1721 Router to PIX 515 help!

anthonyv (Level 1)

PROBLEM:

I am trying to get my 1721 router and my PIX 515 to work together, and I'm not sure what is holding me back.

DETAILS:

- I've got the outside interface of the PIX connected to the inside interface of the router with a crossover cable.

- I've got the outside interface of the router connected to the T1 and can use the router as my default gateway to successfully get to the internet without the PIX in between. Once the PIX is in place between the router and my host, and I change the default gateway on the host to the PIX, it does NOT work.

- Ping from the inside network to the PIX inside interface: YES, works.

- Ping from the inside network to the router inside interface: does NOT work.

- Ping from a host using the PIX as its default gateway to a working outside IP: does NOT work, but I can see the ICMP on the PIX being sent to the router.

- Ping from an outside host to inside IPs works, but I do not see the ICMP on the PIX debug screen like I should; I think the router is responding.

Here are the configs for both the router and the PIX, in that order. Please help!

--1721 ROUTER CONFIG--

Current configuration : 1087 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PacBellRouter
!
enable secret 5 XXXXXXXX
enable password XXXX
!
ip subnet-zero
ip name-server 206.13.28.12
ip name-server 206.13.31.12
!
modemcap entry line
!
interface FastEthernet0
 description TO LOCAL LAN
 ip address 192.168.100.2 255.255.255.0
 ip nat inside
 speed auto
!
interface Serial0
 description PB CKT 40HCGS991156_OO1PT
 ip address 64.160.180.38 255.255.255.240
 ip nat outside
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
!
! NAT on the router: LAN sources matching access-list 1 are translated to the provider pool
ip nat pool webaccess 209.76.153.161 209.76.153.174 netmask 255.255.255.240
ip nat inside source list 1 pool webaccess
ip classless
ip route 0.0.0.0 0.0.0.0 64.160.180.37
no ip http server
!
access-list 1 permit 192.168.100.0 0.0.0.255
!
line con 0
 password cnsc1
line aux 0
 exec-timeout 300 0
 password XXXXXX
 login
 modem InOut
 flowcontrol hardware
line vty 0
 password XXXXXXX
 login
line vty 1 4
 password XXXXXX
 login
!
no scheduler allocate
end

---PIX 515 CONFIG---

PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXX encrypted
passwd XXXXX encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.100.4 255.255.255.0
ip address inside 192.168.100.3 255.255.255.0
arp timeout 14400
global (outside) 1 209.76.153.162 netmask 255.255.255.240
global (outside) 1 209.76.153.163-209.76.153.174 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.100.2 0
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 192.168.100.30 255.255.255.0
telnet timeout 5
terminal width 80
Cryptochecksum:XXXXXX
pixfirewall#

3 Replies

yusuff (Cisco Employee)

First of all, the IP addresses on the inside and outside interfaces of your PIX are wrong. You cannot have the same subnet on both of these interfaces; they have to be different subnets.

Secondly, your router does not have a static route back for the 209.76.153.0 network pointing to your PIX, since you are NATing on the PIX.

Your PIX config is wrong. I am forwarding you these basic PIX URLs, which will help you set up your PIX:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/bafwcfg.htm#xtocid17

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/index.htm

HTH

R/Yusuf

mb9841 (Level 1)

Unless there is a specific reason why you need NAT on the 17xx router, I would not use NAT there. I would let the PIX handle the NAT function and overload NAT on the outside interface of the PIX.

As pointed out in the previous response, you need to have different subnets on your inside and outside PIX interfaces. Typically what I do is assign my "available LAN addresses" from my provider to the Ethernet interface of the router and the outside interface of the PIX (one address each). Let the PIX perform NAT. Point a static default route from the PIX to the IP address on the Ethernet port of the router. You won't need a route to the 209 subnet on the 1720 because it is locally attached on FE0. All traffic coming from the firewall to the router already has a source of 209.x.x.x because of NAT on the firewall. The only static route needed on the 1700 is a default to the PacBell Internet router.

Good Luck
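The two replies above describe two conditions the router/PIX handoff has to satisfy: the PIX inside and outside interfaces must sit on different subnets, and every address the PIX translates to must be one the router can route back toward the PIX (a connected subnet or a specific static route; the router's default route only sends it back out to the ISP). The script below is an added example, not code from the thread. It parses the relevant lines of the configs posted in the thread (first attempt and the working follow-up, both constructed here as short excerpts) and applies those checks plus a third one, that the PIX default-route next hop lies on its outside subnet. Treating "reachable" as connected-or-non-default-static is this example's own simplification.

```python
"""Check the routing/NAT handoff between a PIX 4.x and an IOS router.

Added example. Parses only the 'ip address', 'global', 'route' and
'ip route' lines that the thread's configs contain.
"""
import ipaddress
import re

# Constructed excerpts of the first-attempt configs posted in the thread.
PIX_BEFORE = """
ip address outside 192.168.100.4 255.255.255.0
ip address inside 192.168.100.3 255.255.255.0
global (outside) 1 209.76.153.162 netmask 255.255.255.240
global (outside) 1 209.76.153.163-209.76.153.174 netmask 255.255.255.240
route outside 0.0.0.0 0.0.0.0 192.168.100.2 0
"""
ROUTER_BEFORE = """
interface FastEthernet0
 ip address 192.168.100.2 255.255.255.0
interface Serial0
 ip address 64.160.180.38 255.255.255.240
ip route 0.0.0.0 0.0.0.0 64.160.180.37
"""
# Constructed excerpts of the working configs from the follow-up post.
PIX_AFTER = """
ip address outside 209.76.153.163 255.255.255.240
ip address inside 192.168.100.2 255.255.255.0
global (outside) 1 209.76.153.164 netmask 255.255.255.240
global (outside) 1 209.76.153.165-209.76.153.166 netmask 255.255.255.240
route outside 0.0.0.0 0.0.0.0 209.76.153.162 0
"""
ROUTER_AFTER = """
interface FastEthernet0
 ip address 209.76.153.162 255.255.255.240
interface Serial0
 ip address 64.160.180.38 255.255.255.240
ip route 0.0.0.0 0.0.0.0 64.160.180.37
"""


def pix_interfaces(cfg):
    """{name: IPv4Interface} from 'ip address <name> <addr> <mask>' lines."""
    out = {}
    for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)", cfg, re.M):
        out[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
    return out


def pix_globals(cfg):
    """Expand 'global (outside) N a.b.c.d[-e.f.g.h]' into individual addresses."""
    addrs = []
    for m in re.finditer(r"^global \(\S+\) \d+ (\S+)", cfg, re.M):
        first, _, last = m.group(1).partition("-")
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last) if last else lo
        addrs.extend(ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1))
    return addrs


def pix_default_next_hop(cfg):
    """Next hop of the PIX default route, or None if there is none."""
    m = re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    return ipaddress.ip_address(m.group(1)) if m else None


def router_routes(cfg):
    """Connected subnets plus non-default static routes on the IOS router."""
    nets = [ipaddress.ip_interface(f"{a}/{m}").network
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)", cfg, re.M)]
    for dst, mask in re.findall(r"^ip route (\S+) (\S+) \S+", cfg, re.M):
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        if net.prefixlen > 0:  # a default route is not a return path to the PIX
            nets.append(net)
    return nets


def check_handoff(pix_cfg, router_cfg):
    """Return a list of problems; an empty list means the handoff is consistent."""
    problems = []
    ifs = pix_interfaces(pix_cfg)
    if ifs["inside"].network == ifs["outside"].network:
        problems.append(f"pix inside and outside share subnet {ifs['inside'].network}")
    nh = pix_default_next_hop(pix_cfg)
    if nh is None or nh not in ifs["outside"].network:
        problems.append(f"pix default next hop {nh} is not on the outside subnet")
    routes = router_routes(router_cfg)
    for g in pix_globals(pix_cfg):
        if not any(g in n for n in routes):
            problems.append(f"router has no return route for global address {g}")
            break  # one example address is enough to report
    return problems


if __name__ == "__main__":
    print("before:", check_handoff(PIX_BEFORE, ROUTER_BEFORE))
    print("after: ", check_handoff(PIX_AFTER, ROUTER_AFTER))
```

Run against the first-attempt excerpts it reports both problems the replies name (shared subnet, no router return route for 209.76.153.x); against the working configs it reports nothing, because the global addresses now fall inside the router's connected 209.76.153.160/28 on FastEthernet0.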

Everything's working now. Thank you a bunch for your detailed answer. I'm wondering how I can refine my setups; I would like to remove any unnecessary commands from both the router and the firewall. Can you point out stuff to remove? Thanks again!

---- 1721 Router setup ------

PacBellRouter#show config
Using 671 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PacBellRouter
!
enable secret 5 xxXXXxxXXX.
!
ip subnet-zero
!
modemcap entry line
!
interface FastEthernet0
 description TO LOCAL LAN
 ip address 209.76.153.162 255.255.255.240
 speed auto
!
interface Serial0
 description PB CKT 40HCGS991156_OO1PT
 ip address 64.160.180.38 255.255.255.240
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
!
no ip classless
ip route 0.0.0.0 0.0.0.0 64.160.180.37
no ip http server
!
line con 0
 password XXXXX
line aux 0
 exec-timeout 300 0
line vty 0 4
 ! vty sessions are accepted without any authentication
 no login
!
end

PacBellRouter#

---- PIX SETUP --------

pixfirewall# show config
: Saved
:
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXX encrypted
passwd XXXXXXXX encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.76.153.163 255.255.255.240
ip address inside 192.168.100.2 255.255.255.0
arp timeout 14400
global (outside) 1 209.76.153.164 netmask 255.255.255.240
global (outside) 1 209.76.153.165-209.76.153.166 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 209.76.153.162 0
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
Cryptochecksum:f6745a2108ae0e91dfb90083f4dcfa54
pixfirewall#
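The follow-up asks which commands can be removed. Beyond the unused NAT and RIP statements, the lines a reviewer would want changed before this pair fronts a T1 are management-plane ones that the posted configs still carry: `line vty 0 4` with `no login` on the router (remote access with no authentication), `no service password-encryption` alongside clear-text line passwords, the clear-text `enable password` in the first router config, the default `snmp-server community public` on the PIX, and, in the first PIX config, `conduit permit icmp any any` and a `telnet` permit whose mask is not a host mask. The linter below is an added example, not code from the thread; it runs over constructed excerpts of the first-attempt and follow-up configs above and returns those findings so the before/after difference is visible.

```python
"""Flag management-plane weaknesses in IOS and PIX 4.x config excerpts.

Added example. The rules cover only commands that appear in the thread's
posted configs; the excerpts below are constructed from those posts.
"""
import re

# Constructed from the first router config posted in the thread.
ROUTER_FIRST = """\
no service password-encryption
enable secret 5 XXXXXXXX
enable password XXXX
line con 0
 password cnsc1
line vty 0
 password XXXXXXX
 login
line vty 1 4
 password XXXXXX
 login
"""
# Constructed from the follow-up 'show config' on the router.
ROUTER_FINAL = """\
no service password-encryption
enable secret 5 xxXXXxxXXX.
line con 0
 password XXXXX
line aux 0
 exec-timeout 300 0
line vty 0 4
 no login
"""
# Constructed from the first and the follow-up PIX configs.
PIX_FIRST = """\
enable password XXX encrypted
conduit permit icmp any any
snmp-server community public
telnet 192.168.100.30 255.255.255.0
telnet timeout 5
"""
PIX_FINAL = """\
enable password XXXXXXX encrypted
snmp-server community public
telnet timeout 5
"""


def ios_line_blocks(cfg):
    """Yield (header, [child commands]) for each 'line ...' section of an IOS config."""
    header, children = None, []
    for raw in cfg.splitlines() + ["end"]:  # sentinel flushes the last block
        if raw.startswith(" ") and header:
            children.append(raw.strip())
            continue
        if header:
            yield header, children
        header = raw if raw.startswith("line ") else None
        children = []


def lint_ios(cfg):
    """Return findings for an IOS config excerpt (empty list = nothing flagged)."""
    findings = []
    if re.search(r"^enable password ", cfg, re.M):
        findings.append("enable password: clear-text/reversible; keep only enable secret")
    if (re.search(r"^no service password-encryption", cfg, re.M)
            and re.search(r"^\s+password ", cfg, re.M)):
        findings.append("no service password-encryption: line passwords stored in clear text")
    for header, children in ios_line_blocks(cfg):
        if not header.startswith("line vty"):
            continue
        if "no login" in children or not any(c.startswith("login") for c in children):
            findings.append(f"{header}: remote access without authentication")
    return findings


def lint_pix(cfg):
    """Return findings for a PIX 4.x config excerpt."""
    findings = []
    if re.search(r"^snmp-server community public\b", cfg, re.M):
        findings.append("snmp-server community public: default community string")
    for proto in re.findall(r"^conduit permit (\S+) any any", cfg, re.M):
        findings.append(f"conduit permit {proto} any any: unrestricted inbound {proto}")
    ip = r"(\d+\.\d+\.\d+\.\d+)"
    for addr, mask in re.findall(rf"^telnet {ip} {ip}", cfg, re.M):
        if mask != "255.255.255.255":
            findings.append(f"telnet {addr} {mask}: not a single-host entry")
    return findings


if __name__ == "__main__":
    for name, cfg, fn in [("router first", ROUTER_FIRST, lint_ios),
                          ("router final", ROUTER_FINAL, lint_ios),
                          ("pix first", PIX_FIRST, lint_pix),
                          ("pix final", PIX_FINAL, lint_pix)]:
        print(name, fn(cfg))
```

Note that the cleanup in the follow-up removed the ICMP conduit and the telnet permit, but the router's vty lines went from password-protected to `no login`, so the final router config is flagged where the first one was not; the PIX `enable password` is not flagged because that is the normal form of the command on PIX 4.x.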
