Solved

Connecting to a PIX 501 Firewall though a Linksys Wireless Router

Posted on 2007-03-27
Last Modified: 2010-04-11
I'm setting up a wireless connection in a coffee shop and am using a Linksys wireless router in conjunction with a Cisco PIX 501 Firewall. I have been given a static IP address from my ISP. This address ends in .82 and is assigned to the Linksys router. I then use the standard internal IP scheme (DHCP) for handing out IPs to any wireless users that may want to connect to the internet (192.168.2.100 - 200 range). The outside adapter on the PIX is set to 192.168.2.2 and then the inside adapter is translated to 192.168.1.1. I then have 2 Point of sale computers connected directly to the PIX set up on the 192.168.1.1 schema (but with their own assigned IP addresses). These 2 computers are behind the PIX Firewall for obvious security reasons. The only problem is I'm trying to connect to these internal Point of sale computers via a VPN connection. In my VPN client software I can't make a direct call to the internal IP address of either of these computers because it's a generic internal IP scheme. I try to connect to the IP assigned address of .82 but that just tells the VPN software to try and negotiate with the Linksys instead of the PIX. How do I tell the Linksys to handle this VPN request? Do I need to set up port forwarding or NAT or DMZ or something? I had this working a year ago and don't remember having this problem. If anyone has any ideas how I can set up the Linksys to handle this VPN connection and push it through to the PIX I would really appreciate any suggestions. Thanks!
Question by:dsgonzales
LVL 28

Expert Comment

by:batry_boy
ID: 18805667
I would try setting up port forwarding on the Linksys.  In the Linksys GUI, you should have a "Security" tab with a checkbox that reads "Block Anonymous Internet Requests".  Uncheck this box.

Next, go to "Applications & Gaming" and look at the "Port Range Forward" section.  Try the following two ports first:

UDP 500          <----isakmp
UDP 4500        <----NAT traversal

Specify those port numbers as both the start and end ports each on a separate line, choose UDP for the protocol, and choose 192.168.2.2 as the IP address to forward to (the PIX outside interface).  Then try a VPN connection and see what you get.

I would make sure that the VPN is functioning properly without going through the Linksys before I tried the port forwarding.  That way you know that if you try the port forwarding and it doesn't work, then there is something in the port forwarding setup itself (and not the PIX VPN config) that is the problem.  Put your VPN client on the 192.168.2.0/24 network right outside the PIX and try a VPN connection and see if it works.  If you are successful, then try the port forwarding configuration in the Linksys, then move to the outside of the Linksys and establish the VPN connection again.

If you have IPSEC over TCP configured on the PIX, you will need to forward TCP 10000 (default port) through the Linksys.

Good luck!

Author Comment

by:dsgonzales
ID: 18810523
I was able to connect via the VPN when I put a laptop on the Linksys network that exists outside the PIX firewall. However I am still unable to connect to the PIX through the outside of the Linksys. I set up (in the Linksys) port forwarding for UDP 5000 and UDP 4500 and still nothing. I also unchecked the "Block Anonymous Internet Requests" - Still no luck. I even put the outside IP Address of the PIX 192.168.2.2 in the DMZ zone. I still cannot connect. Any other suggestions are appreciated. Thanks.

Brian
LVL 28

Accepted Solution

by:batry_boy (earned 125 total points)
ID: 18810594
" I setup (in the Linksys) port forwarding for UDP 5000 and UDP 4500 and still nothing."

You need to forward UDP 500, not UDP 5000...is this what you meant?
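A small validator for the forwarding table discussed in batry_boy's first comment and in the accepted answer above, added here as an example; it is not Linksys or Cisco code and was not posted by either participant. It models each "Port Range Forward" row as a dataclass, checks that UDP 500 and UDP 4500 (plus TCP 10000 when IPsec over TCP is enabled on the PIX) are forwarded to the PIX outside interface, and flags the 5000-for-500 slip that derailed the asker's first attempt. The row format, the `Forward` class and the sample table are constructed for this example.

```python
"""Validate a consumer-router port-forward table for the IPsec ports a PIX behind it needs.

Added example for this thread; it is not Linksys or Cisco code. The Forward rows are a
constructed, simplified model of the Linksys "Port Range Forward" page (one row per rule).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    proto: str   # "UDP" or "TCP"
    start: int   # first port of the forwarded range
    end: int     # last port of the forwarded range
    to_ip: str   # LAN host that receives the traffic


# Ports the thread says must reach the PIX outside interface for a remote-access VPN.
REQUIRED_UDP = {500: "isakmp", 4500: "NAT traversal"}
IPSEC_OVER_TCP_PORT = 10000  # PIX default when IPsec over TCP is configured


def missing_ipsec_forwards(rules, pix_outside_ip, ipsec_over_tcp=False):
    """Return a list of problems with the table; an empty list means every needed port is covered."""
    needed = [("UDP", port, why) for port, why in REQUIRED_UDP.items()]
    if ipsec_over_tcp:
        needed.append(("TCP", IPSEC_OVER_TCP_PORT, "IPsec over TCP"))

    problems = []
    for proto, port, why in needed:
        same_proto = [r for r in rules if r.proto.upper() == proto]
        if any(r.start <= port <= r.end and r.to_ip == pix_outside_ip for r in same_proto):
            continue  # a rule already sends this port to the PIX

        hint = ""
        wrong_host = [r for r in same_proto if r.start <= port <= r.end]
        if wrong_host:
            hint = f"; a rule sends it to {wrong_host[0].to_ip} instead"
        else:
            # Catch the slip from the thread: a trailing-zero typo such as 5000 for 500.
            near = [r for r in same_proto
                    if r.start == r.end and r.start != port
                    and str(r.start).rstrip("0") == str(port).rstrip("0")]
            if near:
                hint = f"; found {proto} {near[0].start}, did you mean {port}?"
        problems.append(f"missing {proto} {port} -> {pix_outside_ip} ({why}){hint}")
    return problems


if __name__ == "__main__":
    PIX_OUTSIDE = "192.168.2.2"  # PIX outside interface, from the question
    # Constructed table reproducing the asker's first attempt (5000 entered instead of 500).
    table = [Forward("UDP", 5000, 5000, PIX_OUTSIDE),
             Forward("UDP", 4500, 4500, PIX_OUTSIDE)]
    for line in missing_ipsec_forwards(table, PIX_OUTSIDE) or ["table is complete"]:
        print(line)
```

Run against the asker's table it reports UDP 500 as missing and points at the 5000 entry; with the corrected rows it returns an empty list, and passing `ipsec_over_tcp=True` additionally demands the TCP 10000 rule batry_boy mentions. Checking the table this way before touching the PIX keeps the troubleshooting order the expert recommends: confirm the VPN works from 192.168.2.0/24 first, then make the Linksys rules account for every port the tunnel needs.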
 

Author Comment

by:dsgonzales
ID: 18810635
Sorry, I didn't mean 5000. I used 500. Do you have any other ideas?
Thanks
LVL 28

Expert Comment

by:batry_boy
ID: 18810662
What does your "route outside 0.0.0.0 0.0.0.0" point to?
LVL 28

Expert Comment

by:batry_boy
ID: 18810672
That last statement would be in the PIX, not the Linksys...sorry, forgot to mention that.