Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco 1720 router to Cisco 515 PIX

Status
Not open for further replies.
r31ss

r31ss

MIS
Feb 1, 2002
6
0
0
GB
Currently have 7 worldwide site based on a 10.x.x.x network.
1720 router with two Ethernet ports, NAT used on external interfaces, (small subnet allocated from building management) Router is managed service in each location.

I've used the PIXscript (excellent util!) to create the PIX config, using a variety of tech tips from Cisco I've hashed together a router config at the remote sites.

From the main site I cannot access the remote LAN, can telnet from main site to remote sites but no further any help in config tips/examples etc would be much appreciated.

regards
r31ss
 
Sort by date Sort by votes
HI.

You can browse networks via VPN tunnels if you configure name resolution properly and open related ports.
BUT, It is not always required or recommend.
VPN is a security risk by itself, so in many cases you can limit VPN traffic only to the minimun needed known servers and ports.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Are we talking about a router config or a PIX config??

You said that you "cannot access the remote LAN" but then said that you can "telnet from main site to remote sites". What exactly are you trying to telnet to .. the router, PIX, server?? You also say that you're doing NAT on the router! If you have a PIX you should be doing the NAT on that and not on the router!

Could you give us clearer details to exactly what you have got, what you are trying to do and what's not working?

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Upvote 0 Downvote
How are the remote sites connected? VPN, frame relay, leased line?

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Upvote 0 Downvote
Okay

Pix at central site provide NAT for 192.x.x.x network, Pix is connected to a managed service router on a 62.254.x.x ip subnet.
VPN is leased lines from managed service provider.

Other sites are on the 10.10.x.x network, a cisco 1720 router with 2 ethernet ports exists to connect the 10.10.x.x network to the managed service network - various ip subnets allocated. there is NAT on the 1720 to translate private to public - ie small sunet provided from managed service.

There are various NT/citrix servers on these sites to which access is required.

IPSEC with ISAKMP for encryption.

eg 1 site:


ws---pix---router---internet---router---1720---ws

192.168.x.x/24 - 62.254.x.x/28 - 213.46.x.x/30 - 10.10.x.x/24


ws- workstation
pix- pix 515
router-managed service router
internet-internet
1720-cisco1720 2 ethernet ports

I've been following cisco cookbook -

Hope this helps
 
Upvote 0 Downvote
Right. That's more like it!

So, is the problem with the VPN link between your sites? You can telnet into the remote but not access the network behind it right??

Sounds like your VPN isn't set up right. You will be able to access the router over the internet, sans VPN, but you will need to set the VPN up so that you have seamless network connections between your sites. What are you using for the VPN server and clients. It might be worth putting a PIX at each site and doing a PIX to PIX VPN.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Upvote 0 Downvote
Yes pix 2 pix would be the solution, however configuration stays as is.

Require router config for 1720 using ipsec/isakmp. AS does the PIX. I've used the PIX Script tool to configure the pix. From books, cisco cookbooks, forums - pix config seems to be okay, I'm concerned over the router config, although it looks okay.

Do I need acl's or should I be able to browse from central networks to remote using the Encrypted VPN.

I'm slowly losing sleep/hair/weight trying to solve it.
Any input greatly accepted.
 
Upvote 0 Downvote
It's hard to solve this kind of problem without seeing exactly what's going on.

I would suggest that Yizar is the man for this one!

YIZAR!!!!Are you out there man?? ************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Upvote 0 Downvote
HI.

Once again, I think that browsing is your last concern, and should be handled only after verifying that basic TCP/IP services to known internal ip addresses is working.

Is ICA working to your CITRIX servers?
Can you run http/ftp/telnet or other services through the VPN?
If you configure LMHOSTS on your test workstation with name resolution to a remote NT server, can you access it?
What do you mean by the term "managed router"?

If TCP/IP is working fine and you need MS browsing, then all is left is to use WINS/DNS/LMHOSTS/HOSTS etc..

I don't know much about IPSec on the routers, but if you need more info please provide here the relevant config of pix and one of the routers.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
146
Sameer258
Sameer258
MottoK
  • Locked
  • Question
Cisco ISE blank GUI
Replies
0
Views
109
MottoK
MottoK
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
150
intel233
intel233
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
161
intel233
intel233
AllenH12
  • Locked
  • Question
Bandwidth in Cisco ASA 5505
Replies
2
Views
127
AllenH12
AllenH12

Part and Inventory Search

Sponsor

Back
Top