Help with routing on PIX 501

rickberes
Level 1

Hi everyone.

I generally do NOT do networking, so I may be a bit slow.

I'm trying to connect a branch office to a head office with two PIX 501s.

I'll need ping, traceroute and all Windows packets to traverse the system.

The system topology is as follows:

head office (192.168.1.x) -> PIX501 (inside 192.168.1.247, outside X.X.X.X) -> <cloud> -> PIX501 (inside 192.168.10.247, outside x.x.x.x) -> branch office (192.168.10.x)

I can establish both an IKE and IPSEC tunnel with my current configs, but I know I must be missing some essential route commands because I can't ping from the .10.x subnet to the .1.x subnet nor vice-versa.

I also have no Windows servers (in the .1.x subnet) visible from the .10.x subnet either.

Any help would be appreciated.

I've attached the current configs for both units.

6 Replies

bobd
Level 1

Your configs look fine for the tunnel from what I can see. I assume the workstation that you're trying to ping doesn't have problems or a software firewall preventing it from replying (XP SP2). If you had built the configs and tried immediately, it's possible that the IP address you were trying to ping from/to already had NAT entries on the PIX. You would use CLEAR XLA on both firewalls to clear any existing translations.

Bob

Thanks for the response Bob,

I CLEAR XLA'd both units and checked that my .1.x gateway was routing the .10.x traffic to the PIX.

As it turned out, it was not - so I corrected the route info in my .1.x subnet and I can now ping from the .1.x subnet to the .10.x subnet and vice-versa.

I'm pretty happy about that, but I still have no Windows server access, and it does not appear that NetBIOS traffic is coming back to the .10.x subnet.

Any other ideas? (your first ones were great, thanks)

-Rick

Is DNS working properly so that you are able to ping a server on the 1.x net from the 10.x net by name?

Hi Bob, thanks again.

Yes, I can ping by name and traceroute to servers by name.

I *think* I have full network functionality except I seem to be having problems joining the domain.

Is there a specific packet type I have to enable in order for this to work?

Sorry for the newbie questions, but like I said, I don't usually config this equipment.

If everything is there except for joining the domain it could just be a simple WINS problem. Might be worth double checking WINS settings on your remote network workstations to be sure they are pointing to the WINS server on the main network. LMHOSTS files can be used instead of WINS, but I don't usually go that route for a variety of reasons.

Bob

The types of VPN do not match.

On the head office PIX, you configure a dynamic VPN acting as a server, whereas on the branch office PIX, you configure a LAN-to-LAN VPN as well as a dynamic VPN acting as a server.

Have a look at this doc for LAN-to-LAN VPN:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Have a look at this doc for EzVPN:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

The main difference between LAN-to-LAN VPN and EzVPN is that with LAN-to-LAN VPN, either site is able to establish the VPN, whereas with EzVPN, only the client site can establish the VPN.

In order to determine which VPN to deploy, you need to figure out the type of public IP on both sites. Assuming both sites have static public IPs, then you can choose either LAN-to-LAN VPN or EzVPN, whereas if only one of the sites has a static public IP, then only EzVPN is feasible.
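For readers who want to see what the symmetric LAN-to-LAN setup described in the reply above looks like, here is a minimal PIX 6.x static crypto map configuration for both units. This is an added example written for this thread, not the attached configs or anything from Cisco's documents. It uses the subnets and inside addresses from the original post and keeps the public addresses as the post's X.X.X.X (head office) and x.x.x.x (branch) placeholders; the access-list and crypto map names, the transform set, the pre-shared key and the ISP gateway are assumptions to be replaced with real values. Lines starting with `!` are explanatory comments and should be stripped before pasting into a PIX 6.x CLI.

```cisco
! ---------- Head office PIX 501 (inside 192.168.1.247, outside X.X.X.X) ----------
! Interesting traffic: the whole head office LAN to the whole branch LAN.
! Matching on "ip" means ICMP, NetBIOS/WINS, SMB, Kerberos, LDAP and RPC
! all ride the tunnel; a narrower ACL here is the usual cause of "ping works,
! domain join does not".
access-list vpn-to-branch permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
! Exempt tunnel traffic from NAT; without this the PIX PATs the source to X.X.X.X
! and the branch never sees 192.168.1.x addresses.
nat (inside) 0 access-list vpn-to-branch
! Let decrypted IPsec traffic bypass the outside interface access list.
sysopt connection permit-ipsec
! Default route toward the ISP (ISP-GATEWAY is an assumed placeholder).
route outside 0.0.0.0 0.0.0.0 ISP-GATEWAY 1
! IKE phase 1: pre-shared key bound to the branch peer only, 3DES/SHA/DH group 2
! (3DES is the strongest cipher on a 6.x PIX 501 and assumes the 3DES license).
isakmp enable outside
isakmp key PRESHARED-KEY address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! IKE phase 2: a static (not dynamic) crypto map with an explicit peer.
crypto ipsec transform-set branch-set esp-3des esp-sha-hmac
crypto map branch-map 10 ipsec-isakmp
crypto map branch-map 10 match address vpn-to-branch
crypto map branch-map 10 set peer x.x.x.x
crypto map branch-map 10 set transform-set branch-set
crypto map branch-map interface outside

! ---------- Branch office PIX 501 (inside 192.168.10.247, outside x.x.x.x) ----------
! Mirror image of the head office: source and destination swapped, peer swapped.
access-list vpn-to-head permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list vpn-to-head
sysopt connection permit-ipsec
route outside 0.0.0.0 0.0.0.0 ISP-GATEWAY 1
isakmp enable outside
isakmp key PRESHARED-KEY address X.X.X.X netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set head-set esp-3des esp-sha-hmac
crypto map head-map 10 ipsec-isakmp
crypto map head-map 10 match address vpn-to-head
crypto map head-map 10 set peer X.X.X.X
crypto map head-map 10 set transform-set head-set
crypto map head-map interface outside

! ---------- Verification, on either PIX ----------
! Phase 1 should show QM_IDLE for the peer; phase 2 should show encaps/decaps
! counters climbing on both sides while you ping across.
show crypto isakmp sa
show crypto ipsec sa
! Drop stale translations built before the nat 0 exemption existed (the
! "CLEAR XLA" step from the first reply).
clear xlate
```

Two points from the thread that this configuration does not solve on its own: the head office LAN gateway (not the PIX) still needs a route for 192.168.10.0/24 pointing at 192.168.1.247, and the branch gateway needs the mirror route for 192.168.1.0/24 via 192.168.10.247, otherwise replies never reach the tunnel; and the pre-shared key is bound to a single static peer address on each side, which is exactly why this static-map form requires static public IPs at both sites, as the reply explains. Keep the key long and random, because in aggressive mode a weak pre-shared key can be recovered offline by anyone who captures the exchange.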
