jbainc

asked on
Routing through 2514 and PIX 501

Greetings;

We currently have a branch office with a 2514 (IOS 12.2) connecting to the Internet on E0 and two internal domains on E1. Both networks use the same wire, but have different subnets. The E1 interface has both a primary and a secondary IP address. Everything seems to function correctly. We now have a requirement to connect a PIX 501 in between the ISP and the networks. While we have been able to lash up the PIX to the ISP and the E0 interface, we cannot now reach the Internet from our internal networks. Both the router and the PIX (I think) have been configured to allow all traffic from the internal networks out and specific permissions for the DNS servers in. Hosts connected directly to the ports on the PIX are able to connect to services on the Internet. Each domain in the private subnets has a DNS server with forwarders pointing to the ISP's DNS servers. Both domains are configured to exchange DNS zones. I am not sure if this problem is a fatal architecture design flaw, or simply a configuration problem. Any help would be greatly appreciated. Thanks in advance.

Regards,
Jeff

Below is the current config for both the 2514 and the 501.

!  Cisco 2514 - 2 Domains on separate Private subnets (Win 2003)

Router#sho run
Building configuration...

Current configuration : 872 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable password XXXXXXXXXXXXXXXXXXXXXX
!
ip subnet-zero
ip name-server 192.168.20.2
!
!
!
!
!
interface Ethernet0
 description connected to PIX
 ip address 192.168.1.2 255.255.255.0
 ip helper-address xxx.xxx.xxx.xxx !ISP DNS1
 ip helper-address xxx.xxx.xxx.xxx !ISP DNS2
 ip rip send version 2
!
interface Ethernet1
 description connected to EthernetLAN
 ip address 192.168.10.1 255.255.255.0 secondary
 ip address 192.168.20.1 255.255.255.0
 no cdp enable
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
!
banner motd ^XXXXXXXXXXXXXXXXXXXXXX.^C
!
line con 0
 exec-timeout 0 0
 login
line aux 0
line vty 0 4
 login
!
end

Router#sho ver
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IK8OS-L), Version 12.2(17a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 19-Jun-03 15:17 by pwade
Image text-base: 0x03070670, data-base: 0x00001000

ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
BOOTLDR: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
     .
     .
     .
cisco 2500 (68030) processor (revision D) with 16384K/2048K bytes of memory.
Processor board ID 04202704, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102


! PIX 501

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
hostname PIX501
domain-name XXXXXXXXXXXXXXXXX
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.10.0 Dom1
name 192.168.1.0 DMZ
name 192.168.20.0 Dom2
name xxx.xxx.xxx.xxx ISP
name xxx.xxx.xxx.xxx Other Branch Office
name xxx.xxx.xxx.xxx DNS
name xxx.xxx.xxx.xxx DNS1
object-group network XXXXXXXXXXXXXX
  network-object Dom2 255.255.255.0
  network-object Dom1 255.255.255.0
object-group network ISPDNS
  network-object DNS 255.255.255.255
  network-object DNS1 255.255.255.255
access-list inside_outbound_nat0_acl permit ip DMZ 255.255.255.0 interface outside
access-list inside_outbound_nat0_acl permit ip Dom1 255.255.255.0 interface outside
access-list outside_cryptomap_20 permit ip DMZ 255.255.255.0 interface outside
access-list outside_cryptomap_20 permit ip Dom1 255.255.255.0 interface outside
access-list outside_access_in remark DNS 1
access-list outside_access_in permit ip host DNS1 any log 4
access-list outside_access_in remark DNS 2
access-list outside_access_in permit ip host DNS any log 4
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 192.168.20.2
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Dom1 192.168.10.61-192.168.10.99
pdm location Dom1 255.255.255.0 inside
pdm location ISP 255.255.255.255 outside
pdm location Dom2 255.255.255.0 inside
pdm location OBO 255.255.255.255 outside
pdm location 192.168.20.2 255.255.255.255 inside
pdm location DNS 255.255.255.255 outside
pdm location DNS1 255.255.255.255 outside
pdm group XXXXXXXXXXXXXXXXXX inside
pdm group ISPDNS outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
rip outside passive version 2
rip inside default version 2
route outside DNS 255.255.255.255 DNS 1
route outside DNS1 255.255.255.255 DNS1 1
route inside Dom1 255.255.255.0 192.168.1.1 1
route inside Dom2 255.255.255.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp authenticate
ntp server 192.5.41.209 source outside prefer
http server enable
http OBO 255.255.255.255 outside
http DMZ 255.255.255.0 inside
http Dom1 255.255.255.0 inside
http Dom2 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community Dom2_Look
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer OBO
crypto map outside_map 20 set transform-set ESP-AES-128-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address OBO netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
telnet OBO 255.255.255.255 outside
telnet Dom1 255.255.255.0 inside
telnet Dom2 255.255.255.0 inside
telnet timeout 5
ssh OBO 255.255.255.255 outside
ssh Dom1 255.255.255.0 inside
ssh Dom2 255.255.255.0 inside
ssh timeout 5
management-access outside
console timeout 0
dhcpd address 192.168.1.2-192.168.1.99 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username XXXXXX password XXXXXXXXXXXXXXXXXXXXXXXXx encrypted privilege 15
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXX
: end
[OK]


ASKER CERTIFIED SOLUTION
Les Moore

jbainc

ASKER

++Only one point. Instead of using your Eth 0 as the default route of the router:
++>ip route 0.0.0.0 0.0.0.0 Ethernet0

++Use the explicit ip address of the PIX instead:
++no ip route 0.0.0.0 0.0.0.0 Ethernet0
++ip route 0.0.0.0 0.0.0.0 192.168.1.1

Your first point was on target, dead center mass. Your solution worked like a charm. The offending line in question was actually a throwback from the previous configuration, when the 2514 was pulling duty as the border router/firewall with NAT. In my fog, I overlooked its significance completely. Implementing your solution lit up the boards. Thanks for the assist.

regards,

Jeff
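The point in Les Moore's quoted reply generalises beyond this thread: a static route that names only an exit interface is fine on a point-to-point link, but on Ethernet it makes the router ARP for every remote destination and depends on the neighbour answering those ARPs for the whole Internet (proxy ARP), which a firewall such as the PIX does not do, so the route silently blackholes. The lint below is an added example, not code from the thread, from Cisco or from Experts Exchange. It parses an IOS running-config excerpt modelled on the 2514 config above, flags interface-only static routes on multi-access interfaces, proposes the explicit next-hop form, and checks that the proposed next hop actually sits on the exit interface's subnet. The `next_hops` mapping (router interface to the PIX inside address) and the extra Serial0 route are constructed assumptions used to show the contrast with a point-to-point link.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Interface types on broadcast/multi-access media, where a static route that
# names only the exit interface makes the router ARP for every destination and
# depends on the neighbour answering (proxy ARP).  Point-to-point types such as
# Serial are not affected.
BROADCAST_PREFIXES = ("Ethernet", "FastEthernet", "GigabitEthernet", "Vlan")

# Constructed running-config excerpt modelled on the 2514 config in the
# question; the Serial0 address and route are added assumptions for contrast.
SAMPLE_CONFIG = """\
interface Ethernet0
 description connected to PIX
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1
 ip address 192.168.10.1 255.255.255.0 secondary
 ip address 192.168.20.1 255.255.255.0
!
interface Serial0
 ip address 10.9.1.1 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 10.9.0.0 255.255.0.0 Serial0
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")


@dataclass
class StaticRoute:
    prefix: str
    mask: str
    gateway: str  # interface name or next-hop IP, exactly as written
    line: str

    @property
    def via_interface(self) -> bool:
        """True when the gateway token is an interface name rather than an IP."""
        try:
            ipaddress.ip_address(self.gateway)
        except ValueError:
            return True
        return False


def parse_static_routes(config: str) -> list[StaticRoute]:
    routes = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            routes.append(StaticRoute(*m.groups(), raw.strip()))
    return routes


def interface_networks(config: str) -> dict[str, list[ipaddress.IPv4Interface]]:
    """Map each interface to its primary and secondary IPv4 addresses."""
    nets: dict[str, list[ipaddress.IPv4Interface]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            nets[current] = []
        elif current and raw.startswith(" ip address "):
            parts = raw.split()  # ip address <addr> <mask> [secondary]
            nets[current].append(ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}"))
        elif not raw.startswith(" "):
            current = None  # left the interface stanza ('!' or a global command)
    return nets


def lint_routes(config: str, next_hops: dict[str, str]) -> list[dict]:
    """Flag static routes that exit a broadcast interface without a next hop.

    `next_hops` maps interface name -> the neighbour's IP on that segment
    (here the PIX inside address) and is used to build the replacement.
    """
    nets = interface_networks(config)
    findings = []
    for r in parse_static_routes(config):
        if not r.via_interface or not r.gateway.startswith(BROADCAST_PREFIXES):
            continue
        hop = next_hops.get(r.gateway)
        finding = {
            "line": r.line,
            "reason": f"{r.gateway} is multi-access; route relies on proxy ARP",
            "suggested": [],
            "next_hop_on_link": None,
        }
        if hop:
            finding["suggested"] = [f"no {r.line}", f"ip route {r.prefix} {r.mask} {hop}"]
            # The replacement next hop must sit on the exit interface's own
            # subnet, otherwise the new route is just as unreachable.
            finding["next_hop_on_link"] = any(
                ipaddress.ip_address(hop) in i.network for i in nets.get(r.gateway, [])
            )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in lint_routes(SAMPLE_CONFIG, {"Ethernet0": "192.168.1.1"}):
        print(f["line"], "->", f["reason"])
        for cmd in f["suggested"]:
            print("   ", cmd)
```

Run against the sample, only the Ethernet0 default route is reported, with the two-line replacement matching the quoted fix; the Serial0 route passes because a point-to-point link needs no ARP resolution.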