Linking 2 Cisco 506e routers

stargonnc

IS-IT--Management
Nov 29, 2007
7
US
I have some experience with configuring routers but need help here. I have two routers on separate IP schemes and subnets: one is 192.168.1.x, the other 172.20.10.x. I have a program on the 172 network that needs to be shared to the other. I'm looking for someone that I can show both configs to that might be able to help me configure the access list. I also need to have access in on the 172 scheme to xpunlimited.
 
Supergrrover,

Would there be a way I could send both current configs to you and have you show me what to plug in? I tried and ended up making a mistake somewhere along the way.

Stargonnc
 
Go ahead and post them here.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent

I tried

TOS# show config
: Saved
: Written by enable_15 at 08:50:06.715 UTC Fri Oct 26 2007
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password wVolyRqUC55O9Zpf encrypted
passwd wVolyRqUC55O9Zpf encrypted
hostname TOS
domain-name seabrook.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list nat0 permit ip 172.20.10.0 255.255.255.0 172.20.11.0 255.255.255.0
access-list acl-out permit tcp any interface outside eq pcanywhere-data
access-list acl-out permit udp any interface outside eq pcanywhere-status
access-list acl-out permit tcp any host 66.31.77.245 eq pcanywhere-data
access-list acl_out permit udp any host 66.31.77.245 eq 5631
access-list acl_out permit tcp any host 66.31.77.245 eq pcanywhere-data
access-list acl_out permit udp any host 66.31.77.245 eq pcanywhere-status
access-list acl_out permit tcp any host 66.31.77.245 eq 3389
access-list acl_out permit udp any host 66.31.77.245 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.20.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.20.11.1-172.20.11.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 172.20.10.51 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 172.20.10.51 pcanywhere-status netmask 255.255.255.255 0 0
access-group acl-out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpn1 esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set vpn1
crypto map seabrook 1 ipsec-isakmp dynamic dynmap
crypto map seabrook interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
vpngroup sclient address-pool vpnpool
vpngroup sclient split-tunnel nat0
vpngroup sclient idle-time 1000
vpngroup sclient password ********
telnet 172.20.10.0 255.255.255.0 inside
telnet timeout 5
ssh 24.61.165.168 255.255.255.248 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:fcf9b7eef4b8322f485f22aca6d4a373

Here's one config, but the other I may have to email as a PDF.


Let me know
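
Added example (not part of any post in this thread): the posted config defines rules under two similarly named access lists, acl-out and acl_out, but its access-group command binds only acl-out. The Python sketch below lists every ACL that is defined but never referenced; the four reference commands it checks and the sample excerpt (constructed from lines of the config above) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the ACL-related lines from the posted config,
# with the RTF "\par" paste debris left in to show it is tolerated.
SAMPLE_CONFIG = r"""
access-list nat0 permit ip 172.20.10.0 255.255.255.0 172.20.11.0 255.255.255.0\par
access-list acl-out permit tcp any interface outside eq pcanywhere-data\par
access-list acl-out permit udp any interface outside eq pcanywhere-status\par
access-list acl_out permit tcp any host 66.31.77.245 eq 3389\par
access-list acl_out permit udp any host 66.31.77.245 eq 3389\par
nat (inside) 0 access-list nat0\par
access-group acl-out in interface outside\par
vpngroup sclient split-tunnel nat0\par
"""

# Commands that put an ACL to use (PIX 6.3 syntax): (pattern, label).
REFERENCES = [
    (re.compile(r"^access-group (\S+) in interface (\S+)"), "access-group"),
    (re.compile(r"^nat \(\S+\) \d+ access-list (\S+)"), "nat"),
    (re.compile(r"^vpngroup \S+ split-tunnel (\S+)"), "split-tunnel"),
    (re.compile(r"^crypto map \S+ \d+ match address (\S+)"), "crypto map"),
]

def audit_acls(config_text):
    """Return (defined, used): ACL name -> rules, ACL name -> referencing commands."""
    defined, used = defaultdict(list), defaultdict(list)
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.endswith("\\par"):          # drop RTF paste debris
            line = line[:-4].rstrip()
        m = re.match(r"^access-list (\S+) (permit|deny) (.+)$", line)
        if m:
            defined[m.group(1)].append(f"{m.group(2)} {m.group(3)}")
            continue
        for pattern, label in REFERENCES:
            r = pattern.match(line)
            if r:
                used[r.group(1)].append(label)
    return dict(defined), dict(used)

def unreferenced_acls(config_text):
    """ACLs that are defined but not referenced by any command checked above."""
    defined, used = audit_acls(config_text)
    return {name: rules for name, rules in defined.items() if name not in used}

if __name__ == "__main__":
    for name, rules in unreferenced_acls(SAMPLE_CONFIG).items():
        print(f"{name}: defined but never referenced ->", rules)
```

ACL names are compared as exact strings, so a hyphen/underscore difference is enough to leave a whole rule set unapplied.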
 
OK, so what are you trying to accomplish? I would suggest a site-to-site VPN between the two sites. That will allow whatever app you want to run.
Clear out whatever changes you have made to your configs and repost both of them.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
The application that we are trying to run is a 3rd-party Clarion database running on Pervasive SQL that will not run properly through a VPN but works fine from a mapped drive.

We used to be able to connect from the 192.168.1.x network to the 172.20.10.x network with the current config that you see. The only change that occurred is that the main server on the 172 side changed from 172.20.10.4 to 172.20.10.3. The other network has not changed at all, so I wonder if all I have to do is change some addressing or access list to get them to talk again.

I changed all the entries on the 192 router from 172.20.10.4 to 172.20.10.3 and then I got an IP address conflict on the primary network.
 