
Cisco PIX Configuration Problem


kallol2002 (Vendor), Apr 24, 2003
Dear,

Let me explain the scenario. I have four locations. We
are going to implement four PIXes at the four locations. We
are using a 501 for each branch and a 515E for the head office.

Location A B C D

Locations A, B & D are branches and C is the head office.

We can connect B to C and D to C, but we cannot
connect B to D. B is connecting to D via C, that is, B
is coming to C and then going to D. We have not tried A yet.


We have created VPNs from B to C, D to C & B to D.

B to C and D to C are working fine. As B to D is
connecting via C, we are facing a problem. We can ping
from the outer interface of B to the outer interface of D and
vice versa, but we cannot ping from inner network to inner
network.

Is there anything extra required for connecting B to
D?

I am attaching the configuration steps which we have
done on our PIXes.

I am waiting for your quick response.

Tks
Salman


Cisco PIX configuration

(Head Office) C


Step I


1) Initial configuration through Interactive Prompt

Enable Password : ******
Clock :
Inside IP Address : 10.20.0.254
Mask : 255.255.255.0
Host Name : PBBHO
Domain Name : intra.bracbank.com
IP of PDM Host : 10.20.0.x


2) Configuring PIX through PDM

To start PDM you have to start Internet Explorer or Netscape and type (Inside Interface IP)

Speed : Auto
Outside IP Address & Mask : 192.168.97.1 255.255.255.0

interface e0 auto (Wizard)
interface e1 auto (Wizard)

nameif e0 outside security0 (Wizard)
nameif e1 inside security100 (Wizard)

nat (inside) 0 0 : Do not translate


3) Configuring the PIX Firewall for routing

[clear arp]

route outside 10.20.31.0 255.255.255.0 192.168.97.31
route outside 10.20.32.0 255.255.255.0 192.168.97.32
route outside 10.20.21.0 255.255.255.0 192.168.97.21


4) Saving configuration

write memory

[write terminal]




Step II

1) Allowing inbound connections

access-list 110 permit ip 10.20.0.0 255.255.255.0 10.20.31.0 255.255.255.0
access-list 110 permit ip 10.20.0.0 255.255.255.0 10.20.32.0 255.255.255.0
access-list 110 permit ip 10.20.0.0 255.255.255.0 10.20.21.0 255.255.255.0

access-group 110 in interface outside


2) Controlling outbound connectivity

No restriction on outbound connection


3) Testing connectivity

[ping x.x.x.x]



Step III

1) VPN Configuration through PDM VPN wizard

Type of VPN : Site to Site
Interface on which the VPN will be enabled : Outside

Peer IP Address : 192.168.97.31 / 192.168.97.32 / 192.168.97.21
Authentication (Pre-shared Keys) : xxxxx

Local Host/Networks Interface : inside
Local Host/Networks IP Address : 10.20.0.0
Local Host/Networks Mask : 255.255.255.0

Remote Host/Networks Interface : Outside
Remote Host/Networks IP Address : 10.20.31.0 / 10.20.32.0 / 10.20.21.0
Remote Host/Networks Mask : 255.255.255.0


2) Save configuration to flash


Step IV


1) Remotely use PDM

Assign IP address of the remote PDM host in PDM


2) Using SSH

Install PuTTY

3) Remotely save configuration to TFTP server

Assign IP address of the network’s TFTP server


4) Using SNMP

Configure SNMP in PDM
Install SNMP software


5) Locally use Syslog Server

Configure syslog in PDM
Install Syslog server




Branch A


Step I


1) Initial configuration through Interactive Prompt

Enable Password : ******
Clock :
Inside IP Address : 10.20.31.254
Mask : 255.255.255.0
Host Name : PBBSyB
Domain Name : intra.bracbank.com
IP of PDM Host : 10.20.31.x


2) Configuring PIX through PDM

To start PDM you have to start Internet Explorer or Netscape and type (Inside Interface IP)

Speed : Auto
Outside IP Address & Mask : 192.168.97.31 255.255.255.0

interface e0 auto (Wizard)
interface e1 auto (Wizard)

nameif e0 outside security0 (Wizard)
nameif e1 inside security100 (Wizard)

nat (inside) 0 0 : Do not translate


3) Configuring the PIX Firewall for routing

[clear arp]

route outside 10.20.0.0 255.255.255.0 192.168.97.1
route outside 10.20.32.0 255.255.255.0 192.168.97.32
route outside 10.20.21.0 255.255.255.0 192.168.97.21


4) Saving configuration

write memory

[write terminal]




Step II

1) Allowing inbound connections

access-list 110 permit ip 10.20.31.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list 110 permit ip 10.20.31.0 255.255.255.0 10.20.32.0 255.255.255.0
access-list 110 permit ip 10.20.31.0 255.255.255.0 10.20.21.0 255.255.255.0

access-group 110 in interface outside


2) Controlling outbound connectivity

No restriction on outbound connection


3) Testing connectivity

[ping x.x.x.x]



Step III

1) VPN Configuration through PDM VPN wizard

Type of VPN : Site to Site
Interface on which the VPN will be enabled : Outside

Peer IP Address : 192.168.97.1 / 192.168.97.32 / 192.168.97.21
Authentication (Pre-shared Keys) : xxxxx

Local Host/Networks Interface : inside
Local Host/Networks IP Address : 10.20.31.0
Local Host/Networks Mask : 255.255.255.0

Remote Host/Networks Interface : Outside
Remote Host/Networks IP Address : 10.20.0.0 / 10.20.32.0 / 10.20.21.0
Remote Host/Networks Mask : 255.255.255.0


2) Save configuration to flash


Step IV


1) Remotely use PDM

Assign IP address of the remote PDM host in PDM


2) Using SSH

Install PuTTY

3) Remotely save configuration to TFTP server

Assign IP address of the network’s TFTP server


4) Using SNMP

Configure SNMP in PDM
Install SNMP software


5) Locally use Syslog Server

Configure syslog in PDM
Install Syslog server


Branch B


Step I


1) Initial configuration through Interactive Prompt

Enable Password : ******
Clock :
Inside IP Address : 10.20.32.254
Mask : 255.255.255.0
Host Name : PBBSyZ
Domain Name : intra.bracbank.com
IP of PDM Host : 10.20.32.x


2) Configuring PIX through PDM

To start PDM you have to start Internet Explorer or Netscape and type (Inside Interface IP)

Speed : Auto
Outside IP Address & Mask : 192.168.97.32 255.255.255.0

interface e0 auto (Wizard)
interface e1 auto (Wizard)

nameif e0 outside security0 (Wizard)
nameif e1 inside security100 (Wizard)

nat (inside) 0 0 : Do not translate


3) Configuring the PIX Firewall for routing

[clear arp]

route outside 10.20.31.0 255.255.255.0 192.168.97.31
route outside 10.20.0.0 255.255.255.0 192.168.97.1
route outside 10.20.21.0 255.255.255.0 192.168.97.21


4) Saving configuration

write memory

[write terminal]




Step II

1) Allowing inbound connections

access-list 110 permit ip 10.20.32.0 255.255.255.0 10.20.31.0 255.255.255.0
access-list 110 permit ip 10.20.32.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list 110 permit ip 10.20.32.0 255.255.255.0 10.20.21.0 255.255.255.0

access-group 110 in interface outside


2) Controlling outbound connectivity

No restriction on outbound connection


3) Testing connectivity

[ping x.x.x.x]



Step III

1) VPN Configuration through PDM VPN wizard

Type of VPN : Site to Site
Interface on which the VPN will be enabled : Outside

Peer IP Address : 192.168.97.31 / 192.168.97.1 / 192.168.97.21
Authentication (Pre-shared Keys) : xxxxx

Local Host/Networks Interface : inside
Local Host/Networks IP Address : 10.20.32.0
Local Host/Networks Mask : 255.255.255.0

Remote Host/Networks Interface : Outside
Remote Host/Networks IP Address : 10.20.31.0 / 10.20.0.0 / 10.20.21.0
Remote Host/Networks Mask : 255.255.255.0


2) Save configuration to flash


Step IV


1) Remotely use PDM

Assign IP address of the remote PDM host in PDM


2) Using SSH

Install PuTTY

3) Remotely save configuration to TFTP server

Assign IP address of the network’s TFTP server


4) Using SNMP

Configure SNMP in PDM
Install SNMP software


5) Locally use Syslog Server

Configure syslog in PDM
Install Syslog server

Branch D


Step I


1) Initial configuration through Interactive Prompt

Enable Password : ******
Clock :
Inside IP Address : 10.20.21.254
Mask : 255.255.255.0
Host Name : PBBChA
Domain Name : intra.bracbank.com
IP of PDM Host : 10.20.21.x


2) Configuring PIX through PDM

To start PDM you have to start Internet Explorer or Netscape and type (Inside Interface IP)

Speed : Auto
Outside IP Address & Mask : 192.168.97.21 255.255.255.0

interface e0 auto (Wizard)
interface e1 auto (Wizard)

nameif e0 outside security0 (Wizard)
nameif e1 inside security100 (Wizard)

nat (inside) 0 0 : Do not translate


3) Configuring the PIX Firewall for routing

[clear arp]

route outside 10.20.31.0 255.255.255.0 192.168.97.31
route outside 10.20.32.0 255.255.255.0 192.168.97.32
route outside 10.20.0.0 255.255.255.0 192.168.97.1


4) Saving configuration

write memory

[write terminal]




Step II

1) Allowing inbound connections

access-list 110 permit ip 10.20.21.0 255.255.255.0 10.20.31.0 255.255.255.0
access-list 110 permit ip 10.20.21.0 255.255.255.0 10.20.32.0 255.255.255.0
access-list 110 permit ip 10.20.21.0 255.255.255.0 10.20.0.0 255.255.255.0

access-group 110 in interface outside


2) Controlling outbound connectivity

No restriction on outbound connection


3) Testing connectivity

[ping x.x.x.x]



Step III

1) VPN Configuration through PDM VPN wizard

Type of VPN : Site to Site
Interface on which the VPN will be enabled : Outside

Peer IP Address : 192.168.97.31 / 192.168.97.32 / 192.168.97.1
Authentication (Pre-shared Keys) : xxxxx

Local Host/Networks Interface : inside
Local Host/Networks IP Address : 10.20.21.0
Local Host/Networks Mask : 255.255.255.0

Remote Host/Networks Interface : Outside
Remote Host/Networks IP Address : 10.20.31.0 / 10.20.32.0 / 10.20.0.0
Remote Host/Networks Mask : 255.255.255.0


2) Save configuration to flash


Step IV


1) Remotely use PDM

Assign IP address of the remote PDM host in PDM


2) Using SSH

Install PuTTY

3) Remotely save configuration to TFTP server

Assign IP address of the network’s TFTP server


4) Using SNMP

Configure SNMP in PDM
Install SNMP software


5) Locally use Syslog Server

Configure syslog in PDM
Install Syslog server
 
Hi.

That is a very detailed question (good), but still some info and notes are missing:
It seems like you are building a test lab with "192.168.97.0" simulating the Internet cloud, and then you'll deploy the real thing with each PIX placed behind a router in different physical locations.
Is this correct?
Or is this going to be some kind of VPN inside your own intranet and not using the public Internet?
What will be the connection type to ISP of the branch offices?
Will each PIX 501 get a registered IP address in the real world?

*****

> We can connect B to C and D to C. But we cannot
connect B to D ...
First - ask yourself what the goal is here.
Do you really need a direct connection between B and D, assuming that all servers are in C (main office)?
If the answer is "No, actually I don't need this", then the solution will be simpler.
If the answer is "Well, I need some type of connectivity between branches, for example printing" - then the solution can be either VPN between branches, or for printing - a print server at the main office. Print jobs will be sent between branches via the main site. Similar solutions can be used for file transfer (shared folders or FTP server at main site).
If the answer is "Yes, I need full transparent connectivity between branches" - then the solution is simply to establish site to site VPN between branches, in addition and same way as "branch to main".

*****

Take a look here before you continue:
You'll be most interested in the samples under the title "VPN (ipsec) PIX to PIX":
"Fully meshed" versus "Hub and Spoke"

You can also use my free pixcript tool to generate a sample VPN scenario and compare it to what you already have:

Don't get me wrong - using PDM for establishing the VPN configuration is good and I recommend it (I also use PDM as my first choice). I just suggest looking at the other samples (Cisco samples and pixcript output) as a reference to compare with what you have done.

*****

Here are some notes regarding the lab setup you currently have:
> (Head Office) C
> route outside 10.20.31.0 255.255.255.0 192.168.97.31
> route outside 10.20.32.0 255.255.255.0 192.168.97.32
> route outside 10.20.21.0 255.255.255.0 192.168.97.21
No need for these.
Since you are going to use VPN, the PIX does not need and should not have a route to the private addresses in the other networks.
These will be done with crypto map access lists instead.

> 1) Allowing inbound connections
> access-list 110 permit ip 10.20.0.0 255.255.255.0 10.20.31.0 255.255.255.0
> access-list 110 permit ip 10.20.0.0 255.255.255.0 10.20.32.0 255.255.255.0
> access-list 110 permit ip 10.20.0.0 255.255.255.0 10.20.21.0 255.255.255.0
> access-group 110 in interface outside
No need for the above statements also.
These will be also done using crypto map access lists, in addition to "sysopt connection permit-ipsec".

> 5) Locally use Syslog Server
> Configure syslog in PDM
> Install Syslog server
Very good.
You should use syslog messages as one of the first things to look at when things go wrong, and also when everything is working fine.

Bye


Yizhar Hurwitz
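The two layouts the reply contrasts ("Hub and Spoke" versus "Fully meshed") and the point that tunnel selection is driven by crypto map access lists rather than static routes can be checked with a small model. The following is an added example, not the poster's configuration and not the pixcript tool mentioned above. It uses the four sites' outside addresses and inside networks from the thread; the access-list, transform-set and crypto map names, the 3DES/SHA proposal (era-appropriate for PIX 6.x; a current device would use AES) and the pre-shared key placeholder are assumptions. It answers the question "which tunnel, if any, would a packet from B's inside network to D's inside network enter at B?" in each layout, and renders the PIX 6.x crypto commands for a site.

```python
"""Model of PIX site-to-site crypto ACLs for the four-site layout in the thread.

Added example (assumptions noted inline). A PIX only encrypts a packet when
its source/destination match a crypto map access list at the sending site,
so the crypto ACLs decide which inside-to-inside flows get a tunnel at all.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed from the thread: site -> (outside IP, inside network)
SITES = {
    "C": ("192.168.97.1", IPv4Network("10.20.0.0/24")),    # head office (hub)
    "A": ("192.168.97.31", IPv4Network("10.20.31.0/24")),
    "B": ("192.168.97.32", IPv4Network("10.20.32.0/24")),
    "D": ("192.168.97.21", IPv4Network("10.20.21.0/24")),
}
HUB = "C"


def tunnel_peers(site, mesh):
    """Peers this site has a tunnel to: everyone (mesh) or only hub/spokes."""
    if mesh:
        return [p for p in SITES if p != site]
    return [p for p in SITES if p != HUB] if site == HUB else [HUB]


def crypto_acl(site, mesh):
    """One (local net, remote net, peer) entry per tunnel: the 'interesting traffic'."""
    local_net = SITES[site][1]
    return [(local_net, SITES[p][1], p) for p in tunnel_peers(site, mesh)]


def tunnel_for(site, src, dst, mesh):
    """Peer whose crypto ACL matches src->dst at `site`, or None if no tunnel applies."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for local_net, remote_net, peer in crypto_acl(site, mesh):
        if src in local_net and dst in remote_net:
            return peer
    return None


def pix_config(site, mesh, psk="PSK_PLACEHOLDER"):
    """Render PIX 6.x crypto commands for one site (names/proposal are assumptions)."""
    lines = [
        "sysopt connection permit-ipsec",          # bypass interface ACLs for IPsec traffic
        "crypto ipsec transform-set strong esp-3des esp-sha-hmac",
        "isakmp enable outside",
        "isakmp policy 10 authentication pre-share",
        "isakmp policy 10 encryption 3des",
        "isakmp policy 10 hash sha",
        "isakmp policy 10 group 2",
    ]
    for seq, (local_net, remote_net, peer) in enumerate(crypto_acl(site, mesh), start=10):
        peer_ip = SITES[peer][0]
        acl = f"vpn_to_{peer}"
        nets = (f"{local_net.network_address} {local_net.netmask} "
                f"{remote_net.network_address} {remote_net.netmask}")
        lines += [
            f"access-list {acl} permit ip {nets}",       # crypto ACL for this tunnel
            f"access-list nonat permit ip {nets}",       # exempt tunnel traffic from NAT
            f"crypto map vpnmap {seq} ipsec-isakmp",
            f"crypto map vpnmap {seq} match address {acl}",
            f"crypto map vpnmap {seq} set peer {peer_ip}",
            f"crypto map vpnmap {seq} set transform-set strong",
            f"isakmp key {psk} address {peer_ip} netmask 255.255.255.255",
        ]
    lines += ["nat (inside) 0 access-list nonat",
              "crypto map vpnmap interface outside"]
    return lines


if __name__ == "__main__":
    for mesh in (False, True):
        label = "full mesh" if mesh else "hub and spoke"
        print(f"{label}: B->D inside traffic uses tunnel to",
              tunnel_for("B", "10.20.32.10", "10.20.21.10", mesh))
    print("\n".join(pix_config("B", mesh=True)))
```

In the hub-and-spoke model a packet from 10.20.32.x to 10.20.21.x matches no crypto ACL at B, so B never puts it into a tunnel; in the full-mesh model it matches the B-to-D entry. The generated commands are the same pattern for every site, which is what the reply means by establishing the branch-to-branch tunnels "in addition and same way as branch to main".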
 