two firewalls?

jbenh
IS-IT--Management
Dec 2, 2002
We have a Watchguard firewall as our corporate unit, but one of our software vendors will not work with anything but Cisco. I am trying to set up a PIX 501 as a VPN gateway for this supplier. I am having problems with getting the PIX to work on our network. I have set up a PC with the PIX as its default gateway in order to test the setup.

Having followed the PDM Startup Wizard, this is my config.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
: password hashes as posted
enable password JyPYZb3TaIHQwJur encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname svpn
domain-name changed.com
: the only ACL entry; once the list is applied to an interface, anything it does not permit is implicitly denied
access-list inside_access_in permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 13.105.76.195 255.255.255.248
ip address inside 11.63.255.249 255.255.240.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
: PAT every inside host to the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: applied inbound on inside only; no ACL is applied on outside, and PIX 6.x does not track ICMP statefully, so echo-replies are not let back in by default
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 13.105.76.193 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
: PDM reachable from the whole inside /20
http 11.63.240.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
: default community string
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3e2099bf6e6e446dc934ec34d297ef57
: end
***
I removed the fixup lines here to save space, and we do not need DHCP.

The client PC cannot ping (request timed out) apple.com, but I can ping apple and both interfaces of the PIX from my PC.

I'm lost. Is there something simple I'm missing on the PIX, or is it two firewalls on the same network 11.63.240.0/20 (my Watchguard is 11.63.255.252), or something else?

Ben
 
Ben,

A few pointers...

Firstly, when posting a config on these forums, it is advisable to remove the encrypted strings for passwords and the cryptochecksum, as it may be possible to reconstitute the cleartext passwords from these. The same goes for your real IP addresses - it's just safer to keep this info private.

Secondly, you need to add a whole VPN connection to this PIX config. See the following link for information on setting up a simple VPN:
You will need to ensure that the pix at the other end of the VPN has a similar config as well - I recommend speaking with the IT administrator of your vendor and getting a copy (sanitised of course!) of their PIX information.

Another useful pointer is to look in this forum for any posting by Yizhar and follow the link in his signature to his site - you can download a tool called PIXCRIPT from there which will help create a sample PIX configuration.

Hope this helps,

HoinviP
 
HoinviP,

My first step is to get the PIX to route traffic from the inside to the outside. So I didn't include the VPN part.

I suppose you could try to decrypt my password, but if I have changed it and my IP addresses, then what's the point? I just think it's easier to read 11.63.240.0/20 than xxx.xxx.xxx.xxx/xx. I do understand the security issue.

We're not connecting PIX to PIX; they are going to use the Easy VPN client.

I did download Yizhar's config program, but that didn't work either, hence I posted an entire config so that people could see it.

Ben
 
Update,

The above config is working for all but ping. Once I get that working I'll start on VPN.

Ben
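Two things in this thread lend themselves to a worked example: HoinviP's advice to strip password hashes, the cryptochecksum and real addresses before posting a config, and the ping that still fails once the rest of the config works. The Python below is an added example, not code from the thread, from Cisco or from Tek-Tips. It sanitizes a PIX 6.x configuration for posting and then runs a few checks over it. The sample config is constructed from the lines Ben posted; the checks encode my own reading of PIX 6.x behaviour (no stateful ICMP inspection, implicit deny once an ACL is applied to an interface) and the names `sanitize`, `audit` and `SAMPLE_CONFIG` are mine, not anything stated in the thread.

```python
"""Sanitize and audit a Cisco PIX 6.x configuration before posting it.

Added example, not code from the thread, Cisco or Tek-Tips.
"""
import re

# Constructed sample: the lines from Ben's posted config that the checks below
# look at (addresses and hashes are the ones shown in the thread).
SAMPLE_CONFIG = """\
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password JyPYZb3TaIHQwJur encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
access-list inside_access_in permit icmp any any
ip address outside 13.105.76.195 255.255.255.248
ip address inside 11.63.255.249 255.255.240.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 13.105.76.193 1
http 11.63.240.0 255.255.240.0 inside
snmp-server community public
Cryptochecksum:3e2099bf6e6e446dc934ec34d297ef57
: end
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# matches "enable password <hash> encrypted" and "passwd <hash> encrypted"
SECRET = re.compile(r"^((?:enable )?pass(?:word|wd)) \S+( encrypted)?$")


def sanitize(config: str) -> str:
    """Apply HoinviP's advice: drop password hashes, the checksum and real addresses.

    Addresses are mapped into 192.0.2.0/24 (RFC 5737 documentation space) in
    first-seen order, so one real address always becomes the same placeholder
    and the topology stays readable.  Netmasks and 0.0.0.0 are left alone.
    """
    placeholders = {}

    def mask_ip(match):
        ip = match.group(0)
        if ip == "0.0.0.0" or ip.startswith("255."):
            return ip
        return placeholders.setdefault(ip, f"192.0.2.{len(placeholders) + 1}")

    out = []
    for line in config.splitlines():
        if line.startswith("Cryptochecksum:"):
            continue
        secret = SECRET.match(line)
        if secret:
            line = f"{secret.group(1)} <removed>{secret.group(2) or ''}"
        out.append(IPV4.sub(mask_ip, line))
    return "\n".join(out) + "\n"


def audit(config: str) -> list:
    """Return the findings a reviewer would raise about this config.

    The ICMP check encodes my reading of PIX 6.x (assumption, not from the
    thread): it has no stateful ICMP inspection, so the echo-reply to a ping
    from inside arrives on outside as a new packet and needs an explicit permit.
    """
    acls = {}      # ACL name -> [(action, protocol, rest of entry)]
    groups = {}    # interface -> ACL name applied inbound on it
    findings = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["access-list"] and len(parts) >= 4:
            acls.setdefault(parts[1], []).append((parts[2], parts[3], " ".join(parts[4:])))
        elif parts[:1] == ["access-group"] and len(parts) == 5:
            groups[parts[4]] = parts[1]
        elif parts == ["snmp-server", "community", "public"]:
            findings.append("snmp-server: default community string 'public' is set")

    # A tight ACL on outside is expected; on the other interfaces an ACL that
    # permits only one protocol silently blocks the rest of the outbound traffic.
    for iface, name in groups.items():
        if iface == "outside":
            continue
        permitted = {proto for action, proto, _ in acls.get(name, []) if action == "permit"}
        if "ip" not in permitted and not {"tcp", "udp"} <= permitted:
            findings.append(f"{iface}: access-group {name} permits only {sorted(permitted)}; "
                            "everything else from that interface is implicitly denied")

    outside_acl = acls.get(groups.get("outside", ""), [])
    if not any(action == "permit" and proto == "icmp" and "echo-reply" in rest
               for action, proto, rest in outside_acl):
        findings.append("outside: no ACL permits 'icmp ... echo-reply', "
                        "so replies to pings from inside are dropped on PIX 6.x")
    return findings


if __name__ == "__main__":
    print(sanitize(SAMPLE_CONFIG))
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed sample, `sanitize` returns the config with both hashes replaced by `<removed>`, the checksum line gone and the four real addresses rewritten as 192.0.2.1 through 192.0.2.4 while the masks survive, and `audit` reports three findings: the default SNMP community, an inside ACL that permits only ICMP, and the missing echo-reply permit on outside.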
 