• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1665

Cisco PIX and T1 setup for office to office Point-to-Point

I'm having trouble pinging computers past an Adtran 608 Router and Cisco PIX Firewall 506E from one office A to another office B using an Adtran 608 Router and Cisco PIX Firewall 501. The Firewalls connect to the internet using public IPs and the Cisco PIX 501 is also serving as DHCP server for office B. I can ping to office B's pix and router and computers; however, I'm unable to ping to office A's computers. I ping to office A's pix and router. I'm using a T1 line for connection between the offices - A static LAN is 10.10.2.2 and B static LAN is 10.10.3.2. I've set a static route in both Firewalls - route inside 10.10.3.0 255.255.255.0 10.10.2.2 - A ; route inside 10.10.2.0 255.255.255.0 10.10.3.2 - B. Office A's computers can't ping to office B's computers, router, or PIX using windows; I can however ping from inside the PIX. Office B's computers can't ping office A's computers, router, or PIX using windows; I can however ping from inside the PIX, but only up to the Firewall, nothing past it. My T1 carrier has set up a PTP PIN network and indicated all I needed to do was to plug my routers into a switch and I'm good to go. I've troubleshot with them for weeks now and they've even changed the routers, no luck. Any help would be helpful. I've attached a copy of the Cisco PIX Firewall 506E Config. It was set up before me and I'm not sure of what's exactly needed. My LAN network is 10.10.2.X - A & 10.10.3.X - B.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hCs9jXpzXU7xSx3. encrypted
passwd 0lPOOGP.h4cJGxTQ encrypted
hostname pbfpix
domain-name pelican.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol smtp 110
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any host 70.88.32.137 eq 85
access-list inbound permit tcp any host 70.88.32.137 eq 3389
access-list inbound permit tcp any host 70.88.32.137 eq citrix-ica
access-list inbound permit tcp any host 70.88.32.137 eq 5632
access-list inbound permit tcp any host 70.88.32.137 eq pcanywhere-data
access-list inbound permit tcp any host 70.88.32.137 eq ftp
access-list inbound permit tcp any host 70.88.32.137 eq www
access-list inbound permit tcp any host 70.88.32.137 eq 3443
access-list inbound permit tcp any host 70.88.32.137 eq 1694
access-list inbound permit tcp any host 70.88.32.137 eq 8080
access-list inbound permit tcp any host 70.88.32.137 eq 10050
access-list inbound permit tcp any host 70.88.32.137 eq 4080
access-list inbound permit tcp any host 70.88.32.137 eq 2000
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any host 70.88.32.137 eq 1604
access-list inbound permit tcp any host 70.88.32.137 eq pop3
access-list inbound permit tcp any host 70.88.32.137 eq smtp
access-list inbound permit tcp any host 0.0.0.70
access-list inbound permit tcp any host 70.88.32.137 eq 6251
access-list inbound permit tcp any host 70.88.32.137 eq nntp
access-list inbound permit tcp any host 70.88.32.137 eq 3322
access-list inbound permit tcp any host 70.88.32.137 eq 61254
access-list inbound permit tcp any host 70.88.32.137 eq 587
access-list inbound permit tcp any host 70.88.32.137 eq https
access-list inbound permit tcp any host 10.10.3.0
access-list vpn_nonat permit ip 10.10.2.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpnclient permit ip 10.10.2.0 255.255.255.0 192.168.20.0 255.255.255.0
no pager
logging on
logging buffered debugging
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any echo inside
icmp permit any time-exceeded inside
mtu outside 1500
mtu inside 1500
ip address outside 70.88.32.137 255.255.255.252
ip address inside 10.10.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.20.20-192.168.20.52
pdm location 10.2.0.2 255.255.255.255 inside
pdm location 10.2.0.22 255.255.255.255 inside
pdm location 10.2.0.80 255.255.255.255 inside
pdm location 10.2.0.155 255.255.255.255 inside
pdm location 10.2.0.160 255.255.255.255 inside
pdm location 10.2.0.252 255.255.255.255 inside
pdm location 65.41.16.13 255.255.255.255 outside
pdm location 192.168.20.0 255.255.255.0 inside
pdm location 68.51.199.189 255.255.255.255 outside
pdm location 192.168.20.0 255.255.255.0 outside
pdm location 10.10.2.4 255.255.255.255 inside
pdm location 10.10.2.5 255.255.255.255 inside
pdm location 10.10.2.20 255.255.255.255 inside
pdm location 10.10.2.160 255.255.255.255 inside
pdm location 10.10.3.0 255.255.255.0 outside
pdm location 10.10.2.252 255.255.255.255 inside
pdm location 10.3.0.0 255.255.255.0 inside
pdm location 10.2.0.0 255.255.255.0 inside
pdm location 10.2.0.6 255.255.255.255 inside
pdm location 10.2.0.7 255.255.255.255 inside
pdm location 10.2.0.18 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn_nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 70.88.32.137 citrix-ica 10.10.2.5 citrix-ica netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.88.32.137 3443 10.10.2.5 3443 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.88.32.137 8080 10.10.2.5 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.88.32.137 85 10.10.2.160 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.88.32.137 1604 10.10.2.5 1604 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.88.32.137 ftp 10.10.2.252 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.88.32.137 4080 10.10.2.252 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.88.32.137 smtp 10.10.2.6 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.88.32.137 www 10.10.2.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.88.32.137 3389 10.10.2.7 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.88.32.137 pop3 10.10.2.6 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.88.32.137 https 10.10.2.6 https netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 70.88.32.138 1
route inside 10.10.3.0 255.255.255.0 10.10.2.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 65.41.16.13 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 10.2.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 10.10.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set stronger esp-aes esp-sha-hmac
crypto ipsec transform-set strongest esp-aes-256 esp-sha-hmac
crypto dynamic-map pelican-dyn 20 set transform-set strongest stronger strong
crypto map pelicanvpn 20 ipsec-isakmp
crypto map pelicanvpn 20 set pfs group2
crypto map pelicanvpn 20 set peer 70.88.35.9
crypto map pelicanvpn 20 set transform-set strongest stronger strong
! Incomplete
crypto map pelicanvpn 65535 ipsec-isakmp dynamic pelican-dyn
crypto map pelicanvpn interface outside
isakmp enable outside
isakmp key ******** address 70.88.35.9 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup PELICAN address-pool VPN
vpngroup PELICAN dns-server 10.10.2.7 68.87.74.162
vpngroup PELICAN wins-server 10.10.2.7
vpngroup PELICAN default-domain pelican.com
vpngroup PELICAN split-tunnel vpnclient
vpngroup PELICAN split-dns pelican.local
vpngroup PELICAN pfs
vpngroup PELICAN idle-time 1800
vpngroup PELICAN password ********
telnet 70.88.32.137 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
management-access inside
console timeout 0
username admin password ZtmwWxwfZJPPSOvr encrypted privilege 15
terminal width 132
Cryptochecksum:66333248129ca2c180ce69b31a34d851
: end
pbfpix#

Asked: tincup23
1 Solution
 
batry_boy Commented:
Is 10.10.2.2 the Adtran router at site A?  Can you ping any 10.10.3.x hosts from the Adtran router?

For the computers at site A, do you have their default gateway set to the Adtran IP or to the PIX inside interface (10.10.2.254)?  If you have the default gateway set to the PIX, then I can see the problem with your traffic flow.  The PIX is not a router and you're trying to use it like one.  It cannot redirect the traffic back to the Adtran when it receives traffic destined for the 10.10.3.0 network from computers at site A because it is not a true router.

If I understand your topology correctly, it looks like this:

              ----------------Internet----------------
             /                                        \
     Site A PIX 506                             Site B PIX 501
            |                                          |
            |                  P2P T1                  |
  Site A Adtran Router-----------------------Site B Adtran Router
            |                                          |
            |                                          |
Site A LAN (10.10.2.0/24)                  Site B LAN (10.10.3.0/24)

Is this correct?  If it is, here is what I suggest:

1. Configure computers at site A to have a default gateway of the Site A Adtran router
2. Configure the Site A Adtran router's default gateway to point to Site A's PIX inside interface
3. Configure computers at site B to have a default gateway of the Site B Adtran router
4. Configure the Site B Adtran router's default gateway to point to Site B's PIX inside interface
5. Make sure that both Site A and Site B Adtran routers have static routes that point to the other site's LAN addressing to go over the T1 connection (serial interface, or FR PVC, whatever that connection is on the Adtran)

Does this make sense?
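To make the gateway point concrete, here is an added Python model of the two-site topology drawn in the answer above (it is not code from the thread or from Cisco). Site A addresses are the ones in the posted config; Site B's PIX inside address, the T1 link addresses and both outside links are assumed values, and the Adtran routes follow step 5 of the answer.

```python
import ipaddress as ipa

# Constructed model: Site A addresses from the posted config (10.10.2.254 = PIX inside,
# 10.10.2.2 = Adtran); Site B PIX (10.10.3.254), the T1 link and outside links are assumed.
NET_A, NET_B, T1 = map(ipa.ip_network, ["10.10.2.0/24", "10.10.3.0/24", "192.0.2.0/30"])
ANY = ipa.ip_network("0.0.0.0/0")
# device -> {interface: (own IP, connected network)}
IFACES = {
    "pixA":    {"inside": ("10.10.2.254", NET_A), "outside": ("70.88.32.137", ipa.ip_network("70.88.32.136/30"))},
    "adtranA": {"lan": ("10.10.2.2", NET_A), "t1": ("192.0.2.1", T1)},
    "adtranB": {"lan": ("10.10.3.2", NET_B), "t1": ("192.0.2.2", T1)},
    "pixB":    {"inside": ("10.10.3.254", NET_B), "outside": ("198.51.100.1", ipa.ip_network("198.51.100.0/30"))},
}
# device -> [(destination, next hop)]: PIX entries mirror the posted `route inside` lines, Adtran entries are step 5
ROUTES = {
    "pixA":    [(NET_B, "10.10.2.2"), (ANY, "70.88.32.138")],
    "adtranA": [(NET_B, "192.0.2.2"), (ANY, "10.10.2.254")],
    "adtranB": [(NET_A, "192.0.2.1"), (ANY, "10.10.3.254")],
    "pixB":    [(NET_A, "10.10.3.2"), (ANY, "198.51.100.2")],
}
PIXES = {"pixA", "pixB"}

def owner_of(ip):
    """Return (device, interface) holding this address, or None if it is off-model (Internet)."""
    for dev, ifs in IFACES.items():
        for name, (addr, _) in ifs.items():
            if addr == ip:
                return dev, name
    return None

def trace(gateway, dst, max_hops=8):
    """Follow a packet from a LAN host whose default gateway is `gateway` toward `dst`; returns
    (verdict, devices traversed). Models PIX 6.3: transit traffic never exits the interface it entered."""
    dst, next_hop, path = ipa.ip_address(dst), gateway, []
    for _ in range(max_hops):
        hop = owner_of(next_hop)
        if hop is None:
            return f"left the model toward {next_hop} (Internet)", path
        dev, ingress = hop
        path.append(dev)
        ifs = IFACES[dev]
        # a directly connected destination wins; otherwise longest-prefix match over the static routes
        egress = next((n for n, (_, net) in ifs.items() if dst in net), None)
        if egress is None:
            _, next_hop = max(((n, nh) for n, nh in ROUTES[dev] if dst in n), key=lambda r: r[0].prefixlen)
            egress = next(n for n, (_, net) in ifs.items() if ipa.ip_address(next_hop) in net)
        if dev in PIXES and egress == ingress:
            return f"dropped by {dev}: would exit {egress}, the interface it entered", path
        if dst in ifs[egress][1]:
            return f"delivered via {dev} {egress}", path
    return "hop limit exceeded", path
```

`trace("10.10.2.254", "10.10.3.20")` (host gateway = PIX) is dropped at the PIX even though its `route inside` line is correct, while `trace("10.10.2.2", "10.10.3.20")` (host gateway = Adtran) is delivered over the T1; pings sourced by the PIX itself are not transit traffic, which is why they still work from inside the PIX.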
 
tincup23 (Author) Commented:
If I added a Cisco Router 2811 to both sites, would I need to configure the computers to use the Cisco's IP Address as the default gateways?
 
batry_boy Commented:
It depends on whether you are replacing the Adtran routers with the Cisco routers or not.  Are you going to do this?