Solved

PIX 501 won't connect to replacement DSL Router

Posted on 2007-03-24
Last Modified: 2013-11-16
I am taking over tech support for a business that has 2 PIX 501's at 2 remote locations that connect the remote offices, via VPN, to HQ. One of the remote locations lost their DSL router, and the ISP sent them another. The Internet works from the DSL router to the PC, but not through the PIX. I am guessing I need to make changes to the PIX to get it to connect to the HQ VPN, but I can't figure out what needs changing.
It looks like the PIX is set to accept DHCP from the ISP; however, when I connect a CAT5 from the DSL router to Int0 of the PIX, the link light doesn't light up (I tried a crossover too). If I plug Int0 into an available port on a Linksys router, and then plug the Linksys into the DSL modem, the PIX gets an IP from the Linksys, but still can't reach the Internet.

Could someone PLEASE review this PIX config and offer some ideas? I replaced a couple of public IP addresses that were statically entered into the PIX with "not_sure_what_IP_this_is" because I'm not sure if it is the public IP of HQ or maybe a public IP the remote location's ISP gave them. I do know that the PIX I'm working on has an internal IP of 192.168.13.x (192.168.13.1 being the inside interface's IP).

Also, when I try to access the PIX via PDM, the initial gui loads, but it hangs and gives a Java access denied error in the lower left field on the browser.

pix501# sho config        
nat (insi
: Saved0.0.0 0
: Written by enable_15 at 15:40:07.623 CDT Fri Apr 28 2006n_out in interface outside                                
PIX Version 6.3(4)ate 3:00:00      
interface ethernet0 100full1:00:00 half-closed 0:10:00
interface ethernet1 100full5 1:00:00                  
nameif ethernet0 outside security0                        
timeout h
nameif ethernet1 inside security100 sip_media 0:02:00                
enable password al3pfBxYEkoYSp1s encrypted  
timeout uauth 0:05:00 absolute        
passwd bqNmE9x6R38x7Mhn encryptedTACACS+ protocol tacacs+        
hostname pix501          
aaa-
domain-name johnrandy.com3                                
clock timezone CST -6ACS+ deadtime 10    
clock summer-time CDT recurringrver RADIUS protocol radius    
fixup protocol dns maximum-length 512er RADIUS max-failed-attempts 3      
fixup protocol ftp 2            
     
fixup protocol pptp 1723255.0 inside            
fixup protocol rsh 514
http 192.168.0.0 255
fixup protocol rtsp 554                      
fixup protocol sip 5060ion                    
fixup protocol sip udp 5060                    
snmp-s
fixup protocol skinny 2000                      
sn
no fixup protocol smtp 25                    
floo
fixup protocol sqlnet 1521  
sysopt connection perm
fixup protocol tftp 69              
crypto
names tran
name 192.168.12.0 john esp-sha-hmac          
name 192.168.13.0 randy
crypto i
name 192.168.11.0 officeS-MD5 esp-des esp-md5-hm
access-list in_out deny icmp any any echo-reply            
crypto ipsec transform-set ESP-3D
access-list in_out deny icmp any any unreachable                                        
       
logging buffered debugging    
isakmp key ********
logging trap notificationsk 255.255.255.255 no-xauth
logging facility 19                  
mtu outside 1500                
mtu inside 1500fig-mode      
ip address outside dhcp setroute retry 4      
isakmp policy 20 authentication
ip address inside 192.168.13.1 255.255.255.0    
isakmp policy 20 encryption 3des      
ip verify reverse-path in
                     
vpngroup montbrink default-domain montg
pdm location 192.168.0.0 255.255.0.0 inside                            
vpngroup mont
pdm location john 255.255.255.0 outside                                  
vpngrou
pdm location randy 255.255.255.0 outside            
vpngroup montbrink password ***
pdm location office 255.255.255.0 outsidetelnet 0.0.0.0 0.0.0.0 outside          
pdm logging warnings 100t 10.0.0.0 255.255.255.0
pdm history enable                  
arp timeout 14400out 5            
global (outside) 1 interfaceide                        
nat (inside) 0 access-list nonatsole timeout 0                

nat (inside) 1 0.0.0.0 0.0.0.0 0 08.13.130 inside                  
access-group in_out in interface outside 192.168.11.10 198.17                  
aaa-server TACACS+ max-failed-attempts 3 ethernet0 "outside" is up, line protoco
aaa-server TACACS+ deadtime 10                              
aaa-server RADIUS protocol radiuset, address is 0014.1cd2.25b4    
aaa-server RADIUS max-failed-attempts 3            
  MTU 1500 bytes, BW 10000
aaa-server RADIUS deadtime 10                            
aaa-server LOCAL protocol local20 bytes, 0 no buffer          
http server enable                  
http 0.0.0.0 0.0.0.0 outsideasts, 0 runts, 0 giants    
http randy 255.255.255.0 in          
                 
floodguard enablece resets        
sysopt connection permit-ipsec                  
        0 b
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac                        
        0 lost carrier, 0 no carr
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac(curr/max blocks): hardware (128/128) software (0/0)      

 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  
        output queue (curr/max blocks): hardware (0/1) so
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac                  
interface ethernet1 "inside" is up, line
crypto map FWVPN 10 ipsec-isakmp                                
crypto map FWVPN 10 match address 100dress is 0014.1cd2.2                
crypto map FWVPN 1                
isakmp key ******** address not_sure_what_IP_this_is netmask 255.255.255.255 no-xauth no-con                  
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
fig-mode        
isakmp identity address                      
isakmp policy 20 authentication pre-share335 bytes, 0 underruns                  
isakmp policy 20 encryption 3des      0 output errors, 0 collisi
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup montbrink address-pool VPN
vpngroup montbrink default-domain johnrandy.com
vpngroup montbrink split-tunnel splitTunnelAcl
vpngroup montbrink idle-time 1800
vpngroup montbrink password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.13.100-192.168.13.130 inside
dhcpd dns 192.168.11.10 not_sure_what_IP_this_is
dhcpd wins 192.168.11.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain johnrandy.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:e35f74fd3d46302006bc910b1106bd3f
pix501#

Thank you!
Question by: Dopher

17 Comments
LVL 28

Expert Comment

by:batry_boy
ID: 18786531
Please repost the PIX config.  It looks like there are remnants of the output of a "show interface" command mixed in with the posted PIX config.

Just as a quick way of diagnosing the Java error for the PDM, issue the "show version" command and look at the version of PDM you have running.  It will say PIX Device Manager and give you a version.  If this version is earlier than 3.03, then this is why you're getting the error.  You need to upgrade to the latest version, which is 3.04, for the most reliable PDM performance, but you need to upgrade to at least version 3.03 to access the PDM and get rid of the Java security error.

Have you modified this config at all in your troubleshooting or is this the original config as you got it?
 

Author Comment

by:Dopher
ID: 18787119
Thanks for your quick response! Here is another attempt at a sho config. The only thing that is changed is the public IP addresses. I changed them to "not_sure_what_ip_this_is" for security. I also changed the domain name. I didn't change this on the PIX config, only in this post. I have not changed the original config, on the PIX itself, at all. As for the PDM, it says "PIX Device Manager 3.0(2)" so I guess an upgrade needs to happen there.

: Written by enable_15 at 15:40:07.623 CDT Fri Apr 28 2006                    


  --------------------------------
PIX Version 6.3(4)------ha-        
interface ethernet0 100full                        
 
interface ethernet1 100fullte Internet eXchange FWVPN
nameif ethernet0 outside security0it full                          
nameif ethernet1 inside security100                                  
enable password al3pfBxYEkoYSp1s encrypted-------------------------------isakmp iden
passwd bqNmE9x6R38x7Mhn encrypted                                
hostname pix501              
domain-name montgomerybrinkman.comsa  
                        Cisc
clock timezone CST -6                    
clock summer-time CDT recurringl Version 6.3(4)bbles, 0 late c
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21res:                
fixup protocol h323 h225 1720 Disabledcy 20 has          
URL-filtering:
fixup protocol rtsp 554                      
fixup protocol sip 5060Inside Hosts:          
fixup protocol sip udp 5060                          
fixup protocol skinny 2000   Unlimited0 255.255.255.
no fixup protocol smtp 25                        
fixup protocol sqlnet 1521                      
IKE
fixup protocol tftp 69   10                
names    
name 192.168.12.0 brinkmanted (R) license.eout 5    
name 192.168.13.0 montgomery          
ssh 0.0.0.0 0.0
name 192.168.11.0 office************************
access-list in_out deny icmp any any echo-reply                                              
access-list in_out deny icmp any any unreachableole timeout 0                
  Compliance with
access-list in_out deny icmp a                            
access-list splitTunnelAcl permit ip any anys product may not be exported outside the U.
pager lines 24              
logging on          
logging timestamp      
  IP addr
logging standby, subnet mask 2
logging buffered debugging            
  either by
logging trap notificationss without PRIOR approval  
logging facility 19                  
mtu outside 1500    
pi  
  MTU
mtu inside 1500100000 Kbit ful
ip address outside dhcp setroute retry 4                      
  of Cisco Syste
ip address inside 192.168.13.1 255.255.255.0                                            
ip verify reverse-path interface inside            

  Persons outside the U.S
ip audit info action alarm                          
pdm location brinkman 255.255.255.0 outside            
  IP address 192.168        
pdm location montgomery 255.255.255.0 outsidetware - Restricted9  MAC: 0014.1cd2.25b4    
pdm location office 255.255.255.0 outside                          
Rights clause
pdm logging warnings 100d subparagraph          
pdm history enable                  
arp timeout 14400      
         
global (outside) 1 interface5134-1706                  
nat (inside) 0 access-list nonat.    
Allocated IP address = 192
nat (inside) 1 0.0.0.0 0.0.0.0 0 0.0, gateway = 192.1              
access-group in_out in interface outside                        
        0 babbl
timeout xlate 3:00:00 0                  
pix501#      




CISCO SYS
aaa-server TACACS+ deadtime 10  
p
Embedded BIOS Version 4.
aaa-server RADIUS protocol radius                                
aaa-server RADIUS max-failed-attempts 3nable p        
Compiled by morleeYSp1s
aaa-server RADIUS deadtime 10                  
16 MB RAM
aaa-server LOCAL protocol local            
pas  
Bus Dev Fu
http server enabless              Ir
http 0.0.0.0 0.0.0.0 outside                    
hostnam
http montgomery 255.255.255.0 inside00  00   1022   3000  Host Bridge  
isakmp enable outsideE28F640J3 @ 0xD8000na
isakmp key ******** address not_sure_what_IP_this_is netmask 255.255.255.255 no-xauth no-con      

  ---------------------------------------------------------            
fig-mode        
isakmp identity address      
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup montbrink address-pool VPN
vpngroup montbrink default-domain montbrink.com
vpngroup montbrink split-tunnel splitTunnelAcl
vpngroup montbrink idle-time 1800
vpngroup montbrink password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.13.100-192.168.13.130 inside
dhcpd dns 192.168.11.10 not_sure_what_IP_this_is
dhcpd wins 192.168.11.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain montbrink.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:e35f74fd3d46302006bc910b1106bd3f
pix501#
 
LVL 28

Expert Comment

by:batry_boy
ID: 18787202
You must be using HyperTerminal's scroll back buffer to copy and paste your config since there are other things embedded in your config that are not part of the config.  For instance,

interface ethernet1 100fullte Internet eXchange FWVPN

is not a valid command.  Can you copy and paste the config from a telnet or ssh session instead?  You'll need to open up telnet or ssh from your inside network (they're not currently in the config as allowed source networks).  Enter this command in the PIX and you should be able to go to a command prompt on a windows machine and type "telnet 192.168.13.1" and login to the PIX:

telnet 192.168.13.0 255.255.255.0 inside

This will allow any host on the 192.168.13.x network to telnet into the PIX as long as you have the access and enable passwords.  Please give this a shot and post the config again.
 
LVL 28

Expert Comment

by:batry_boy
ID: 18787286
Here are a couple of things I will mention while waiting for a clean config post.

As you said, the PIX is configured to obtain its outside public IP address via DHCP.  Do you know if the DSL router is configured for routed mode or bridge mode?  If it's in bridge mode, then all it will do is pass traffic and it will not be able to give out DHCP addressing.  That would come upstream from the ISP if it's in bridge mode.

If you have both straight and crossover Ethernet cables, assuming they're good, then one of them will have to work on the PIX.  You mentioned that you couldn't get link on either cable.  Unless the PIX outside interface is shutdown, you should get link with one or the other assuming the cables are good and the DSL router is functioning properly.

Do you know if the public IP address, even though it's obtained via DHCP, is statically assigned by your ISP?  In other words, they may give you the IP address through DHCP, but they may give you the same one every time which essentially means that you have a public static.  While a static public address is not essential for VPN tunnel setup, it's much more secure and is a typical way of configuring VPN's.  If you have a static, do you know what it is?  Is the HQ VPN peer a PIX firewall as well?  If so, can you obtain a copy of the config to see if there is a public address configured in there for the remote site you're working on?  This may help us down the road in getting your tunnel back up.  However, until you get link and can try to get a DHCP address from the DSL router or upstream provider, I don't think we'll be able to go any further.
 

Author Comment

by:Dopher
ID: 18788241
Answers to your most recent inquiries: I believe (and will confirm) that the new DSL router is in routed mode; they are using a large ISP, Qwest, and they don't put a router in bridged mode unless asked (and I don't even know if they'll do it then...). Because the original "bad" DSL router failed, I have no way of knowing how it was set up, bridged or routed. I'm assuming I want it bridged so the PIX can do all the work.

Currently I have the PIX in my office, and am testing it with a cable modem. Neither the straight-through nor the crossover cable lights up Int0 on the PIX; however, a straight-through cable plugged directly into a Linksys or Buffalo Tech router not only lights up Int0 but the PIX also gets an IP from either one. However, when I plug a PC into the PIX and then try to ping the Linksys or Buffalo router from the PC, it times out. The PIX isn't routing traffic to the Linksys or Buffalo. I even tried turning off the firewall on the Linksys and Buffalo, to no avail. I would assume that if my PC can get Internet connectivity while connected directly to the Linksys, and the PIX can get an IP from the working Linksys, then if a PC is plugged into the PIX, which is plugged into, and has an IP from, the Linksys, the PC should be able to access the Internet or at least ping a known public IP out there. But it doesn't.

I know what you are saying about a Static IP supplied via DHCP, and I'm not sure at this point. I will find out. Also, I know HQ has a Cisco product, but I'll find out what model and get the config.

** I have to be a pain: upon entering telnet 192.168.13.0 255.255.255.0 inside, I get "ERROR: entry for address/mask = montgomery/255.255.255.0 exists". I try to do "no telnet montgomery 255.255.255.0 inside" and write mem, so I can add the new command you mentioned, but it won't save. Do I have the syntax wrong? At the risk of wasting more time and EE space, I did a show config in HyperTerm and copied and pasted each page before it went into the scroll back buffer. Not sure if this accomplishes what you need, but see below and let me know. You have been great so far, and I really appreciate it!


PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password al3pfBxYEkoYSp1s encrypted
passwd bqNmE9x6R38x7Mhn encrypted
hostname pix501
domain-name johnrandy.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.12.0 brinkman
name 192.168.13.0 montgomery
name 192.168.11.0 office
access-list in_out deny icmp any any echo-reply
access-list in_out deny icmp any any unreachable
access-list in_out deny icmp any any time-exceeded
access-list nonat permit ip montgomery 255.255.255.0 office 255.255.255.0
access-list 100 permit ip montgomery 255.255.255.0 office 255.255.255.0
access-list splitTunnelAcl permit ip any any
pager lines 24
logging on
logging timestamp
logging standby
logging buffered debugging
logging trap notifications
logging facility 19
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.13.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 20.0.0.100-20.0.0.150
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location brinkman 255.255.255.0 outside
pdm location montgomery 255.255.255.0 outside
pdm location office 255.255.255.0 outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group in_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http montgomery 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community strfnt
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map FWVPN 10 ipsec-isakmp
crypto map FWVPN 10 match address 100
crypto map FWVPN 10 set pfs group2
crypto map FWVPN 10 set peer not_sure_what_IP_this_is
crypto map FWVPN 10 set transform-set ESP-3DES-MD5
crypto map FWVPN interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup montbrink address-pool VPN
vpngroup montbrink default-domain johnrandy.com
vpngroup montbrink split-tunnel splitTunnelAcl
vpngroup montbrink idle-time 1800
vpngroup montbrink password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.0.0 255.255.255.0 inside
telnet montgomery 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.13.100-192.168.13.130 inside
dhcpd dns 192.168.11.10 not_sure_what_IP_this_is
dhcpd wins 192.168.11.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain johnrandy.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:5d12434c06d9a25ef1092e925dc55ead
pix501(config)#


 

Author Comment

by:Dopher
ID: 18788270
Regarding telnet, here's what it's doing. I am able to go into config t and enter: telnet 192.168.13.0 255.255.255.0 inside, and it replaces the 192.168.13.0 with montgomery. I'm assuming 192.168.13.0 = montgomery somewhere in the config. If I remove telnet montgomery 255.255.255.0 inside and put in something like telnet 12.2.2.2 255.255.255.0 inside, it accepts that. Then, when I remove that and enter telnet 192.168.13.0 255.255.255.0 inside, it takes the command, but again, when I show telnet, it shows my recent entry as montgomery 255.255.255.0 inside, which I'm guessing might be OK. BUT, if I then go to a command prompt and do telnet 192.168.13.1 I get:

User Access Verification
Password:

Shouldn't it read: PIX and then prompt for a password? If I enter the Enable password, when prompted in Telnet, it won't accept it. Could the person who originally configured the PIX used a different password as a Telnet password?
 

Author Comment

by:Dopher
ID: 18788287
OK, fixed the Telnet problem! Here's the config. Again, removed the public IPs, but otherwise it's original:



User Access Verification

Password:
Type help or '?' for a list of available commands.
pix501> en
Password: *********
pix501# sho config
: Saved
: Written by enable_15 at 01:57:55.644 CST Sun Mar 25 2007
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password al3pfBxYEkoYSp1s encrypted
passwd al3pfBxYEkoYSp1s encrypted
hostname pix501
domain-name johnrandy.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.12.0 brinkman
name 192.168.13.0 montgomery
name 192.168.11.0 office
access-list in_out deny icmp any any echo-reply
access-list in_out deny icmp any any unreachable
access-list in_out deny icmp any any time-exceeded
access-list nonat permit ip montgomery 255.255.255.0 office 255.255.255.0
access-list 100 permit ip montgomery 255.255.255.0 office 255.255.255.0
access-list splitTunnelAcl permit ip any any
pager lines 24
logging on
logging timestamp
logging standby
logging buffered debugging
logging trap notifications
logging facility 19
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.13.1 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 20.0.0.100-20.0.0.150
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location brinkman 255.255.255.0 outside
pdm location montgomery 255.255.255.0 outside
pdm location office 255.255.255.0 outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group in_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http montgomery 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community strfnt
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map FWVPN 10 ipsec-isakmp
crypto map FWVPN 10 match address 100
crypto map FWVPN 10 set pfs group2
crypto map FWVPN 10 set peer not_sure_what_IP_this_is
crypto map FWVPN 10 set transform-set ESP-3DES-MD5
crypto map FWVPN interface outside
isakmp enable outside
isakmp key ******** address not_sure_what_IP_this_is netmask 255.255.255.255 no-xauth no-con
fig-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup montbrink address-pool VPN
vpngroup montbrink default-domain johnrandy.com
vpngroup montbrink split-tunnel splitTunnelAcl
vpngroup montbrink idle-time 1800
vpngroup montbrink password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.0.0 255.255.255.0 inside
telnet montgomery 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.13.100-192.168.13.130 inside
dhcpd dns 192.168.11.10 198.174.169.5
dhcpd wins 192.168.11.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain johnrandy.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:4dde06d49a865b91089832e222406f31
pix501#

 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 18788630
The "montgomery" name is listed in the following command toward the top of your PIX config.  Look at the following section of your PIX config:

names
name 192.168.12.0 brinkman
name 192.168.13.0 montgomery
name 192.168.11.0 office

This causes the PIX to list the name associated with the network address wherever you use that network address in the configuration.  Does this make sense?  You will see the same behavior with the other 2 names in your name list.  So, for example, the following two commands become equivalent in function on your PIX:

telnet 192.168.12.0 255.255.255.0 inside
telnet brinkman 255.255.255.0 inside

OK...next thing, let's allow ICMP traffic through the PIX firewall for troubleshooting.  First, take out the "deny" statements and add "permit" statements in their place:

no access-list in_out
access-list in_out permit icmp any any echo-reply
access-list in_out permit icmp any any unreachable
access-list in_out permit icmp any any time-exceeded
access-group in_out in interface outside

The last command applies the access list to the outside interface.  You already have it applied now, but when you remove the ACL with the first "no" command above, it automatically takes out the existing access group command so you have to reapply it.  This will allow you to ping the Linksys or other router through the PIX from an inside host on the 192.168.13.0/24 network.

Next, your PIX passwords.  There are two passwords associated with a PIX...the "access" password, and the "enable" password.  The access password is used when you telnet to the PIX.  The enable password is used to get to privileged mode so that you can make modifications to the PIX config.  You know when you're in enable mode by looking at the prompt...it will have a "#" at the end of it.  When you ran the "show config" command to post it, you were in enable mode.  I assume that you have the enable mode password already because of this.

If you need to change the access password to something you know, just get to enable mode first from a console session and type the command:

passwd <new_password>

where <new_password> is what you want to change it to.  You can then use this password to telnet to the PIX.

From a previous post:
>>I'm assuming I want it bridged so the PIX can do all the work.

I think this is a good idea as well.  In this manner, the public IP address sits directly on the PIX outside interface.  This is the most secure (and simplest) way of implementing a site-to-site VPN tunnel.  That way you can rule out the DSL router interfering with the VPN tunnel setup because of NAT, filtering, etc. that it may or may not be doing...if it's bridged, you know that it's just a bump on the wire and cannot be filtering any traffic...that's what the PIX is for!

Do you think the ISP will object to you putting the router into bridged mode?  I would ask them for help if the process to do this is either beyond your control (you don't have the router password, for example) or not obvious.  I've run into some routers before that needed a seance and voodoo ritual performed in order to put them into bridge mode. :)

However, first things first...we need to get connectivity established between the PIX and DSL router.  Leave the DSL router config alone for right now since we need it to have an IP address for ping testing from the PIX.  Do you know the inside IP address of the DSL router?  If so, put in those ACL statements to allow ICMP traffic that I listed above and try to ping through the PIX to the DSL router...or even try to ping from the PIX command prompt directly to the DSL router inside IP address.  Can you ping the DSL router from either of these locations?

Once we have that connectivity established, we can go from there...
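Two of the points in the accepted answer, the "names" substitution and the fact that "no access-list in_out" also drops the access-group that binds it, are easy to get wrong when reading or editing a PIX config by hand. The script below is an added example, not code from this thread or from Cisco: it models both behaviours and runs a reviewer's checks over a constructed excerpt of the config posted earlier. SAMPLE_CONFIG is assembled from lines visible in the thread; the duplicate-entry error text, the "no access-list" behaviour and the alias display are modelled on what batry_boy and Dopher describe, not on the PIX software itself. The findings the linter reports (telnet, ssh and http management permitted from any source on the outside interface, an SNMP community string stored in the config, a single-DES transform set in use, and an outside ACL with no permit for ICMP echo-reply) are read directly from the posted lines, and the last one disappears once the accepted answer's ICMP commands are applied.

```python
"""Lint a PIX 6.3 'show config' dump the way the thread's reviewer reads it.
Added example, not code from the original thread; SAMPLE_CONFIG is a constructed
excerpt assembled from lines visible in the thread."""
import re
SAMPLE_CONFIG = """\
name 192.168.12.0 brinkman
name 192.168.13.0 montgomery
name 192.168.11.0 office
access-list in_out deny icmp any any echo-reply
access-list in_out deny icmp any any unreachable
access-list in_out deny icmp any any time-exceeded
access-group in_out in interface outside
http 0.0.0.0 0.0.0.0 outside
snmp-server community strfnt
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map FWVPN 10 set transform-set ESP-3DES-MD5
telnet 0.0.0.0 0.0.0.0 outside
telnet montgomery 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""
# The accepted answer's ICMP troubleshooting change, as given in the thread.
ICMP_FIX = [
    "no access-list in_out",
    "access-list in_out permit icmp any any echo-reply",
    "access-list in_out permit icmp any any unreachable",
    "access-list in_out permit icmp any any time-exceeded",
    "access-group in_out in interface outside",
]
MGMT = ("telnet", "ssh", "http")

def config_lines(text):
    return [l.strip() for l in text.splitlines() if l.strip()]

def parse_names(lines):
    """{alias: address} from 'name <address> <alias>' statements."""
    return {m.group(2): m.group(1) for m in
            (re.match(r"^name (\S+) (\S+)$", l) for l in lines) if m}

def canonical(line, names):
    """The command with each alias replaced by its address: what the PIX matches on."""
    return " ".join(names.get(tok, tok) for tok in line.split())

def as_shown(line, names):
    """The command as 'show config' prints it: an aliased address is shown by name."""
    by_addr = {addr: alias for alias, addr in names.items()}
    return " ".join(by_addr.get(tok, tok) for tok in line.split())

def apply_commands(lines, commands):
    """Apply config-mode commands, modelling two PIX behaviours seen in the thread:
    'no access-list NAME' drops every NAME entry *and* the access-group that binds
    it, and a duplicate telnet/ssh/http entry (alias or address form) is rejected."""
    lines, names = list(lines), parse_names(lines)
    for cmd in commands:
        m = re.match(r"^no access-list (\S+)$", cmd)
        if m:
            acl = m.group(1)
            lines = [l for l in lines if not l.startswith(f"access-list {acl} ")
                     and not l.startswith(f"access-group {acl} ")]
        elif cmd.split()[0] in MGMT and any(
                canonical(l, names) == canonical(cmd, names) for l in lines):
            raise ValueError(f"ERROR: entry for {as_shown(cmd, names)} exists")
        else:
            lines.append(cmd)
    return lines

def outside_acl(lines):
    """Name of the ACL bound inbound on 'outside', or None if nothing is bound."""
    for l in lines:
        m = re.match(r"^access-group (\S+) in interface outside$", l)
        if m:
            return m.group(1)
    return None

def lint(lines):
    """Findings a reviewer would raise against this config."""
    names = parse_names(lines)
    canon = [canonical(l, names) for l in lines]
    findings = [f"{svc} management permitted from any source on outside"
                for svc in MGMT if f"{svc} 0.0.0.0 0.0.0.0 outside" in canon]
    if any(l.startswith("snmp-server community ") for l in canon):
        findings.append("SNMP community string stored in cleartext in the config")
    tsets = {m.group(1): m.group(2).split() for m in
             (re.match(r"^crypto ipsec transform-set (\S+) (.+)$", l) for l in canon) if m}
    for l in canon:
        m = re.match(r"^crypto map \S+ \d+ set transform-set (\S+)$", l)
        if m and "esp-des" in tsets.get(m.group(1), []):
            findings.append(f"crypto map uses single-DES transform set {m.group(1)}")
    acl = outside_acl(canon)
    if acl and not any(re.search(r"permit icmp .* echo-reply$", l)
                       for l in canon if l.startswith(f"access-list {acl} ")):
        findings.append(f"ACL {acl} inbound on outside has no permit for icmp "
                        "echo-reply; pings from inside hosts will time out")
    return findings

if __name__ == "__main__":
    base = config_lines(SAMPLE_CONFIG)
    print("\n".join(lint(base)), "\nafter fix:", lint(apply_commands(base, ICMP_FIX)))
```

Running the script against a real dump is a matter of pasting the output of a clean telnet or ssh session (not a HyperTerminal scroll-back buffer) into SAMPLE_CONFIG. Note that applying only the first line of ICMP_FIX leaves the outside interface with no ACL bound at all, which is exactly why the accepted answer re-enters the access-group command after the "no access-list".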

Author Comment

by:Dopher
ID: 18789742
GREAT! After your recommendations, I am able to not only PING the Linksys, but a public IP too. I then put the Linksys's IP statically into the PC that is connected to the PIX, as the DNS Server Address, and am able to browse the Web.

Should I be able to open IPsec, or some other port forwarding on the Linksys to allow the VPN to connect? Or is there something else that needs to happen?

You ROCK!
 
LVL 28

Expert Comment

by:batry_boy
ID: 18790138
If you issue the command "show ip address" on the PIX, what does it say the outside interface IP address is?  If it's a private RFC 1918 address, then we need to take the Linksys out of the loop and have the PIX get the public IP address that the Linksys most likely has obtained from your ISP.  We need this so that the VPN tunnel peer on the other side can reference the public IP address and have it establish the tunnel with the PIX.

It may be possible to have the Linksys forward the necessary ports to the PIX outside interface, but I haven't done this before so it's iffy how that will turn out.  I've always been able to put the public IP address on the PIX interface itself when setting up site-to-site tunnels.

Author Comment

by:Dopher
ID: 18792169
The outside IP is 10.0.0.175, which is given by the Linksys, as suspected. Does the 501 initiate the VPN request and "teach" the HQ Firewall what IP it has, or does the HQ Firewall need to have the 501's IP Address entered in the config? I have a feeling it could be either way and you need to see the HQ's config, as you mentioned earlier.

Also, I currently have the 501 in my office where I'm using a Cable Modem. Again, the 501 has no problem getting an IP from the Linksys. But, when I plug the 501 directly into the Cable Modem and reboot both devices, the 501 doesn't obtain an IP from my ISP (even though my Linksys does) and the 501 shows: "DHCP Command failes". Therefore, no Internet. Also, I noticed that when I first plug in the 501 while it's attached to the Cable Modem directly, the Int0 light comes on and flashes throughout the loading of the 501, but then turns off sometime during the DHCP request. The Int0 light stays on, as normal, when plugged into the Linksys.

Expert Comment

by:batry_boy
ID: 18792269
Do you have any kind of user authentication information configured in the Linksys?  Does your ISP require user authentication?

As for the VPN setup with the public IP's, typically, either side can initiate the VPN tunnel since both firewalls know the public IP address of the other one.  However, you can set it up where only one side has a static IP and the other is a dynamic IP address (still public, just dynamic).  Here is the link to a config example for this scenario:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

This may work, but maybe not through the Linksys since it's performing NAT.  The example above doesn't include a NAT device in front of the PIX with the dynamic address.  If we can figure out how to configure the Linksys to forward the proper ports to the internal IP address that it gives the PIX public IP address, we may be in luck.  If you look at the following link, there may be some help on doing this for your particular model of Linksys router if you wish to pursue this, along with the Cisco config example above:

http://portforward.com/routers.htm

Author Comment

by:Dopher
ID: 18792684
My ISP does not require authentication. I am not going to spend much time on forwarding traffic through the Linksys because I am simply trying to troubleshoot from here. I guess I'll bring it back to the client's home and see what happens. I don't think I want to mess with the config, seeing as it worked fine prior to the DSL router failure.

Knowing what you know thus far, do you think the 501 should connect to the HQ once I get the DSL modem in bridged mode and the 501 on-line at the client location? Is there a command to initiate a tunnel connection, or do I just have to keep restarting the 501 every time I make a change? Also, is there a command to renew the DHCP on the 501, or again, restart it?

Expert Comment

by:batry_boy
ID: 18792770
>Knowing what you know thus far, do you think the 501 should connect to the HQ once I get the DSL modem in bridged mode and the 501 on-line at the client location?

Hard to tell...it depends on the configuration of the HQ VPN device.  You stated that you know the HQ VPN device is a Cisco device of some sort, so it may have some configuration statements in it that point to a specific IP address on the 501 side.  If it doesn't then you've probably got the scenario presented in that link above I sent you about static-to-dynamic VPN and it may work just fine as long as the 501 initiates the connection.  In a static-to-dynamic IP address scenario, the dynamic side always has to initiate because the static side doesn't know the IP address of the dynamic side.

>Is there a command to initial a tunnel connection, or do I just have to keep restarting the 501 every time I make a change?

There is no command to initiate the tunnel.  Tunnels are initiated by sending "interesting traffic", that is traffic that is defined by your firewall configuration to be encrypted and sent down the tunnel.  In your case, the PIX 501 has the following statements:

crypto map FWVPN 10 match address 100
access-list 100 permit ip montgomery 255.255.255.0 office 255.255.255.0

The crypto map specifies that the only traffic to get encrypted and tunneled is defined by access list 100, which defines source traffic from network "montgomery" which is 192.168.13.0/24 and going to a destination of network "office" which is 192.168.11.0/24.  So, when it sees traffic from 192.168.13.x going to 192.168.11.x, it will try to initiate the tunnel connection.

>Also, is there a command to renew the DHCP on the 501, or again, restart it?

I don't know of a specific command to do this for the PIX when it is the DHCP client itself trying to get an IP for one of its interfaces.  I suppose you could take off the IP address on the outside interface and then put it back and see if that works...I've never tried it so I don't know, but it seems logical that it would have to try DHCP again if you issued these commands:

no ip address outside
ip address outside dhcp setroute retry 4

Give it a shot...

Author Comment

by:Dopher
ID: 18808398
I'm waiting for an opportunity to set the DSL modem into bridged mode and test.

Expert Comment

by:batry_boy
ID: 18808592
Cool...good luck!

Author Comment

by:Dopher
ID: 18905855
Sorry for the delay and thank you for your prompt and helpful assistance!