to you by your ISP. A typical setup includes more than one, and let me explain why. Your router is usually the "gateway" to the Internet for your router and firewall device. So let's say your gateway IP is something like 69.157.100.9 and the next group of public IPs given to you by your provider is 69.157.100.10 - .14. You would assign this entire block to your Cisco PIX firewall, which will then "control" the assignments of these IPs. I just need some more information.
0
 

Author Comment

by:nasemabdullaa
ID: 17974746
Hi,
I have 64 public IPs, from 62.68.65.1 to 62.68.65.64.
I am using 62.68.65.1 to 62.68.65.44 for the router IP and for NAT.

Thanks
0
 
LVL 5

Expert Comment

by:WGhen
ID: 17974753
Yup, you need to obtain and assign a public IP to the firewall.
Probably then set up Cisco VPN (which the 525 is already able to run), and the free client at the home end.
Telnet is in cleartext and therefore BAAAAAAD!

WGhen
0
 
LVL 5

Expert Comment

by:WGhen
ID: 17974830
Perform the NAT translations with the PIX, not the router. Use the router only to connect to the ISP. Both router and PIX should have public addresses. Anything inside the firewall has a private address; everything outside the firewall has one single global public address (the xlate table in the PIX keeps track of all this), except web servers or whatever you might want visible to the world. Those you would put in a DMZ on a separate interface in the PIX, and they would use other addresses from your block of 64.

Once connected to the PIX with a VPN tunnel, your traffic will be encrypted, and you will have an address internal to your work network, thus allowing telnet to all your internal routers and switches, remote console to servers, FTP servers, etc. etc. etc.
0
 

Author Comment

by:nasemabdullaa
ID: 17974870
Hi,
thanks for your reply.
I am using NAT in the PIX.
I am trying to make a simple VPN connection (remote user), but I do not know how. I have asked many questions in this field but I do not get an answer.
I am trying to use Windows Server 2003 remote access, but I do not know how it works with the PIX.
I do not know how to configure the PIX for VPN or remote access via VPN.
I am using the GUI on the PIX.

Thanks
0
 
LVL 3

Expert Comment

by:Skyccord
ID: 17974900
What kind of router are you running, so I can provide you with the appropriate configuration?
0
 

Author Comment

by:nasemabdullaa
ID: 17974919
Hi,
my router is a Cisco 2800
and the PIX is a 525.
You can see I have put many questions in the same field but I do not get an answer.
Can you give me a VPN connection for this?
I have Windows Server 2003 at both sites,
and I have a Cisco 2800 at one site; the other site is direct (the IP for the server is 82.205.129.40).
Can I make a VPN?
Thanks
0
 

Author Comment

by:nasemabdullaa
ID: 17974940
Hi,
this is the problem:
I have a Windows 2003 server with IP 172.16.14.130, mapped to public 62.68.65.1 (server 1) by NAT in the PIX firewall.
I want to make a simple VPN connection between two sites (Windows 2003 server VPN) or Cisco VPN.
Network map at site 1:
modem connects to router Cisco 2800, connects to PIX 525, connects to core switch (layer 3 switch), connects to 4 distribution switches; each distribution switch connects to 10 access switches (Cisco 2950), which then connect to my server.

Site one
router Cisco 2800
public IP 62.68.65.1
internal network 172.16.0.0
(14 VLANs) (networks from 172.16.2.0 ..... to 172.16.14.0)

Site two
public IP 82.205.129.40 for Windows 2003 (server 2)
no VLAN

How can I do that?
I want users from site one to be able to access the shared folder at site 2, and from site 2 to access site 1.
Can I get a simple configuration for this?

0
 
LVL 5

Expert Comment

by:WGhen
ID: 17974973
The IP address you provided for the PIX is a private address. What is its public address?
Do you have some internal access server like TACACS, RADIUS, etc. that will authenticate a VPN user?
Setting up a reliable VPN can be tricky, but it is the safe way to do it. BTW, what I haven't told you is that it is very easy to allow telnet to one of your internal routers instead of the external one, but unsafe to do. That also requires a public IP on the PIX.

WGhen
0
 

Author Comment

by:nasemabdullaa
ID: 17974990
Hi,
>>> What is its public address
62.68.65.3

>>> Do you have some internal access server like TACACS, Radius
No.

I want to make a VPN to allow users to see the shared files on the server.


Thanks
0
 
LVL 5

Expert Comment

by:WGhen
ID: 17975012
OK,
at first your question sounded like you wanted to reach your network from home.
Now it sounds like you want a tunnel between two sites. You don't mention what internal scheme you use for addresses at site two.

Below is a lengthy (sorry) example of how to make this tunnel. Adapt the addresses to your addresses. Once you build the tunnel it could all be one network, or two separate networks with static routes between them.

WGhen

Headquarters PIX
 
HQPIX(config)#show run
PIX Version 7.0(0)102
names
!
interface Ethernet0
description WAN interface
nameif outside
security-level 0
ip address 172.17.63.229 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname HQPIX
domain-name cisco.com
ftp mode passive
clock timezone AEST 10
access-list 100 extended permit ip any any
access-list 150 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
asdm image flash:/asdmfile.50073
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 172.17.63.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
 sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partner protocol tacacs+
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable
http 10.1.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside
crypto map forsberg 21 match address nonat
crypto map forsberg 21 set peer 172.17.63.230
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 172.17.63.230 type ipsec-l2l
tunnel-group 172.17.63.230 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy asa_global_fw_policy global
Cryptochecksum:3a5851f7310d14e82bdf17e64d638738
: end
SV-2-8#  

Branch Router
 
BranchRouter#show run
Building configuration...
 
Current configuration : 1719 bytes
!
! Last configuration change at 13:03:25 AEST Tue Apr 5 2005
! NVRAM config last updated at 13:03:44 AEST Tue Apr 5 2005
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname BranchRouter
!
logging queue-limit 100
logging buffered 4096 debugging
!
username cisco privilege 15 password 0 cisco
memory-size iomem 15
clock timezone AEST 10
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 172.17.63.229
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer 172.17.63.229
set transform-set sharks
match address 120
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Ethernet0/0
ip address 172.17.63.230 255.255.255.240
ip nat outside
no ip route-cache
no ip mroute-cache
half-duplex
crypto map nolan
!
interface Ethernet0/1
ip address 10.2.2.1 255.255.255.0
ip nat inside
half-duplex
!
ip nat pool branch 172.17.63.230 172.17.63.230 netmask 255.255.255.0
ip nat inside source route-map nonat pool branch overload
no ip http server
no ip http secure-server
ip classless
ip route 10.1.1.0 255.255.255.0 172.17.63.229
!
!
!
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 130
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

0
 

Author Comment

by:nasemabdullaa
ID: 17975034
Hi,
thanks for your reply.
I want to reach each network from the other,
but I also want to reach the PIX from home.
Thanks
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17975366
Hi!
Before we proceed with the VPN configuration (where you can choose between a couple of solutions), let's figure out your WAN configuration first.
What are the IP, mask and gateway of your WAN interface on the 2800 router?
I am asking this because it is not clear at the moment whether the WAN interface is using one of the 64 IPs or a separate public IP with a /30 mask.

Dean
0
 

Author Comment

by:nasemabdullaa
ID: 17979230
Hi,
thanks for your reply.
This is my PIX configuration:

User Access Verification------------------------

Password:---------
Core>telnet 172.16.100.2                        
Trying 172.16.100.2 ... Open!
line con 0          

   


User Access Verification                        

Password:        
Password:        
Type help or '?' for a list of available commands.                                                  
PIX> sh run          
Type help or '?' for a list of available commands.                                                  
PIX> enable          
Password: *****              
PIX# sh run          
: Saved      
:
PIX Version 6.3(5)                  
interface ethernet0 auto                        
interface ethernet1 auto                        
interface gb-ethernet0 1000auto shutdown                                        
interface gb-ethernet1 1000auto shutdown                                        
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
passwd 2KFQnbNIdI.2KYOU encrypted                                
hostname PIX            
domain-name Cisco                
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tft                
names    
access-list acl_out permit icmp any any                                      
access-list inside_outbound_nat0_acl permit ip any 172.16.2.96 255.255.255.240                                                                              
access-list OutsideIn permit tcp any host 62.68.65.43 eq www                                                            
access-list OutsideIn permit tcp any host 62.68.65.43 eq smtp                                                            
access-list OutsideIn permit tcp any host 62.68.65.43 eq ftp                                                            
access-list OutsideIn permit tcp any host 62.68.65.43 eq telnet                                                              
access-list OutsideIn permit tcp any host 62.68.65.43 eq 3389                                                            
access-list OutsideIn permit tcp any host 62.68.65.43 eq 69                                                          
access-list OutsideIn permit tcp any host 62.68.65.43 eq ssh                                                            
access-list OutsideIn permit tcp any host 62.68.65.50 eq www                                                            
access-list OutsideIn permit tcp any host 62.68.65.50 eq smtp                                                            
access-list OutsideIn permit tcp any host 62.68.65.50 eq ftp                                                            
access-list OutsideIn permit tcp any host 62.68.65.50 eq telnet                                                              
access-list OutsideIn permit tcp any host 62.68.65.50 eq 3389                                                            
access-list OutsideIn permit tcp any host 62.68.65.50 eq 69                                                          
access-list OutsideIn permit tcp any host 62.68.65.50 eq ssh                                                            
pager lines 24              
mtu outsid        
mtu inside 1500              
mtu intf2 1500              
mtu intf3 1500              
ip address outside 62.68.65.3 255.255.255.192                                            
ip address inside 172.16.100.2 255.255.255.0                                            
no ip address intf2                  
no ip address intf3                  
ip audit info action alarm                          
ip audit attack action alarm                            
no failover          
failover timeout 0:00:00                        
failover poll 15                
no failover ip address outside                              
no failover ip address inside                            
no failover ip address intf2                            
no failover ip address intf3                            
pdm location 172.16.2.70 255.255.255.255 inside                                              
pdm location 172.16.2.200 255.255.255.255 inside                                                
pdm location 172.16.2.0 255.255.255.0 inside                                            
pdm location 172.16.3.0 255.255.255.0 inside                                            
pdm location 172.16.4.0 255.255.255.0 inside                                            
pdm location 172.16.5.0 255.255.255.0 inside                                            
pdm location 172.16.6.0 255.255.255.0 inside                                            
pdm location 172.16.7.0 255.255.255.0 inside                                            
pdm location 172.16.8.0 255.255.255.0 inside                                            
pdm location 172.16.9.0 255.255.255.0 inside                                            
pdm location 172.16.10.0 255.255.255.0 inside                                            
pdm location 172.16.11.0 255.255.255.0 inside                                            
pdm location 172.16.12.0 255.255.255.0 inside                                            
pdm location 172.16.13.0 255.255.255.0 inside                                            
pdm location 172.16.14.0 255.255.255.0 inside                                            
pdm location 172.16.20.0 255.255.255.0 inside                                            
pdm location 172.16.30.0 255.255.255.0 inside                                            
pdm location 172.16.40.0 255.255.255.0 inside                                            
pdm location 172.16.50.0 255.255.255.0 inside                                            
pdm location 172.16.110.2 255.255.255.255 inside                                                
pdm location 172.16.120.2 255.255.255.255 inside                                                
pdm location 62.68.65.43 255.255.255.255 outside                                                
pdm location 62.68.65.44 255.255.255.255 outside                                                
pdm location 172.16.2.96 255.255.255.240 outs                                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 62.68.65.4-62.68.65.42                                        
global (outside) 1 62.68.65.60                              
nat (inside) 0 access-list inside_outbound_nat0_acl                                                  
nat (inside) 1 172.16.2.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.3.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.4.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.5.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.6.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.7.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.8.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.9.0 255.255.255.0 0 0                                          
nat (inside) 1 172.16.10.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.11.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.12.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.13.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.14.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.20.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.30.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.40.0 255.255.255.0 0 0                                            
nat (inside) 1 172.16.100.0 255.255.255.0 0 0                                            
static (inside,outside) 62.68.65.43 172.16.110.2 netmask 255.255.255.255 0 0                                                                            
static (outside,inside) 172.16.110.2 62.68.65.43 netmask 255.255.255.255 0 0                                                                            
static (inside,outside) 62.68.65.44 172.16.120.2 netmask 255.255.255.255 0 0                                                                            
static (outside,inside) 172.16.120.2 62.68.65.44 netmask 255.255.255.255 0 0                                                                            
static (inside,outside) 62.68.65.50 172.16.14.130 netmask 255.255.255.255 0 0                                                                            
access-group OutsideIn in interface outside                                          
conduit permit icmp any any                          
conduit permit tcp host 62.68.65.43 eq www any                                              
conduit permit tcp host 62.68.65.44 eq www any                                              
conduit permit tcp host 62.68.65.44 eq po                                        
conduit permit tcp host 62.68.65.44 eq imap4 any                                                
conduit permit tcp host 62.68.65.44 eq smtp any                                              
rip inside passive version 1                            
route outside 0.0.0.0 0.0.0.0 62.68.65.1 1                                          
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout sip-disconnect 0:02:00 sip-invite 0:03:00                                                
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server TACACS+ max-failed-attempts 3                                        
aaa-server TACACS+ deadtime                        
aaa-server RADIUS protocol radius                                
aaa-server RADIUS max-failed-attempts 3                                      
aaa-server RADIUS deadtime 10                            
aaa-server LOCAL protocol local                              
http server enable                  
http 172.16.2.70 255.255.255.255 inside                                      
http 172.16.2.200 255.255.255.255 inside
http 172.16.130.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 172.16.100.0 255.255.255.0 inside
telnet 172.16.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username nasem password *********
dhcpd address 172.16.100.50-172.16.100.225 inside
dhcpd dns 172.16.2.5
dhcpd lease 6000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:8807df1338fbbaf410264f652b097b1f
: end
PIX#

and the router configuration:

User Access Verification                        

Password:        
MOO_Router#sh run                
Building configuration...                        

Current configuration : 4238 bytes                                  
!
version 12.4            
service timestamps debug datetime msec                                      
service timestamps log datetime msec                                    
no service password-encryption                              
!
hostname MOO_Router                  
!
boot-start-marker                
boot-end-marker              
!
logging buffered 51200 warnings                              
!
no aaa new-model                
!
resource policy              
!
ip subnet-zero              
ip wccp web-cache                
!
!
ip cef      
!
!
ip domain name yourdomain.com                            
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3428832341                                              
 enrollment selfsigned                      
 subject-name cn=IOS-Self-Signed-Certificate-3428832341                                                      
 revocation-check none                      
 rsakeypair TP-self-signed-3428832341                                    
!
!
crypto pki certificate chain TP-self-signed-3428832341                                                      
 certificate self-signed 01                          
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030                                                                        
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274                                                                        
  69666963 6174652D 33343238 38333233 3431301E 170D3036 30383037 30383336                                                                        
  31325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649                                                                        
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34323838                                                                        
  33323334 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281                                                                        
  8100DF09 EF8B3FE6 22DEA7A7 877D2280 0E7134D9 743A938E A6620514 93B4C3DD                                                                        
  3DA79889 020ECB50 0A6B0ADE 13207047 5ACD2233 1F8C3029 DF229779 A7C3CD                                                                      
  B07B13BC C08E8188 536BD216 DF1835BE A8674BD3 EB413B5E C12268B4 68EC49B2                                                                        
  478238A1 6253F483 EFBAF4FE 7DCF1F22 58D6A23C 8838379A E6F59FC9 B98FF3EC                                                                        
  A6B10203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603                                                                        
  551D1104 1D301B82 194D4F4F 5F526F75 7465722E 796F7572 646F6D61 696E2E63                                                                        
  6F6D301F 0603551D 23041830 168014B8 6C766E61 24F524B8 0CDFAA90 4A8EC8EE                                                                        
  50E49230 1D060355 1D0E0416 0414B86C 766E6124 F524B80C DFAA904A 8EC8EE50                                                                        
  E492300D 06092A86 4886F70D 01010405 00038181 00A594B1 92EA4840 65A6C6                                                                      
  00ED1AFC 9E6367F8 EA37E120 00512E02 C12429ED FDDB77AB 133A752C B780E89D                                                                        
  9D251874 B3EAF522 00C4DDB6 106F01C9 FFFB3BE6 7D825173 50CAF20F 5CD0D278                                                                        
  EC75AD2F 58413A69 529E376C E4361D9E 866C2EA6 EA72602F 62D931A6 C8CA9F09                                                                        
  F9FFBAFD 507E7B1E CE94B928 B2523322 DACB51BC 26                                                
  quit      
username cisco privilege 15 secret 5 $1$WkQL$OxhoBFeR.7oK35DlYpMxS/                                                                  
username moo privilege 15 secret 5 $1$MAfd$lBLqf2PQGuz8sOEKoPIBw0                                                                
!
!
!
!
!
!
interface GigabitEthernet0/0                            
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$                                                      
 ip address 62.68.65.1 255.255.255.192                                      
 ip wccp web-cache redirect out                              
 duplex auto            
 speed auto          
!
interface GigabitEthernet0/1                            
 ip address 192.168.0.1 255.255.255.0                                    
 duplex auto            
 speed auto          
!
interface Serial0/0/0                    
 ip address 172.16.197.2 255.255.255.0                                      
 no ip route-cache cef                      
 no ip route-cache                  
 no ip mroute-cache                  
 load-interval 30                
 no keepalive            
 no fair-queue              
 ignore dcd          
 no cdp enable              
!
interface Content-Engine1/0                          
 ip unnumbered GigabitEthernet0/0                                
 service-module ip address 62.68.65.2 255.255.255.192                                                    
 service-module ip default-gateway 62.68.65.1                                            
!
ip default-gateway 172.16.197.2                              
ip classless            
ip route 0.0.0.0 0.0.0.0 172.16.197.1                                    
ip route 62.68.65.2 255.255.255.255 Content-Engine1/0                                                    
!
!
ip http server              
ip http authentication local                            
ip http secure-server                    
ip http timeout-policy idle 5 life 86400 requests 10000                                                      
!
!
!
!
!
control-plane            
!
!
!
!
!
!
!
!
!
banner login ^C              
-----------------------------------------------------------------------                                                                      
Cisco Router and Security Device Manager (SDM) is installed on this device.                                                                          
This feature requires the one-time use of the username "cisco"                                                              
with the password "cisco".                          

Please change these publicly known initial credentials using SDM or the IOS CLI.                                                                                

Here are the Cisco IOS commands.                                

username <myuser>  privilege 15 secret 0 <mypassword>                                                    
no username cisco                

Replace <myuser> and <mypassword> with the username and password you want to use                                                                                
.

For more information about SDM please follow the instructions in the QUICK START                                                                                

GUIDE for your router or go to http://www.cisco.com/go/sdm                                                          
-----------------------------------------------------------------------                                                                      
^C  
!
line con 0          
 password floor
 login
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output all
line vty 0 4
 privilege level 15
 password floor
 login
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

MOO_Router#

What must I do to configure VPN or remote access?
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17984999
Well, I think that I understand the configuration. Please correct me if I am wrong, but it looks like this:

http://www.netometer.net/clients/diagrams/nasem.html

There are some duplicate commands which can be removed, and improvements to be done.
All your traffic to the Internet goes out Serial0/0/0 of the router and hits the router 172.16.197.1. These are private IP addresses. You need to provide more info about your Internet connection before I can recommend you a VPN solution.

Best Regards,

Dean
0
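The two points the experts raise above, WGhen's "telnet is cleartext" and Dean's "there are some duplicate commands which can be removed", can be turned into a repeatable check before a firewall or router is exposed to the Internet. The script below is an added example, not code from this thread or from Cisco; it runs over constructed PIX 6.x and IOS config samples written in the style of the posted configs (using documentation addresses, not the poster's real ones), and the rule names and severities are this example's own choices.

```python
"""Flag weak remote-management settings in Cisco PIX 6.x / IOS running-configs.

Added example: not code from the thread or from Cisco. The samples below are
constructed in the style of the posted configs, with documentation addresses.
Rule names and severities are this example's own assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" | "medium" | "low" | "info"
    rule: str
    line: str      # offending command (prefixed with its "line ..." block on IOS)


# Single-line checks: (regex on the stripped command, rule name, severity).
LINE_RULES = [
    # PIX 6.x inbound ACL that lets the whole Internet reach a telnet port.
    (r"^access-list \S+ permit tcp any host \S+ eq (telnet|23)$",
     "telnet-permitted-from-internet", "high"),
    # PIX 6.x management telnet enabled on the outside interface.
    (r"^telnet \S+ \S+ outside$", "pix-telnet-management-on-outside", "high"),
    # IOS keeps line/enable passwords readable in the config text.
    (r"^no service password-encryption$", "cleartext-passwords-in-config", "low"),
    # Well-known SNMP communities.
    (r"^snmp-server community (public|private)\b", "default-snmp-community", "medium"),
    # IOS "password 0" stores the user password unhashed.
    (r"^username \S+( privilege \d+)? password 0 \S+$", "cleartext-user-password", "medium"),
    # PIX 6.x conduits are the legacy mechanism; review them next to access-group.
    (r"^conduit ", "legacy-conduit-present", "info"),
]


def audit_config(text: str) -> list[Finding]:
    """Return findings for one PIX 6.x or IOS config in 'show run' form."""
    findings: list[Finding] = []
    line_block: str | None = None        # current IOS "line con/vty ..." section
    top_level: Counter[str] = Counter()  # counts top-level commands for duplicates

    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith(("!", ":")):
            continue  # separators, comments, ": Saved" / ": end" markers
        indented = raw[:1].isspace()
        if not indented:
            top_level[cmd] += 1
            line_block = cmd if cmd.startswith("line ") else None

        for pattern, rule, severity in LINE_RULES:
            if re.match(pattern, cmd):
                findings.append(Finding(severity, rule, cmd))

        if indented and line_block:
            where = f"{line_block}: {cmd}"
            m = re.match(r"^transport input (.+)$", cmd)
            if (line_block.startswith("line vty") and m
                    and {"telnet", "all"} & set(m.group(1).split())):
                findings.append(Finding("medium", "vty-accepts-telnet", where))
            if re.match(r"^password \S+$", cmd):
                # Shared line password instead of per-user "login local".
                findings.append(Finding("medium", "line-password-shared", where))

    for cmd, n in top_level.items():
        if n > 1:
            findings.append(Finding("info", "duplicate-command", f"{cmd} (x{n})"))
    return findings


def rules_triggered(text: str) -> set[str]:
    return {f.rule for f in audit_config(text)}


# Constructed sample configs (documentation addresses, not the poster's).
SAMPLE_PIX = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list OutsideIn permit tcp any host 203.0.113.43 eq www
access-list OutsideIn permit tcp any host 203.0.113.43 eq telnet
access-list OutsideIn permit tcp any host 203.0.113.43 eq ssh
access-group OutsideIn in interface outside
conduit permit tcp host 203.0.113.43 eq www any
snmp-server community public
telnet 10.0.100.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh timeout 5
: end
"""

SAMPLE_IOS = """\
version 12.4
no service password-encryption
!
hostname EDGE
!
username admin privilege 15 password 0 changeme
!
line con 0
 password floor
 login
line vty 0 4
 privilege level 15
 password floor
 login
 transport input telnet ssh
!
end
"""

if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    for name, cfg in (("PIX", SAMPLE_PIX), ("IOS", SAMPLE_IOS)):
        for f in sorted(audit_config(cfg), key=lambda f: order[f.severity]):
            print(f"{name} [{f.severity:6}] {f.rule}: {f.line}")
```

The checks are deliberately narrow: an `access-list ... any host X eq telnet` entry or a `telnet ... outside` statement is the cleartext exposure WGhen warns about, a `transport input telnet ssh` on `line vty` with a shared `password` is the IOS equivalent, and exact duplicates of top-level commands are the clutter Dean mentions. Indented lines are not counted as duplicates, since `speed auto` legitimately repeats under several interfaces.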
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17985027
One more question.
What is the network device which you are using to connect to the Internet at the remote office?

Dean
0
 

Author Comment

by:nasemabdullaa
ID: 17985956
hi
this is all the configuration I sent to you
configuration in the pix and the router
only one thing more
my pix internal interface ip 172.16.100.2 connects to the core switch (cisco switch 4503) with ip 172.16.100.1, then this switch connects to 4 distribution switches (layer 3 switches used for routing between the access switches) (I have 40 access switches, each 10 access switches connect to one distribution switch)
management ip for
distribution switch 1 ip 172.16.10.1
distribution switch 2 ip 172.16.20.1
distribution switch 3 ip 172.16.30.1
distribution switch 4 ip 172.16.40.1
then the cisco 2950 access switches connect to these distribution switches with
ip 172.16.2.0
ip 172.16.3.0.................172.16.14.0


in site two I have a server connected directly to the modem, with ip for the server 82.205.129.40 netmask 255.255.255.192
or I can connect the modem to a dlink router and then to the server

I need to see the shared files in each site, or I can enter remotely (remote user)

thanks
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17987066
My question is about the Internet connection at the main site.

Dean
0
 

Author Comment

by:nasemabdullaa
ID: 17987367
hi
thanks for your reply
my router connects to a modem, this is all I have (I am new in our company)
can you tell me please what other information you need
please tell me how I can get it
the above configuration I got from the pix device and the router
and the internet works
please tell me what you need and how I can get it to give to you

thanks
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17987880
Well, first put the server at the remote site behind the DLink router (it is safer that way).
Second, how many machines that need VPN access do you have at the remote site?

Dean
0
 

Author Comment

by:nasemabdullaa
ID: 17987915
ok
thanks for your reply
I have 7 PCs to connect to the VPN

thanks
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17987950
Do you currently have Internet access at the central site and at the remote site?
0
 

Author Comment

by:nasemabdullaa
ID: 17987965
I can enter the central site now (site one, cisco site)
0
 

Author Comment

by:nasemabdullaa
ID: 17987973
I am in the central site
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17988014
I did not understand - do you have internet access at the moment at the central and at the remote site?

Dean
0
 

Author Comment

by:nasemabdullaa
ID: 17988049
hi
no, I mean I am at the location of site 1 and the internet is working on it
and I can enter any device on site 1 to configure it

but in site two there is another person I can call
0
 

Author Comment

by:nasemabdullaa
ID: 17988115
hi
thanks for your reply
can you tell me what I must do in site one (in the pix and router)
I can do it now

thanks
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17988194
Based on the configuration you describe you need a Site-to-Site VPN tunnel.
I think the best approach is to end the tunnel on the central site at the PIX. The remote site has a DLink router and I don’t think it is a good idea to end the tunnel on it, if the DLink router supports this option at all. This leaves only one option – to end the tunnel behind the DLink – on the server. You have two options for the VPN tunnel – PPTP or IPSEC. PPTP is weak and as you have a PIX, IPSEC should be the choice for you. The client machines in the office should be pointing to the server which ends the VPN tunnel.

Dean
0
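The PIX side of the site-to-site IPsec tunnel Dean describes, written here as an added example (it is not from the thread or from the linked PDF) and assuming PIX OS 6.3 syntax. REMOTE_PEER_IP (the DLink's public address), the 192.168.1.0/24 LAN behind the DLink and the pre-shared key are placeholders not given on the page, and 172.16.0.0/16 is assumed to summarise the central-site networks listed earlier.

```text
! Added example, PIX OS 6.3 syntax assumed. Placeholders: REMOTE_PEER_IP,
! 192.168.1.0/24 (assumed LAN behind the DLink) and the pre-shared key.
!
! Traffic that belongs in the tunnel: central LAN (172.16.0.0/16 per the thread)
! to the remote LAN behind the DLink.
access-list vpn-to-site2 permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
! Exempt tunnel traffic from NAT so inside hosts keep their 172.16.x.x addresses.
nat (inside) 0 access-list vpn-to-site2
!
! Phase 1 (ISAKMP): pre-shared key, 3DES/SHA-1, DH group 2.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key REPLACE_WITH_LONG_RANDOM_KEY address REMOTE_PEER_IP netmask 255.255.255.255
! The server sits behind the DLink's NAT, so enable NAT traversal (UDP 4500).
isakmp nat-traversal 20
!
! Phase 2 (IPsec): ESP with 3DES encryption and SHA-1 integrity.
crypto ipsec transform-set site2-set esp-3des esp-sha-hmac
crypto map site2-map 10 ipsec-isakmp
crypto map site2-map 10 match address vpn-to-site2
crypto map site2-map 10 set peer REMOTE_PEER_IP
crypto map site2-map 10 set transform-set site2-set
crypto map site2-map interface outside
! Let decrypted tunnel traffic in without extra entries in the outside ACL.
sysopt connection permit-ipsec
```

The Windows server ends the other side of the tunnel; because it sits behind the DLink's NAT, the DLink must forward UDP 500 and UDP 4500 to the server and both ends must agree on the same Phase 1 and Phase 2 parameters.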
 

Author Comment

by:nasemabdullaa
ID: 17988221
hi
thanks for your reply
but how can I do that
do you have any simple configuration for my problem (configuration of the pix and router)

thanks
0
 

Author Comment

by:nasemabdullaa
ID: 17988247
ok
can I put a file on the server in site 2 (dlink site) and share this file to see it in site one
I mean the user in site one (cisco site) can see the file on the server in site 2
and put a file on the server in site 1 and share it (cisco site) and see it from site 2
thanks
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 17988499
DISCLAIMER from the Moderators: the links in this post require a paid registration to view.

Here is a very good example (it includes the actual configs of the PIX, router and Windows server):

http://www.netometer.net/downloads/tools/ciscowinvpn.pdf

Best Regards,

Dean

PS: I'll be glad to help you if you have problems configuring the PIX and the server
0
 
LVL 5

Accepted Solution

by:
Netminder earned 0 total points
ID: 22406310
Because the site requires a paid subscription to view the file, it is considered advertising, and no points may be awarded. The points have been refunded and the question closed.

Netminder
Site Admin
0