OK, this is a long question, so bear with me. Also, it is in many parts, and I will split off the points if I have to.
Let's say I am a total newbie at Cisco router and firewall config and I need to set up a Cisco 1720 with a T-1 CSU/DSU and a PIX 506e firewall. Could anyone take me through all the commands step by step so I can get them right?
Here is what I want to do: I want to set up the Cisco 1720 so it can get to the internet (of course), then from the router I need it to go into the firewall, where the inside interface will be NAT (IP 192.168.1.1). I also need to set up the PIX for VPN with Windows 2k/XP and for a Linksys router with VPN. I will also need to set up port forwarding so that I can use Remote Desktop, pcAnywhere and Terminal Services.
Comment from lrmoore
Date: 01/12/2005 08:15AM PST
>inside interface will be nat ( ip 192.168.1.1).
First off, I need to counsel you on NOT using this particular IP subnet for your inside LAN
Why?
>I also need to setup the pix for vpn <
The VAST majority of home users and home broadband routers use either 192.168.0.x or 192.168.1.x
Having the same IP subnet on both ends of a VPN is NOT a good idea. Save yourself a drugstore bill
(headache pills) and start off right. Use something more obscure for the internal LAN, like
192.168.233.x
OK, let's start with the 1720 and get the T1 up:
Assume that you are at the router> prompt:
router>enable
password:
router#config t
router(config)#
From that point, all of these commands can be entered:
interface serial 0/0 <== or "serial 0" depending
no shutdown
ip address x.127.10.236 255.255.255.252
interface FastEthernet 0
no shutdown
ip address x.127.2.225 255.255.255.240
router(config-if)# exit <== you need to exit the Interface config
router(config)# <== get back to global config
ip classless
ip route 0.0.0.0 0.0.0.0 x.127.10.235
end
router# write mem <==save the config
[OK]
router#
<done>
PIX#setup <== follow the prompts and answer the questions. Below are the primary items you need to get going:
interface eth0 auto
interface eth1 auto <== this is same as "no shut" on router interfaces to enable the interface
ip address outside x.127.2.226 255.255.255.240
ip address inside 192.168.233.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 192.168.233.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.127.2.225
You might have to reset the DHCP scope on the PIX if you don't want to use the default 192.168.1.x subnet...

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
ip subnet-zero
!
interface Serial0
 ip address x.127.10.236 255.255.255.240
 no ip directed-broadcast
!
interface FastEthernet0
 ip address x.127.2.225 255.255.255.240
 no ip directed-broadcast
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.127.10.235
no ip http server
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end
Router#
________________________
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.127.2.226 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 206.127.2.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:7091367344674f301180092fe42a4d19
This is what I have so far on the 1720 router and the PIX 506e. I can't get the PIX to ping the router; I have tried from the console. Can you see if I entered anything wrong? I know that I used the 192.168.1.1 subnet, but I just need this for now; I will fine-tune it later. BTW, glad I got you, lrmoore; you helped me with my last Cisco issue. I also need to know what I will have to do to set up the PIX to allow a Linksys router to VPN into the network.
Thanks
Bill
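lrmoore's point about not putting 192.168.1.x on a VPN endpoint, and the router and PIX configs Bill posted just above, are the kind of thing worth checking mechanically before the boxes go live. What follows is an added example, not code from this thread or from Cisco: it parses a constructed IOS config and a constructed PIX 6.x config (TEST-NET addresses, not Bill's real ones) and cross-checks them. It also flags `no ip routing` and the router's default-route next hop, which are not part of lrmoore's advice at this point in the thread; with `no ip routing` an IOS router behaves as a host and answers for its own addresses but forwards nothing.

```python
import ipaddress
import re

# Constructed configs in the shape of the ones posted above. Addresses are
# TEST-NET stand-ins, not the thread's real ones; the defects are deliberate.
ROUTER_CFG = """\
hostname Router
ip subnet-zero
no ip routing
interface Serial0
 ip address 203.0.113.238 255.255.255.252
interface FastEthernet0
 ip address 198.51.100.225 255.255.255.240
 half-duplex
ip classless
ip route 0.0.0.0 0.0.0.0 203.0.113.237
"""

PIX_CFG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.51.100.226 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 198.51.100.225 1
"""

# Subnets so common on home LANs that a VPN peer (a home PC or a Linksys) will
# likely sit on one of them too; the same subnet on both ends of a VPN does not route.
COMMON_HOME_SUBNETS = [ipaddress.ip_network("192.168.0.0/24"),
                       ipaddress.ip_network("192.168.1.0/24")]


def parse_ios(text):
    """Pull interfaces, the default route and the flags we care about from an IOS config."""
    cfg = {"interfaces": {}, "default_gw": None, "flags": set()}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            cfg["interfaces"][cur] = {"ip": None, "half_duplex": False}
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and cur:
            cfg["interfaces"][cur]["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif line == "half-duplex" and cur:
            cfg["interfaces"][cur]["half_duplex"] = True
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            cfg["default_gw"] = ipaddress.ip_address(m[1])
        elif line == "no ip routing":
            cfg["flags"].add("no ip routing")
    return cfg


def parse_pix(text):
    """Pull the named interface addresses and the outside default route from a PIX 6.x config."""
    cfg = {"interfaces": {}, "default_gw": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\w+) (\S+) (\S+)$", line):
            cfg["interfaces"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            cfg["default_gw"] = ipaddress.ip_address(m[1])
    return cfg


def lint(router, pix):
    """Cross-check the two configs and return a list of findings (empty when clean)."""
    findings = []
    if "no ip routing" in router["flags"]:
        findings.append("ERROR router: 'no ip routing' - the router answers for its own "
                        "addresses but forwards nothing; configure 'ip routing'")
    for name, iface in router["interfaces"].items():
        if iface["half_duplex"]:
            findings.append(f"WARN router {name}: half-duplex; use 'no half-duplex' (auto)")
    gw = router["default_gw"]
    connected = [i["ip"].network for i in router["interfaces"].values() if i["ip"]]
    if gw is None:
        findings.append("ERROR router: no default route")
    elif not any(gw in net for net in connected):
        findings.append(f"ERROR router: default next hop {gw} is not on a connected subnet")
    outside = pix["interfaces"].get("outside")
    inside = pix["interfaces"].get("inside")
    fe = next((i["ip"] for n, i in router["interfaces"].items()
               if n.startswith("FastEthernet") and i["ip"]), None)
    if outside and fe:
        if outside.network != fe.network:
            findings.append(f"ERROR PIX outside {outside} is not in router LAN {fe.network}")
        if pix["default_gw"] != fe.ip:
            findings.append(f"ERROR PIX default next hop {pix['default_gw']} is not the router's {fe.ip}")
    if inside:
        for net in COMMON_HOME_SUBNETS:
            if inside.network.overlaps(net):
                findings.append(f"WARN PIX inside {inside.network} overlaps the common home subnet "
                                f"{net}; pick something obscure like 192.168.233.0/24 before adding VPNs")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_ios(ROUTER_CFG), parse_pix(PIX_CFG)):
        print(finding)
```

On the constructed input this reports three things: routing disabled on the router, half-duplex on FastEthernet0, and an inside LAN that collides with 192.168.1.0/24; the adjacency checks (PIX outside in the router's LAN subnet, PIX default route pointing at the router's LAN address, router default route on the serial subnet) pass.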
Are you using a crossover cable or hub/switch to connect the Fast 0 on the router to the Eth0 of the PIX?
Eth 1 is the inside interface on PIX
>interface FastEthernet0
ip address x.127.2.225 255.255.255.240
no ip directed-broadcast
half-duplex <== should be auto - use "no half-duplex"
I'm sorry if I am a little bit slow; how do I change the half-duplex on the router? I need a lot of step-by-step things. I am using a crossover cable from the 10/100 Ethernet port on the router to Ethernet 0 on the PIX. As of right now I have not made any changes to the PIX or the Cisco router.
Thanks
Bill
On the router:
router(config)#interface Fast0
router(config-if)#no half-duplex
Then, can you post the result of
router#sho ip int brief
router#sho arp
And from the PIX
PIX# show interface
Look for Interface UP, line protocol UP on both interface
PIX#show arp
Let's get these two up and working, then post a new question to work on the VPN to the Linksys, OK? It helps keep the solutions database cleaner.
Router#sho ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0 x.127.2.225 YES NVRAM up up
Serial0 x.127.10.236 YES NVRAM up up
Router#sho arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet x.127.2.226 47 000d.6585.72e9 ARPA FastEthernet0
Internet x.127.2.225 - 0050.547d.42f4 ARPA FastEthernet0
Router#
This is from the Router
TCI# show interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000d.6585.72e9
IP address x.127.2.226, subnet mask 255.255.255.240
MTU 1500 bytes, BW 10000 Kbit full duplex
71 packets input, 7122 bytes, 0 no buffer
Received 7 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
328 packets output, 25464 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
39 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/4) software (0/4)
interface ethernet1 "inside" is up, line protocol is down
Hardware is i82559 ethernet, address is 000d.6585.72ea
IP address 192.168.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
1830 packets input, 153269 bytes, 0 no buffer
Received 111 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1617 packets output, 1918053 bytes, 0 underruns
0 output errors, 439 collisions, 0 interface resets
0 babbles, 0 late collisions, 38 deferred
13 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/22)
output queue (curr/max blocks): hardware (0/41) software (0/41)
TCI#
TCI# show arp
outside x.127.2.225 0050.547d.42f4
inside 192.168.1.24 000c.f1ee.00c2
inside 192.168.1.26 000c.f1b3.19d9
inside 192.168.1.21 000c.76eb.9dbd
inside 192.168.1.22 000c.f1ef.5369
inside 192.168.1.10 000b.ab04.8dfc
inside 192.168.1.20 0020.18d9.4ecb
This is from the PIX.
As I have to keep switching between the old cable modem and the 1720 to get it working and have internet, I will post these right now and check back in a few.
Comment
Everything looks good except for the inside interface on the PIX
>interface ethernet1 "inside" is up, line protocol is down <==
Is it plugged into the network?
If you plug it all in and change your PC's default gateway to the PIX, can you get out on the network?
Don't worry about pinging, because ICMP is not allowed by default.
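The two things lrmoore is reading off Bill's `show interface` output, the `line protocol is down` on ethernet1 and the half-duplex setting with its collision counters, can be pulled out of that text mechanically. This is an added example, not code from the thread or from Cisco: it parses constructed PIX 6.x `show interface` output in the same shape (MAC addresses and counters made up; ethernet1 is given late collisions and CRC errors that Bill's real output did not have, so that the duplex-mismatch branch is exercised) and turns it into findings.

```python
import re

# Constructed PIX 6.x "show interface" output in the shape Bill posted. MAC
# addresses and counters are made up; ethernet1 is given late collisions and
# CRC errors (Bill's real output had none) so every branch below is exercised.
SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0000.5e00.5301
  IP address 198.51.100.226, subnet mask 255.255.255.240
  MTU 1500 bytes, BW 10000 Kbit full duplex
        71 packets input, 7122 bytes, 0 no buffer
        Received 7 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        328 packets output, 25464 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        39 lost carrier, 0 no carrier
interface ethernet1 "inside" is up, line protocol is down
  Hardware is i82559 ethernet, address is 0000.5e00.5302
  IP address 192.168.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        1830 packets input, 153269 bytes, 0 no buffer
        Received 111 broadcasts, 0 runts, 0 giants
        0 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1617 packets output, 1918053 bytes, 0 underruns
        0 output errors, 439 collisions, 0 interface resets
        0 babbles, 12 late collisions, 38 deferred
        13 lost carrier, 0 no carrier
"""

HEADER = re.compile(r'^interface (\S+) "(\w+)" is (\w+), line protocol is (\w+)')
# "0 output errors, 439 collisions, 0 interface resets" -> (count, label) pairs
COUNTER = re.compile(r"(?:^|, )(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|$)")


def parse_show_interface(text):
    """Return {name: {nameif, admin, line, duplex, counters}} for each interface."""
    ifaces = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            cur = {"nameif": m[2], "admin": m[3], "line": m[4],
                   "duplex": None, "counters": {}}
            ifaces[m[1]] = cur
        elif cur is None:
            continue
        elif m := re.search(r"\b(full|half) duplex\b", line):
            cur["duplex"] = m[1]
        else:
            # the "Received N broadcasts" line has no leading count, so drop the word
            for count, label in COUNTER.findall(re.sub(r"^Received ", "", line)):
                cur["counters"][label] = int(count)
    return ifaces


def diagnose(ifaces):
    """Turn the parsed state into the physical-layer findings a reviewer would raise."""
    findings = []
    for name, i in ifaces.items():
        c = i["counters"]
        tag = f'{name} "{i["nameif"]}"'
        if i["line"] != "up":
            findings.append(f"{tag}: line protocol is {i['line']} - no link; check the cable "
                            "(crossover to a router or PC, straight-through to a switch) and the far-end port")
        if c.get("late collisions", 0):
            findings.append(f"{tag}: {c['late collisions']} late collisions on a {i['duplex']}-duplex port - "
                            "duplex mismatch; set both ends to auto or force the same duplex")
        elif i["duplex"] == "half" and c.get("collisions", 0):
            findings.append(f"{tag}: half duplex with {c['collisions']} collisions - normal for a "
                            "half-duplex link, but confirm the peer is not forced to full")
        if c.get("CRC", 0) or c.get("runts", 0):
            findings.append(f"{tag}: {c.get('CRC', 0)} CRC / {c.get('runts', 0)} runts - bad cable, "
                            "or this is the full-duplex side of a duplex mismatch")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_show_interface(SHOW_INTERFACE)):
        print(finding)
```

Late collisions only ever show up on the half-duplex side of a mismatched link, and CRC errors and runts on the full-duplex side, which is why the two are reported separately; on a link that is down the counters are historical and the cable is the first thing to check.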
OK, I made some mistakes in my first post and typed in the IP numbers incorrectly, so when I was copying and pasting them in it came out wrong. Here is all the correct info, along with the router and PIX config as of this moment.
IP address Allocation x.127.8.225/28
WAN-Side x.127.10.236/30
Network IP x.127.8.224
Broadcast IP x.127.8.239
Subnet mask 255.255.255.240
Available IP addresses x.127.8.225-x.127.8.238
Gateway x.127.8.225
DNS x.207.0.3
x.127.0.3
TCI# show config
: Saved
: Written by enable_15 at 12:16:07.412 UTC Wed Jan 12 2005
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname TCI
domain-name TCI.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 206.127.8.226 255.255.255.240   !!!!!!!!!!!! I had to change the subnet mask, it would not take the other!!!
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 206.127.8.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:eb7679cf36b0606c91534a751eadcda1
TCI#
TCI#show configuration
Using 662 out of 29688 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname TCI
!
enable secret 5 $1$RCBp$51KPRLuVdFXDwH1ZQuT4T.
enable password
!
ip subnet-zero
no ip routing
!
interface Serial0
 ip address x.127.10.236 255.255.255.240
 no ip directed-broadcast
 no ip route-cache
!
interface FastEthernet0
 ip address x.127.8.225 255.255.255.240
 no ip directed-broadcast
 no ip route-cache
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.127.8.235
no ip http server
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password
 login
!
no scheduler allocate
end
TCI#
Check the post above; here is the new router and PIX configuration. I called my telco provider and we went through some things. From the console on the 1720 I can ping the DNS of a couple of places on the T-1 router, I can ping the router from the PIX firewall, and I can ping the PIX from the network, but I can't get out to the internet, and I cannot ping out to the internet from the PIX firewall. Here are the configurations for both.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname TCI
domain-name TCI.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 206.127.8.226 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.10 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 206.127.8.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.240-192.168.1.250 inside
dhcpd dns 207.207.0.3 206.127.0.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:4100eee013da863e4fd8c769eaa2f800
_________________________________
00:56:28: %SYS-5-CONFIG_I: Configured from console by console[OK]
TCI#show configuration
Using 663 out of 29688 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname TCI
!
enable secret 5 $1$RCBp$51KPRLuVdFXDwH1ZQuT4T.
enable password chaotic
!
ip subnet-zero
no ip routing
!
interface Serial0
 ip address 206.127.10.238 255.255.255.252
 no ip directed-broadcast
 no ip route-cache
!
interface FastEthernet0
 ip address 206.127.8.225 255.255.255.240
 no ip directed-broadcast
 no ip route-cache
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 206.127.10.237
no ip http server
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password chaotic
 login
!
no scheduler allocate
end
TCI#
All info is current and waiting for replies.
Thanks
Bill
P.S. BTW, I have gone through the entire config with the telco guy and he can find nothing wrong with any of the settings.
OK, let's add ICMP support so you can try pings, traceroutes and see what happens
On the PIX:
PIX(config)#access-list icmp_inbound permit icmp any any
PIX(config)#access-group icmp_inbound in interface outside
Now, from the PIX console, try to ping the Serial IP of the router:
PIX#ping 206.127.10.238
Success?
Yes, ping next hop - 206.127.10.237
Yes? ping known internet host - 198.6.1.2
Yes? From a PC, try
ping 192.168.1.1
ping 206.127.10.237
ping 198.6.1.2
Yes?
Try opening a web page
No? Post result of
PIX# show access-list
C:\>ipconfig /all
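lrmoore's sequence of pings is a ladder: each target sits one hop further out from the PC, and the first rung that fails points at the segment with the problem. The following is an added example, not code from this thread or from Cisco, that applies that logic to a constructed Windows ping transcript in the shape Bill posts later (the inside gateway 192.168.1.1 is the thread's; the router and next-hop addresses are TEST-NET stand-ins, and 198.6.1.2 is the public host lrmoore names). It goes a little beyond the post: it adds a rung for the router's LAN-side address, treats a rung that was never pinged as unknown rather than failed, and counts only `Reply from <target>` lines, because Windows ping counts a `Destination host unreachable` reply from the local gateway as a received packet. The ICMP access-list lrmoore adds above is what lets the echo replies back in through the PIX outside interface on PIX 6.x; without it every rung past the PIX would fail for the wrong reason.

```python
import re

# Constructed Windows ping transcript. 192.168.1.1 is the PIX inside address
# from the thread; 203.0.113.x / 198.51.100.x are TEST-NET stand-ins for the
# router, and 192.0.2.9 is a host that simply does not exist.
SAMPLE_TRANSCRIPT = """\
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<10ms TTL=255
Reply from 192.168.1.1: bytes=32 time<10ms TTL=255

Pinging 198.6.1.2 with 32 bytes of data:
Request timed out.
Request timed out.

Pinging 203.0.113.237 with 32 bytes of data:
Request timed out.
Request timed out.

Pinging 203.0.113.238 with 32 bytes of data:
Reply from 203.0.113.238: bytes=32 time<10ms TTL=255
Reply from 203.0.113.238: bytes=32 time<10ms TTL=255

Pinging 192.0.2.9 with 32 bytes of data:
Reply from 192.168.1.1: Destination host unreachable.
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
"""

# (rung, target, what it means when this is the first tested rung that fails),
# ordered by distance from the PC.
LADDER = [
    ("pix_inside", "192.168.1.1",
     "PC cannot reach the PIX inside interface: PC gateway/subnet, cable or the inside port"),
    ("router_lan", "198.51.100.225",
     "PIX inside answers but the router's LAN-side address does not: PIX nat/global, "
     "route outside, or the outside ACL dropping the echo replies"),
    ("router_wan", "203.0.113.238",
     "router LAN side answers but its WAN-side address does not: Serial0 down"),
    ("next_hop", "203.0.113.237",
     "both router addresses answer but the next hop does not: the router is not "
     "forwarding (ip routing off, default route wrong) or the T1 circuit is down"),
    ("internet_host", "198.6.1.2",
     "next hop answers but a public host does not: upstream routing or the provider"),
]


def parse_windows_ping(transcript):
    """Map each pinged target to True if at least one echo reply came back from
    that target, else False. Only 'Reply from <target>' counts: Windows reports a
    'Destination host unreachable' from the local gateway as a received packet."""
    results = {}
    target = None
    for line in transcript.splitlines():
        if m := re.match(r"Pinging (\S+) with", line):
            target = m[1]
            results[target] = False
        elif target and re.match(rf"Reply from {re.escape(target)}:", line):
            results[target] = True
    return results


def localize(results):
    """Walk the ladder outward and return (rung, diagnosis) for the first rung that
    was tested and failed; untested rungs are skipped rather than blamed. A router
    that answers for both of its own interfaces proves nothing about forwarding
    (it does that with 'no ip routing' too), so only the next-hop rung tests it."""
    for rung, target, diagnosis in LADDER:
        state = results.get(target)
        if state is None:
            continue
        if not state:
            return rung, diagnosis
    return None, "every tested rung answers: IP connectivity is fine; check DNS and the PIX outbound policy"


if __name__ == "__main__":
    results = parse_windows_ping(SAMPLE_TRANSCRIPT)
    for target, ok in results.items():
        print(f"{target:16} {'reply' if ok else 'no reply'}")
    print(localize(results))
```

On the constructed transcript the PC reaches the PIX and the router's WAN-side address but not the next hop, so the verdict lands on the router not forwarding, which is where a `no ip routing` or a wrong default route would show up.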
I could ping all the addresses up there and still could not get on the internet. I think you mistyped: 206.127.10.237 should have been 206.127.10.238, I think. I was able to ping all the way out to the outside interface of the Cisco router but not able to get onto the internet. Here are the 2 things you wanted me to post for you ...
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : ALTI-SERV1A-IP
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139(A) PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-0B-AB-04-8D-FC
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 207.207.0.3
206.127.0.3
TCI# show access-list
access-list icmp_inbound; 1 elements
access-list icmp_inbound permit icmp any any (hitcnt=4)
If you need anything else let me know
Bill
>I could ping all the address up there
Does this include 198.6.1.2 ?? This is a UUNET/MCI nameserver. If you can ping it, then you should have full internet access
OK, from your PC
C:\>ping 206.127.10.237 and
C:\>ping 206.127.10.238
Then:
C:\>tracert 198.6.1.2 and:
C:\>tracert 206.127.0.3
Post the results
Comment from maxeyb
Date: 01/12/2005 04:00PM PST
C:\Documents and Settings\Administrator>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=10ms TTL=255
Reply from 192.168.1.1: bytes=32 time<10ms TTL=255
Reply from 192.168.1.1: bytes=32 time=10ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 10ms, Average = 6ms
Control-C
^C
C:\Documents and Settings\Administrator>ping 198.6.1.2
Pinging 198.6.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 198.6.1.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Administrator>ping 206.127.10.237
Pinging 206.127.10.237 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 206.127.10.237:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Administrator>ping 206.127.10.238
Pinging 206.127.10.238 with 32 bytes of data:
Reply from 206.127.10.238: bytes=32 time<10ms TTL=255
Reply from 206.127.10.238: bytes=32 time<10ms TTL=255
Reply from 206.127.10.238: bytes=32 time<10ms TTL=255
Reply from 206.127.10.238: bytes=32 time<10ms TTL=255
Ping statistics for 206.127.10.238:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Administrator>tracert 198.6.1.2
Tracing route to 198.6.1.2 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 ^C
C:\Documents and Settings\Administrator>tracert 206.127.0.3
Tracing route to 206.127.0.3 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * ^C
C:\Documents and Settings\Administrator>
Also, there is a weird address when I look at the PDM for the firewall. I didn't put it in there, but it shows up in the hosts/networking tab: the outside interface has the IP number 206.127.8.224. I told the telco guy this and he said it wasn't a valid number. Now, I didn't use it in any configuration, so I'm not sure how it got there.
BTW, just so you can see, here are the running configs for the PIX and the router again.
PIX 506E
TCI# show config
: Saved
: Written by enable_15 at 16:27:00.796 UTC Wed Jan 12 2005
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname TCI
domain-name TCI.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list icmp_inbound permit icmp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 206.127.8.226 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.10 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group icmp_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 206.127.8.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.240-192.168.1.250 inside
dhcpd dns 207.207.0.3 206.127.0.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:d1eae3ce932b3c48051b9e9ddbdc849e
TCI#
CISCO 1720
TCI#show configuration
Using 663 out of 29688 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname TCI
!
enable secret 5 $1$RCBp$51KPRLuVdFXDwH1ZQuT4T.
enable password chaotic
!
ip subnet-zero
no ip routing
!
interface Serial0
 ip address 206.127.10.238 255.255.255.252
 no ip directed-broadcast
 no ip route-cache
!
interface FastEthernet0
 ip address 206.127.8.225 255.255.255.240
 no ip directed-broadcast
 no ip route-cache
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 206.127.10.237
no ip http server
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password chaotic
 login
!
no scheduler allocate
TCI#
Hope this helps
Bill
This seems to be a straight PIX problem. When I console into the T-1 router I am able to ping whatever I want. I also have another internet connection in the office via a cable modem, and I am able to telnet to the router and log into it. So the T-1 is getting on the internet; it has to be something with the PIX firewall that is messing it up.
Bill
Accepted Answer
> also have another internet connection in the office via a cable modem
Do you have another router connected to this modem? Is it also the same IP 192.168.1.1 that you are using on the PIX?
I figured out the problem: IP routing was not turned on on the router. Everything seems to be working. Thanks, lrmoore.
If you could check, I am about to post the question for the Linksys router.
Thanks again
Bill