TheStressFactor

IS-IT--Management
Sep 24, 2002
Hey all,

Ok, here is the situation. 3 sites: Central, Remote 1, and Remote 2. The two sites have Cisco 2611 routers that connect to our Cisco 3640 router via frame relay. Behind the router is a Cisco 515E. Central works fine... can access the Internet, mail and all that good stuff. My two remote sites cannot access the Internet. When I PC Anywhere to one of their machines and traceroute, it dies at our router. Is the router not properly passing traffic to the PIX? Or am I missing something here... how can I get my remote sites to access the Internet? Below are my configs of each router.


Cisco 3640 Config-Main Site

Building configuration...

Current configuration : 3961 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service dhcp
!
hostname Marinoware_NJ
!
boot system flash:c3640-is-mz.121-5.T8.bin
logging rate-limit console 10 except errors
enable password network
!
ip subnet-zero
!
!
no ip finger
ip domain-name alter.net
!
!
class-map match-all c-voice
match ip precedence 5
!
!
policy-map p-egress
class c-voice
priority 128
!
call rsvp-sync
voice rtp send-recv
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description To Office Ethernet
ip address 63.102.156.65 255.255.255.240
duplex auto
speed auto
!
interface Serial0/0
description To UUNET (wcomw0c23065)
bandwidth 1536
no ip address
encapsulation frame-relay IETF
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
bandwidth 1536
ip address 157.130.255.34 255.255.255.252
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/1
ip address 192.168.3.6 255.255.255.0
duplex auto
speed auto
h323-gateway voip bind srcaddr 192.168.3.6
!
interface Serial0/1
no ip address
no fair-queue
!
interface Serial3/0
description To Delanco (WOE92789)
no ip address
encapsulation frame-relay
service-policy output p-egress
service-module t1 timeslots 1-8
service-module t1 remote-alarm-enable
!
interface Serial3/0.100 point-to-point
description PVC to DELANCO
bandwidth 256
ip address 192.168.4.1 255.255.255.0
frame-relay interface-dlci 100
class mclass-voice
frame-relay ip rtp header-compression passive
!
interface Serial3/0.102 point-to-point
description PVC to NEW YORK
bandwidth 128
ip address 192.168.1.3 255.255.255.0
frame-relay interface-dlci 102
class mclass128-voice
frame-relay ip rtp header-compression passive
!
router rip
network 192.168.1.0
network 192.168.3.0
network 192.168.4.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
!
map-class frame-relay mclass-voice
no frame-relay adaptive-shaping
frame-relay cir 256000
frame-relay bc 300
frame-relay be 0
frame-relay mincir 256000
frame-relay fair-queue
frame-relay fragment 200
frame-relay ip rtp priority 16384 16383 45
!
map-class frame-relay mclass128-voice
no frame-relay adaptive-shaping
frame-relay cir 128000
frame-relay bc 128000
frame-relay be 0
frame-relay mincir 128000
frame-relay fair-queue
frame-relay fragment 160
frame-relay ip rtp priority 16384 16383 45
access-list 100 permit tcp any any established
snmp-server engineID local 00000009020000024B0EADE0
snmp-server community 181d4b22b2 RO
snmp-server community network RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
!
voice-port 1/0/0
no comfort-noise
description FXO for Calls TO the PBX
!
voice-port 1/0/1
no comfort-noise
description FXO for Calls TO the PBX
!
voice-port 1/1/0
no comfort-noise
description FXS for calls FROM the PBX
!
voice-port 1/1/1
no comfort-noise
description FXS for calls FROM the PBX
!
dial-peer cor custom
!
!
!
dial-peer voice 200 voip
destination-pattern 21.
session target ipv4:192.168.3.8
ip precedence 5
no vad
!
dial-peer voice 201 voip
destination-pattern 22.
session target ipv4:192.168.3.8
ip precedence 5
no vad
!
dial-peer voice 202 voip
destination-pattern 23.
session target ipv4:192.168.3.8
ip precedence 5
no vad
!
dial-peer voice 300 voip
destination-pattern 20.
session target ipv4:192.168.1.2
dtmf-relay cisco-rtp
codec g711ulaw
ip precedence 5
no vad
!
dial-peer voice 500 pots
destination-pattern 3..
no digit-strip
port 1/0/0
!
dial-peer voice 501 pots
destination-pattern 3..
no digit-strip
port 1/0/1
!
dial-peer voice 502 pots
destination-pattern 298
no digit-strip
port 1/0/0
!
dial-peer voice 503 pots
destination-pattern 298
no digit-strip
port 1/0/1
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password network
login
!
end


Cisco 2611 Remote 1 Config

Building configuration...

Current configuration : 2542 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Marinoware_NY
!
boot system flash c2600-is-mz.122-6a.bin
no logging console
enable secret 5 $1$Rh03$JvEEatsrh8ihkNHCIkchd/
enable password Network
!
ip subnet-zero
!
!
!
!
class-map match-all c-voice
match ip precedence 5
!
!
policy-map p-egress
class c-voice
priority 180
policy-map ike
!
call rsvp-sync
voice rtp send-recv
!
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 192.168.0.1 255.255.255.0
half-duplex
!
interface Serial0/0
description (Cir#W0f70623)
bandwidth 256
no ip address
encapsulation frame-relay
no ip mroute-cache
service-policy output p-egress
service-module t1 timeslots 1-4
cdp enable
!
interface Serial0/0.1 point-to-point
description TO South Plainfield
bandwidth 256
ip address 192.168.1.2 255.255.255.0
no arp frame-relay
frame-relay interface-dlci 100
class mclass-voice
frame-relay ip rtp header-compression
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
router rip
redistribute connected
network 192.168.0.0
network 192.168.1.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.3
no ip http server
ip pim bidir-enable
!
!
map-class frame-relay mclass-voice
no frame-relay adaptive-shaping
frame-relay cir 128000
frame-relay bc 128000
frame-relay be 0
frame-relay mincir 128000
frame-relay fair-queue
frame-relay fragment 160
frame-relay ip rtp priority 16384 16383 45
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
snmp-server engineID local 00000009020000024B0EAC80
snmp-server community public RO
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer cor custom
!
!
!
dial-peer voice 3 voip
destination-pattern 21.
session target ipv4:192.168.7.2
ip precedence 5
no vad
!
dial-peer voice 4 voip
destination-pattern 3..
session target ipv4:192.168.1.3
dtmf-relay cisco-rtp
codec g711ulaw
ip precedence 5
no vad
!
dial-peer voice 1 pots
destination-pattern 203
port 1/0/0
!
dial-peer voice 5 voip
destination-pattern 22.
session target ipv4:192.168.7.2
ip precedence 5
no vad
!
dial-peer voice 500 pots
destination-pattern 204
port 1/0/0
!
dial-peer voice 2 pots
preference 2
destination-pattern 204
port 1/0/1
!
dial-peer voice 6 voip
destination-pattern 298
session target ipv4:192.168.1.3
ip precedence 5
no vad
!
dial-peer voice 7 pots
preference 2
destination-pattern 203
port 1/0/1
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password network
login
!
end

Cisco 2611 Router-Remote 2

Current configuration : 3073 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Delanco_NJ
!
boot system flash c2600-is-mz.121-5.YD1.bin
logging rate-limit console 10 except errors
enable secret 5 $1$1Crp$oCFTCqyGLONuDAXm0kfX71
!
!
!
ip subnet-zero
!
!
no ip finger
ip domain-name alter.net
!
!
class-map match-all c-voice
match ip precedence 5
!
!
policy-map p-egress
class c-voice
priority 180
!
voice rtp send-recv
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
description h323-gateway voip bind srcaddr 192.168.5.2 statement removed
ip address 192.168.5.2 255.255.255.0
full-duplex
!
interface Serial0/0
bandwidth 256
no ip address
encapsulation frame-relay
service-policy output p-egress
!
interface Serial0/0.1 point-to-point
description Frame-Relay Link to South Plainfield
bandwidth 256
ip address 192.168.4.2 255.255.255.0
frame-relay interface-dlci 101
class mclass-voice
frame-relay ip rtp header-compression
!
interface Ethernet0/1
no ip address
half-duplex
!
router rip
network 192.168.4.0
network 192.168.5.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.4.1
ip route 192.168.0.0 255.255.255.0 192.168.4.1
no ip http server
!
!
map-class frame-relay mclass-voice
no frame-relay adaptive-shaping
frame-relay cir 256000
frame-relay bc 300
frame-relay be 0
frame-relay mincir 256000
frame-relay fair-queue
frame-relay fragment 200
frame-relay ip rtp priority 16384 16383 45
access-list 100 permit icmp any any
access-list 100 permit tcp any any established
access-list 100 permit ip any any
!
!
snmp-server engineID local 00000009020000024B0EADE0
snmp-server community 181d4b22b2 RO
snmp-server community network RO
snmp-server packetsize 4096
snmp-server enable traps snmp authentication linkdown linkup coldstart
call rsvp-sync
!
voice-port 1/0/0
connection plar opx 210
description Inbound-Outbound Local Calling
!
voice-port 1/0/1
connection plar opx 210
description Inbound-Outbound Local Calling
!
voice-port 1/1/0
connection plar opx 210
description Inbound-Outbound Local Calling
!
voice-port 1/1/1
connection plar opx 210
description Inbound-Outbound Local Calling
!
mgcp modem passthrough voip mode ca
no mgcp timer receive-rtcp
!
mgcp profile default
!
dial-peer cor custom
!
!
!
dial-peer voice 100 pots
preference 1
destination-pattern ...........
port 1/0/0
!
dial-peer voice 101 pots
preference 2
destination-pattern ...........
port 1/0/1
!
dial-peer voice 102 pots
preference 3
destination-pattern ...........
port 1/1/0
!
dial-peer voice 103 pots
preference 4
destination-pattern ...........
port 1/1/1
!
dial-peer voice 401 voip
destination-pattern 210
session target ipv4:192.168.3.8
dtmf-relay h245-alphanumeric
codec g711ulaw
ip precedence 5
no vad
!
!
call-manager-fallback
ip source-address 192.168.5.2 port 2000
max-ephones 24
max-dn 48
default-destination 210
access-code fxo 9
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password network
login
!
no scheduler allocate
end
 
Off of what interface is the PIX located? And I am assuming it is set as the web proxy in all the browsers at the remote office?
Does the PIX have the routes to the remote offices?

Dave
 
Here is my PIX config... I do not have it set up as a web proxy... Is this something I need to do to allow this to work?

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 7DeygvHKjBuxNxrP encrypted
passwd 0fTucaWSYztRT69N encrypted
hostname marinofw1
domain-name marinoware.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 192.168.77.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list split permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list tunnel permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list tunnel permit ip 192.168.77.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside permit tcp any host x.x.x.67 eq smtp
access-list outside permit icmp any any
pager lines 24
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.67 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.1-10.1.1.50
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.3.2 255.255.255.255 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.x.67 smtp 192.168.3.2 smtp netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
route inside 192.168.0.0 255.255.255.0 192.168.3.6 1
route inside 192.168.1.0 255.255.255.0 192.168.3.6 1
route inside 192.168.4.0 255.255.255.0 192.168.3.6 1
route inside 192.168.5.0 255.255.255.0 192.168.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set pixtransform esp-3des esp-sha-hmac
crypto ipsec transform-set marinohome esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set marinohome
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address tunnel
crypto map testmap 10 set peer x.x.x.83
crypto map testmap 10 set transform-set pixtransform
crypto map testmap 10 set security-association lifetime seconds 3600 kilobytes 192
crypto map testmap 999 ipsec-isakmp dynamic dynmap
crypto map testmap interface outside
crypto map marinohome 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key ************ address x.x.x.83 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup marino address-pool ippool
vpngroup marino dns-server 192.168.3.7
vpngroup marino wins-server 192.168.3.7
vpngroup marino default-domain marinoware.com
vpngroup marino split-tunnel split
vpngroup marino idle-time 2000
vpngroup marino password ***********
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
terminal width 80
 
Your default route on the 3640 points out the serial interface. If you have not set up the PIX as a proxy, is resolving to 64.58.76.178. This will get routed out your serial interface, not to your PIX. Unless your service provider is routing your internal address for you, there is no way for the frame to get back to you. The outside interface on your PIX is on the F0/0 interface of your 3600. I am assuming there is another router hanging off that network. Where does that default route point? To the firewall? That would explain how the local users work, which was my biggest question on this config.

Dave
 
Hi Dave... the users at the central office where the Internet works are using the internal IP of the PIX as their default gateway. The only router I have is the Cisco 3640 in front of the PIX and the two 2611s at the remote sites... hope that info helps...

Patrick
 
Patrick,

What you have is a catch-22 situation. You need the default route in your 3640 to route the outside of your firewall to the Internet. This also causes any requests from the remote sites to bypass the firewall. You will need to use the firewall as your web-proxy for your remote users. You really should consider adding a router specifically for terminating your ISP connection. This would add a lot more security in your network and simplify routing to/from the internet.

Dave

 
Dave,

Thank you so much for shedding some light on this. So I would need to delete the 0.0.0.0 0.0.0.0 serial 0/0.1 and put in a route for 0.0.0.0 0.0.0.0 x.x.x.67? Also, do you know how complicated it is to set up a web proxy on the PIX, or where I can find the proper syntax to do this? Any help you can provide would be great... thank you so much for the help you have given already.

Patrick
 
Patrick,

The problem is if you change the default route to point there you will end up sending your requests to your outside interface on the PIX, and probably end up with a nasty loop. PIX to router, router to PIX, PIX to router, etc. Leave the default route the way it is. You need to point your web browser to the inside interface of your firewall.
For IE: Tools ==> Internet Options ==> Connections ==> LAN Settings ==> Proxy Server.

I would buy another router and create a lan segment out to the internet.

3640 ==> Pix ==> Internet router ==> circuit to ISP.

Then all you have to do is point your default route out to the PIX. And it would keep the auditors happy.

Dave
 
Hi Dave,

I am gonna try and implement that plan... but for now I was gonna use the suggestion about the web browser... however, when I put in the proxy address of the internal interface of the PIX it still does not work... it says it could not open the web page... any suggestions?

Patrick
 
Patrick,

Not 100% sure how to set it up using a proxy. Anyone out there help? My only other thought is to use policy routing on the serial interfaces coming from your remote sites to the 3640. I would implement this off hours and do a lot of testing. This may also force the router to use process-switching and add latency through the router. You need to check policy routing with a default next-hop on your version of IOS.

! Standard ACL: match traffic sourced from the remote 192.168.x.x subnets
! (a numbered standard ACL takes no "ip" keyword)
access-list 1 permit 192.168.0.0 0.0.255.255
!
! Apply the policy on the ingress subinterfaces from Delanco and New York
int Serial3/0.100
ip policy route-map internet
!
int Serial3/0.102
ip policy route-map internet
!
! "default next-hop" only overrides the default route; destinations with a
! specific route (e.g. the other remote site) still follow the routing table
route-map internet permit 10
match ip address 1
set ip default next-hop 192.168.3.1

Dave
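To make the routing argument in this thread concrete (packets from the remote sites follow the 3640's default route out Serial0/0.1 and never touch the PIX; pointing that default at the PIX outside address loops; a route-map with `set ip default next-hop` on the two frame-relay subinterfaces sends only default-routed traffic to the PIX inside address), here is an added Python walk-through of the posted topology. It is not code from the thread or from Cisco. Assumptions: the PIX outside address x.x.x.67 is 63.102.156.67 (the same /28 as the 3640's FastEthernet0/0), the Remote 1 host 192.168.0.10 is constructed, 64.58.76.178 is the address Dave quotes, RIP-learned routes are written out by hand, and PIX NAT is modelled as a plain rewrite of the source to the outside address.

```python
# Added example, not from the thread. Assumes the PIX outside x.x.x.67 is
# 63.102.156.67 (same /28 as the 3640's F0/0); host 192.168.0.10 is constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network


@dataclass
class Device:
    name: str
    interfaces: dict                 # interface -> "address/prefixlen"
    routes: list                     # (prefix, next hop): an IP or an interface name
    policy: dict = field(default_factory=dict)  # ingress iface -> (src prefix, default next-hop)
    nat_outside: str = None          # PIX: inside->outside traffic is PATed to this interface

    def egress(self, nh):
        """Interface through which next hop nh is reached."""
        if nh in self.interfaces:
            return nh
        for name, addr in self.interfaces.items():
            if ip_address(nh) in ip_interface(addr).network:
                return name
        return None

    def forward(self, src, dst, ingress):
        """Longest-prefix match, then PBR on the ingress interface, then NAT.
        Returns (next hop, egress interface, source address after this hop)."""
        best = None
        for prefix, nh in self.routes:
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return None, None, src
        net, nh = best
        pol = self.policy.get(ingress)
        # `set ip default next-hop` only replaces the default route, never a specific one
        if pol and net.prefixlen == 0 and ip_address(src) in ip_network(pol[0]):
            nh = pol[1]
        out = self.egress(nh)
        if self.nat_outside and out == self.nat_outside and ingress != self.nat_outside:
            src = str(ip_interface(self.interfaces[out]).ip)
        return nh, out, src


def trace(devices, start, ingress, src, dst, max_hops=10):
    """Walk a packet hop by hop; stops on delivery, exit from the model, or a loop."""
    by_addr = {str(ip_interface(a).ip): (d, i) for d in devices for i, a in d.interfaces.items()}
    path, seen, cur = [], set(), start
    for _ in range(max_hops):
        path.append(cur.name)
        if (cur.name, ingress) in seen:
            return path, "loop"
        seen.add((cur.name, ingress))
        nh, out, src = cur.forward(src, dst, ingress)
        if nh is None:
            return path, "no route"
        if nh == out:  # route points at an interface rather than an address
            if ip_address(dst) in ip_interface(cur.interfaces[out]).network:
                return path + [dst], "delivered"
            return path + [f"exit via {out}"], "exit"
        if nh not in by_addr:
            return path + [f"exit via {out} to {nh}"], "exit"
        cur, ingress = by_addr[nh]
    return path, "loop"


def build(default_3640="Serial0/0.1", pbr=False):
    """The four devices from the posted configs (RIP-learned routes written by hand)."""
    nj = Device("Marinoware_NJ",
                {"FastEthernet0/0": "63.102.156.65/28", "FastEthernet0/1": "192.168.3.6/24",
                 "Serial0/0.1": "157.130.255.34/30", "Serial3/0.100": "192.168.4.1/24",
                 "Serial3/0.102": "192.168.1.3/24"},
                [("0.0.0.0/0", default_3640),
                 ("63.102.156.64/28", "FastEthernet0/0"), ("192.168.3.0/24", "FastEthernet0/1"),
                 ("192.168.4.0/24", "Serial3/0.100"), ("192.168.1.0/24", "Serial3/0.102"),
                 ("192.168.0.0/24", "192.168.1.2"), ("192.168.5.0/24", "192.168.4.2")])
    if pbr:  # Dave's route-map: ACL 1 = 192.168.0.0 0.0.255.255, default next-hop 192.168.3.1
        nj.policy = {i: ("192.168.0.0/16", "192.168.3.1") for i in ("Serial3/0.100", "Serial3/0.102")}
    ny = Device("Marinoware_NY", {"Ethernet0/0": "192.168.0.1/24", "Serial0/0.1": "192.168.1.2/24"},
                [("0.0.0.0/0", "192.168.1.3"), ("192.168.0.0/24", "Ethernet0/0"),
                 ("192.168.1.0/24", "Serial0/0.1"), ("192.168.3.0/24", "192.168.1.3"),
                 ("192.168.4.0/24", "192.168.1.3"), ("192.168.5.0/24", "192.168.1.3")])
    de = Device("Delanco_NJ", {"Ethernet0/0": "192.168.5.2/24", "Serial0/0.1": "192.168.4.2/24"},
                [("0.0.0.0/0", "192.168.4.1"), ("192.168.5.0/24", "Ethernet0/0"),
                 ("192.168.4.0/24", "Serial0/0.1")])
    pix = Device("marinofw1", {"outside": "63.102.156.67/28", "inside": "192.168.3.1/24"},
                 [("0.0.0.0/0", "63.102.156.65"), ("63.102.156.64/28", "outside"),
                  ("192.168.3.0/24", "inside")]
                 + [(f"192.168.{n}.0/24", "192.168.3.6") for n in (0, 1, 4, 5)],
                 nat_outside="outside")
    return {"nj": nj, "ny": ny, "de": de, "pix": pix}


def remote_host_path(scenario, dst="64.58.76.178"):
    """Path of a packet from a Remote 1 host (192.168.0.10, constructed) to dst.
    scenario: "as-posted", "default-to-pix" (3640 default route at the PIX outside
    address) or "pbr" (Dave's route-map on the two frame-relay subinterfaces)."""
    top = build(default_3640="63.102.156.67" if scenario == "default-to-pix" else "Serial0/0.1",
                pbr=(scenario == "pbr"))
    return trace(list(top.values()), top["ny"], "Ethernet0/0", "192.168.0.10", dst)


if __name__ == "__main__":
    for s in ("as-posted", "default-to-pix", "pbr"):
        print(s, remote_host_path(s))
    print("pbr, remote-to-remote", remote_host_path("pbr", "192.168.5.10"))
```

In the "as-posted" trace the path is Marinoware_NY, Marinoware_NJ, exit via Serial0/0.1, with marinofw1 nowhere in it, which is the bypass Dave describes. In the "default-to-pix" trace the model reports a loop between the 3640 and the PIX; on the real box the `ip verify reverse-path interface outside` line in the posted PIX config would drop the packet at the outside interface instead, with the same result for the user. With "pbr" the path goes through marinofw1 and back out the 3640's Serial0/0.1 with the source already translated, and the remote-to-remote trace to 192.168.5.10 shows why `set ip default next-hop` rather than `set ip next-hop` is the right verb: traffic with a specific RIP route still follows the routing table to Delanco.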

 
Dave, thanks buddy... I'll try this tonight... I really appreciate all your guidance on this.
 
I have almost the same setup as you have here. I have a CO hanging off the core router and firewall. The core router and 3620 terminates my WAN on serial interface 0/1 and my Internet on serial interface 0/0. I use the Ethernet interface 0/0 for my internal private network for the CO, 192.168.1.0/24. The other Ethernet interface 0/1 is used for my outside public network. I assign a public IP address (routable) to my firewall's outside (Internet) interface. I assign another public routable IP address to my router's Ethernet 0/1 address. This enables the router and firewall to communicate properly. Then I assign my private 192.168.1.0/24 CO (central office) network address 192.168.1.2 to the firewall. The router Ethernet interface 0/0 (private), still on the same network as the firewall, is assigned 192.168.1.1 (this is the gateway for my private CO network). Here is where it gets tricky. In the router I have enabled policy routing. Inside the router the gateway of last resort is 0.0.0.0 0.0.0.0 192.168.1.2, which is the private IP of the inside address of the firewall. Policy routing points all WAN traffic coming from WAN private subnets to this address. I call this policy something like PRIVATELAN. I then use access lists to filter the traffic and correspond it to the appropriate map. Then when creating the policy I call the access list to apply to the specific traffic. Then I apply the policies to the appropriate interfaces on the WAN that will see the traffic. TOINTERNET is another policy I use to route traffic that is NATed from the firewall external IP address to the serial Internet interface of my router. The configuration is fairly straightforward if you draw it out; you just have to apply the access lists correctly. Essentially I have one big spider, with a local network hanging off the interface of the firewall.

CO traffic... goes from the 192.168.1.0 network to the router inside Ethernet, then to the firewall inside Ethernet, then to the outside firewall Ethernet, then back into the router, then out the Internet serial interface.


WAN traffic... comes from the WAN to a serial interface into the router, to the firewall inside address, is NATed, then out the outside firewall address, then back out to the same router, then out the Internet.

I hope this helps. You can find all kinds of info on Cisco's website regarding policy-based routing.


Mike Louis
CCNA,CCDA,Net+,A+,AASP
michaellouis@hotmail.com
 