
Can't get beyond Router

majunior882
Level 1

I have a Cisco 2621 router connected to a PIX 515 firewall. The computers connected to the firewall can ping the port on the router that the firewall is connected to, but can't go beyond that. Here are my configs:

Router (Cisco 2621)

!
username xxxx password 0 xxxx
ip subnet-zero
!
!
ip name-server x.x.x.x
ip name-server x.x.x.x
ip name-server x.x.x.x
!
vpdn enable
vpdn logging
vpdn logging user
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local group1
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
interface FastEthernet0/0
 ip address 172.16.4.65 255.255.255.192
 ip nat inside
 duplex auto
 speed auto
!
!
interface FastEthernet0/1
 ip address 64.45.175.ccc 255.255.255.xxx secondary
 ip address 64.45.175.ddd 255.255.255.xxx
 ip nat outside
 speed auto
 half-duplex
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 no keepalive
 peer default ip address pool group1
 ppp encrypt mppe auto required
 ppp authentication ms-chap
!
ip local pool group1 172.16.4.6 172.16.4.30
ip default-gateway 69.45.175.xxx
ip nat inside source list 102 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 64.45.175.xxx
ip http server
!
!
ip access-list extended LAN
 permit ip host 172.16.4.224 host 64.45.175.ddd
 permit ip host 172.16.4.232 host 64.45.175.ccc
 permit ip host 172.16.4.244 host 64.45.175.bbb
 permit ip host 172.16.4.247 host 64.45.175.aaa
access-list 102 permit ip 172.16.0.0 0.0.255.255 any
access-list 102 permit tcp 172.16.0.0 0.0.255.255 any
access-list 102 permit tcp any eq domain any

PIX 515:

nameif ethernet0 outside security0
nameif ethernet1 secnetwork security30
nameif ethernet2 prinetwork security10
nameif ethernet3 slavenetwork security20
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit tcp any any eq telnet
access-list acl_out permit udp any any eq 23
access-list acl_prinetwork permit icmp any any
access-list acl_prinetwork permit tcp any any eq telnet
access-list acl_prinetwork permit udp any any eq 23
access-list 1 permit ip 172.16.4.64 255.255.255.192 172.16.5.0 255.255.255.192
access-list acl_slavenetwork permit udp any any eq dnsix
pager lines 24
icmp permit any outside
icmp permit any secnetwork
icmp permit any prinetwork
icmp permit any slavenetwork
mtu outside 1500
mtu secnetwork 1500
mtu prinetwork 1500
mtu slavenetwork 1500
ip address outside 172.16.4.66 255.255.255.192
ip address secnetwork 172.16.4.193 255.255.255.192
ip address prinetwork 172.16.5.1 255.255.255.192
no ip address slavenetwork
pdm history enable
arp timeout 14400
global (outside) 1 172.16.5.0
static (prinetwork,outside) 172.16.5.0 172.16.5.0 netmask 255.255.255.192 0 0
conduit permit ip host 172.16.5.0 any
conduit permit tcp host 172.16.5.0 any
conduit permit udp host 172.16.5.0 any
conduit permit icmp host 172.16.5.0 any
conduit permit icmp host 172.16.5.3 any
route outside 0.0.0.0 0.0.0.0 172.16.4.65 1
route prinetwork 64.45.175.xxx 255.255.255.xxx 172.16.5.1 1

Would I need a routing protocol, although I am not routing with multiple routers? And if so, which protocol would the PIX like, RIP, OSPF, IGRP?

7 Replies

cdfowlie
Level 1

As a first step, I'd ensure that you have proper routing in place on your 2621 back to your primary and secondary LAN networks. (This wouldn't be the case with your default configuration.)

ip route 172.16.4.192 255.255.255.192 172.16.4.66

ip route 172.16.5.0 255.255.255.192 172.16.4.66

Also, before the secondary network will be able to get anywhere, you'll either need a nat(0) statement or a static in place for 172.16.5.0/26 on the PIX

i.e.

static (secnetwork,outside) 172.16.4.192 172.16.4.192 netmask 255.255.255.192

Hope this gives you a start.

-Colin

Thank you, I figured it would be a routing issue, I just wasn't sure how to set it up.

If you have the time, could you sort of explain it to me? I am at a CCNA level, so I haven't been taught a whole lot, but I understand the reason behind the static command in the firewall; I don't get why the ip route was needed. I could reach the router interface without it, so why did I have to set a route to it also?

I am not trying to do anything but understand, this is in no way questioning your help or anything like that.

cdfowlie
Level 1

No worries! My first question is: did this fix your issue?

You basically have to break down your network topology. You have 5 networks to account for not including your secondary:

1) The world outside (0.0.0.0/0)

2) From your router to your service provider (64.45.175.x/x)

3) Between your router and your PIX (172.16.4.64/26)

4) Your Primary LAN (172.16.5.0/26)

5) Your Secondary LAN (172.16.4.192/26)

As you had it configured, your router knows about network 1 with your default route statement. The router knows about networks 2 and 3 as connected networks. You need to tell it how to get to networks 4 and 5, otherwise it will send it out towards the Internet. I'm a little confused as to how you were actually pinging the router interface without those routes in there, it shouldn't have worked, so I can understand the confusion. Might it have been the Pix IP on the outside subnet?

-Colin
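Added example, not part of the thread: a small Python model of the 2621's longest-prefix-match lookup over the five networks listed above, run once with the original table (connected routes plus the default) and once with the two static routes from the earlier reply added. The ISP next hop is obfuscated as 64.45.175.xxx in the post, so the placeholder 64.45.175.1 and a /24 on Fa0/1 are assumptions.

```python
"""Longest-prefix-match lookup over a model of the 2621's routing table.

Added example, not from the thread. Prefixes are the ones cdfowlie lists;
the ISP next hop (64.45.175.xxx in the post) is replaced by the placeholder
64.45.175.1 and Fa0/1 is assumed to be a /24 (both assumptions).
"""
from ipaddress import IPv4Address, IPv4Network

ISP_NEXT_HOP = "64.45.175.1"  # placeholder for the obfuscated 64.45.175.xxx

# Each entry: (prefix, next hop or None if directly connected, how learned).
BEFORE = [
    ("172.16.4.64/26", None, "connected Fa0/0"),    # router <-> PIX outside
    ("64.45.175.0/24", None, "connected Fa0/1"),    # router <-> ISP (mask assumed)
    ("0.0.0.0/0", ISP_NEXT_HOP, "static default"),  # ip route 0.0.0.0 0.0.0.0 ...
]

# The same table after the two statics suggested in the first reply are added.
AFTER = BEFORE + [
    ("172.16.4.192/26", "172.16.4.66", "static"),  # secondary LAN via PIX outside
    ("172.16.5.0/26", "172.16.4.66", "static"),    # primary LAN via PIX outside
]


def lookup(table, dst):
    """Return (prefix, next_hop, source) of the most specific route matching dst.

    IOS forwards on the longest matching prefix, so a /26 beats the /0 default.
    For a connected route the "next hop" is the destination itself, which the
    router ARPs for directly on that segment.
    """
    dst = IPv4Address(dst)
    best = None
    for prefix, next_hop, source in table:
        net = IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, source)
    if best is None:
        return None
    net, next_hop, source = best
    return (str(net), next_hop or str(dst), source)


def trace(table, dst):
    """One-line explanation of where a packet to dst would be sent."""
    prefix, next_hop, source = lookup(table, dst)
    return f"{dst} -> matched {prefix} ({source}), forwarded to {next_hop}"


if __name__ == "__main__":
    for dst in ("172.16.4.66", "172.16.5.3", "172.16.4.200"):
        print("before:", trace(BEFORE, dst))
        print("after: ", trace(AFTER, dst))
```

The PIX outside address 172.16.4.66 resolves to the connected Fa0/0 route in both tables, which is why it answers either way; anything in 172.16.5.0/26 or 172.16.4.192/26 falls through to the default route and leaves toward the ISP until the two statics point it back at the PIX.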

Yes, it did work, I am actually online through it now.

Thank you for the clear up, I think I know what the deal was possibly. The PIX automatically, because it was on the same network, was able to see the router through the outside interface. Since I didn't actually turn on the icmp, I was relying on the debug on the PIX to tell me how the data was flowing. So basically, the PIX and the connected networks could see the router, they just couldn't route to it until I had that route command.

Also, while I have your help, I have set the router up as a VPN server. It works and all, but I need it to go to a particular network off the PIX. I tried the route commands and the static commands, but still not.

I think it is because the ip pool gives the vpn client a 32-bit subnet and everything else is on a different subnet.

How would I go about making this work. Basically I want the vpn client to be able to access machines on the 172.16.5.0 network, including the ability to telnet and such to those machines.

cdfowlie
Level 1

I think that perhaps your conduits are not doing quite what you think they are. Your logic appears to be backwards. The conduits should be looked at from an Outside-Inside perspective.

So to get the VPN clients accessing the hosts in the 172.16.5.0/26 subnet the following should do the trick:

conduit permit ip 172.16.4.0 255.255.255.224 172.16.5.0 255.255.255.192

It is no longer considered best practice to apply conduits on the Pix. You can use access-lists much like the router. To do this, you could remove your conduits (as they aren't really doing anything with the backwards logic) and do the following:

access-list outside_in permit ip 172.16.4.0 255.255.255.224 172.16.5.0 255.255.255.192

access-group outside_in in interface outside

You may also need to modify ACL 102 on the router to prevent NATing of the VPN traffic so it would look like this:

access-list 102 deny ip 172.16.0.0 0.0.255.255 172.16.4.0 0.0.0.31

access-list 102 permit ip 172.16.0.0 0.0.255.255 any

access-list 102 permit tcp any eq domain any

That may be all you need if the clients are already working for you.

-Colin
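Added example, not part of the thread: a Python model of how IOS evaluates the three-line ACL 102 proposed above when it is used as the NAT source list. It parses the lines as written, applies wildcard-mask matching in first-match order, and shows that a "deny" entry on a NAT list means "do not translate" and only has effect if it precedes the broader "permit". The sample packets and the port-name table are constructed for the example.

```python
"""First-match evaluation of an IOS numbered extended ACL with wildcard masks.

Added example, not from the thread. It models the ACL 102 that cdfowlie
proposes for 'ip nat inside source list 102', where 'deny' means "do not
translate" rather than "drop". Packets are constructed; the port-name table
covers only the names used on this page (assumption).
"""
from ipaddress import IPv4Address

ACL_102 = """
access-list 102 deny ip 172.16.0.0 0.0.255.255 172.16.4.0 0.0.0.31
access-list 102 permit ip 172.16.0.0 0.0.255.255 any
access-list 102 permit tcp any eq domain any
"""

# Same three entries with the deny appended last: the ordering mistake.
ACL_102_WRONG_ORDER = """
access-list 102 permit ip 172.16.0.0 0.0.255.255 any
access-list 102 permit tcp any eq domain any
access-list 102 deny ip 172.16.0.0 0.0.255.255 172.16.4.0 0.0.0.31
"""

PORT_NAMES = {"domain": 53, "telnet": 23}  # only the names this page uses


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard is a don't-care bit."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _take_address(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "any":
        spec = ("0.0.0.0", "255.255.255.255")
    elif tok == "host":
        spec = (tokens.pop(0), "0.0.0.0")
    else:
        spec = (tok, tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return spec, port


def parse_acl(text):
    """Parse 'access-list N action proto SRC [eq P] DST [eq P]' lines, in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            raise ValueError(f"not an access-list line: {line!r}")
        _, _number, action, proto = tokens[:4]
        rest = tokens[4:]
        src, sport = _take_address(rest)
        dst, dport = _take_address(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return (action, index) of the first matching entry; implicit deny if none."""
    for i, (action, p, (sb, sw), sp, (db, dw), dp) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action, i
    return "deny", None


def nat_decision(acl_text, proto, src, dst, sport=None, dport=None):
    """On a NAT source list, 'permit' means translate and 'deny' means bypass NAT."""
    action, _ = evaluate(parse_acl(acl_text), proto, src, dst, sport, dport)
    return "translate" if action == "permit" else "bypass"


if __name__ == "__main__":
    # Constructed packets: a 172.16.5.0/26 host telnetting to a VPN client in the
    # 172.16.4.0/27 pool, and the same host browsing the Internet.
    print(nat_decision(ACL_102, "tcp", "172.16.5.3", "172.16.4.10", 40000, 23))
    print(nat_decision(ACL_102, "tcp", "172.16.5.3", "198.51.100.7", 40001, 80))
    print(nat_decision(ACL_102_WRONG_ORDER, "tcp", "172.16.5.3", "172.16.4.10", 40000, 23))
```

With the deny first, LAN-to-VPN-client traffic bypasses NAT and keeps its 172.16.5.x source, so the client's reply has a route home; with the deny last, the `permit ip 172.16.0.0 0.0.255.255 any` entry matches first and the traffic is translated to the Fa0/1 address, and the deny is never reached.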

Still no go. It is like how it was with the network hitting the router but nothing beyond. The client can ping the firewall port but nothing else. I can ping them just fine with both the firewall and the router.

cdfowlie
Level 1

Are you still having this issue? If you resend the configs as they are now, I can have another look to see what we might have missed.