Re: Pix worked in Lab not in the field?

Discussion in 'Cisco' started by Aaron Woody, Oct 20, 2003.

    Some basic questions first...

    1. Do you have link, do interfaces on both sides show up/up?
    2. Are you source pinging from PIX outside interface? ex. ping outside xxx.199.145.1
    3. If ping from inside, do you have RIP routes for 172.20.9.X network
    on the 2520 router?
    4. Also, a great book to read is the CCSP self-study book "CCSP Cisco
    Secure PIX Firewall Advanced" - Ciscopress

    Aaron


    "anonymous" <> wrote in message news:<F1ngb.17594$k74.13365@lakeread05>...
    > Folks,
    > I'm familiar with IOS, just not PIX... yet, and really want to learn. I
    > setup the following configs in my lab and they worked great, so I re-ip'd
    > one and left it at work. I brought the other one home and stole the IP from
    > my router here. Now they can't see each other. There may be some routing
    > issues. Can anyone point me in the right direction?
    >
    > Second, what are some good books I can learn to pick this up faster...I have
    > absolutely no one I can ask for a leg up.
    >
    > Does the 2520's gateway of last resort need to be pointed at the PIX at
    > XXX.199.145.3?
    >
    > At work I have a 2520 on the "outside" (XXX.43.154.166);
    > 2520's inside interface (XXX.199.145.1) is connected to the 501 PIX's
    > "outside" interface (XXX.199.145.3)
    > Yes, w/ an x-over cable;
    > PIX "inside" is plugged into the LAN.
    > All from Cisco's Firewall Design guide.
    >
    > Configs are:
    >
    > ***2520***
    >
    > version 12.1
    > no service single-slot-reload-enable
    > service timestamps debug datetime localtime
    > service timestamps log datetime localtime
    > service password-encryption
    > !
    > hostname
    > !
    > logging buffered warnings
    > aaa new-model
    > aaa authentication login default local
    > enable secret 5 xxxxxxxxxxxxxxxxxxxx
    > enable password 7 xxxxxxxxxxxxxx
    > !
    > username xxxx password 7 xxxxxxxxxxxxxxxx
    > !
    > !
    > ip subnet-zero
    > no ip source-route
    > no ip domain-lookup
    > ip name-server xxx.xxx.xxx.xxx
    > !
    > no ip bootp server
    > !
    > !
    > !
    > !
    > !
    > interface Ethernet0
    > ip address xxx.199.145.1 255.255.255.0
    > ip nat inside
    > no cdp enable
    > !
    > interface Serial0
    > no ip address
    > encapsulation frame-relay IETF
    > no ip mroute-cache
    > logging event subif-link-status
    > logging event dlci-status-change
    > no fair-queue
    > frame-relay lmi-type ansi
    > !
    > interface Serial0.1 point-to-point
    > ip address XXX.43.154.166 255.255.255.252
    > ip nat outside
    > no cdp enable
    > frame-relay interface-dlci XXX
    > !
    > interface Serial1
    > no ip address
    > shutdown
    > no cdp enable
    > !
    > interface Serial2
    > no ip address
    > shutdown
    > no cdp enable
    > !
    > interface Serial3
    > no ip address
    > shutdown
    > no cdp enable
    > !
    > interface BRI0
    > no ip address
    > shutdown
    > no cdp enable
    > !
    > router rip
    > passive-interface Serial0
    > passive-interface Serial0.1
    > network XX.0.0.0
    > network XXX.199.145.0
    > neighbor XXX.199.145.3 (Trying different things here)
    > no auto-summary
    > !
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Serial0.1
    > no ip http server
    > !
    > !
    > ip access-list extended test
    > ip access-list extended wan_in
    >
    > Access List has been snipped
    > I removed the Access-group command for diagnostics
    >
    >
    > ip access-list extended wan_out
    >
    > Access List has been snipped
    > I removed the Access-group command for diagnostics
    >
    > logging trap notifications
    > logging facility local0
    > logging source-interface Ethernet0
    > logging 172.20.9.37
    > no cdp run
    > snmp-server community password RO
    > snmp-server community password RW
    > snmp-server trap-source Ethernet0
    > snmp-server chassis-id inet1
    > snmp-server enable traps snmp
    > snmp-server enable traps config
    > snmp-server enable traps frame-relay
    > snmp-server host 175.20.9.36 password
    > !
    > line con 0
    > password 7 XXXXXXXXX
    > line aux 0
    > line vty 0 4
    > password 7 XXXXXXXXX
    > !
    > ntp clock-period 17179911
    > ntp server 129.6.15.28
    > end
    >
    >
    >
    > ***Work 501 PIX***
    >
    > :
    > PIX Version 6.3(1)
    > interface ethernet0 auto
    > interface ethernet1 100full
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password password encrypted
    > passwd password encrypted
    > hostname hq
    > domain-name cutout.com
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol ils 389
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > names
    > name 172.20.9.0 HQ_subnet
    > name XXX.199.145.1 INET1_Router
    > access-list inside_outbound_nat0_acl permit ip any any [Way too many but I was trying everything]
    > access-list outside_cryptomap_20 permit ip any any
    > access-list 102 permit icmp any any log
    > access-list 102 permit udp 172.20.0.0 255.255.0.0 eq ntp host INET1_Router eq ntp
    > access-list 102 permit ip 172.20.0.0 255.255.0.0 any
    > access-list 102 permit tcp 172.20.0.0 255.255.0.0 any
    > access-list 101 permit icmp any any log
    > access-list 101 permit ip any any log
    > access-list 101 permit icmp any any echo-reply
    > access-list 101 permit tcp any any
    > pager lines 24
    > logging on
    > logging timestamp
    > logging console informational
    > logging buffered debugging
    > logging trap informational
    > logging queue 0
    > logging host inside 172.20.9.36
    > icmp permit any outside
    > icmp permit XXX.199.145.0 255.255.255.0 echo outside
    > icmp permit any inside
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside XXX.199.145.3 255.255.255.0
    > ip address inside 172.20.9.3 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > pdm location 172.20.9.36 255.255.255.255 inside
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > nat (inside) 0 access-list inside_outbound_nat0_acl
    > nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    > access-group 101 in interface outside
    > access-group 102 in interface inside
    > rip outside default version 2
    > rip inside default version 2
    > route outside 0.0.0.0 0.0.0.0 INET1_Router 1
    > route outside 68.10.144.0 255.255.252.0 68.10.144.1 1 (trying to route to home)
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local
    > ntp server INET1_Router source outside prefer
    > ntp server 129.6.15.29 source outside
    > ntp server 129.6.15.28 source outside
    > http server enable
    > http 0.0.0.0 0.0.0.0 outside
    > http HQ_subnet 255.255.255.0 inside
    > snmp-server host inside 172.20.9.36
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > sysopt connection permit-ipsec
    > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    > crypto map outside_map 20 ipsec-isakmp
    > crypto map outside_map 20 match address outside_cryptomap_20
    > crypto map outside_map 20 set peer XX.10.147.54
    > crypto map outside_map 20 set transform-set ESP-3DES-MD5
    > crypto map outside_map interface outside
    > isakmp enable outside
    > isakmp key ******** address XX.10.147.54 netmask 255.255.255.255 no-xauth no-config-mode
    > isakmp policy 20 authentication pre-share
    > isakmp policy 20 encryption 3des
    > isakmp policy 20 hash md5
    > isakmp policy 20 group 2
    > isakmp policy 20 lifetime 86400
    > telnet HQ_subnet 255.255.255.0 inside
    > telnet timeout 5
    > ssh timeout 5
    > management-access inside
    > console timeout 0
    > terminal width 80
    > Cryptochecksum:310c5e9c08be63f520f28c99ab7bb23c
    > : end
    >
    >
    > ***Home 501 PIX***
    >
    > PIX Version 6.3(1)
    > interface ethernet0 auto
    > interface ethernet1 100full
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password password encrypted
    > passwd password encrypted
    > hostname remote
    > domain-name cutout.com
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol ils 389
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > names
    > name XXX.199.145.0 HQ_VPN
    > access-list inside_outbound_nat0_acl permit ip any any
    > access-list inside_outbound_nat0_acl permit icmp any any
    > access-list outside_cryptomap_20 permit ip any any
    > pager lines 24
    > logging on
    > logging console informational
    > logging buffered informational
    > icmp permit any outside
    > icmp permit any inside
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside 68.10.147.54 255.255.252.0
    > ip address inside 192.168.2.1 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > pdm location HQ_VPN 255.255.255.0 outside
    > pdm location 172.20.9.0 255.255.255.0 outside
    > pdm location XXX.XXX.154.164 255.255.255.252 outside
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > nat (inside) 0 access-list inside_outbound_nat0_acl
    > nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    > rip outside default version 2 authentication md5 milcom 1
    > route outside 0.0.0.0 0.0.0.0 66.43.154.166 2
    > route outside XXX.XXX.154.164 255.255.255.252 68.10.144.1 1
    > route outside 172.20.9.0 255.255.255.0 198.199.145.3 1
    > route outside HQ_VPN 255.255.255.0 XXX.XXX.154.166 2
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local
    > http server enable
    > http 192.168.2.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > sysopt connection permit-ipsec
    > service resetoutside
    > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    > crypto map outside_map 20 ipsec-isakmp
    > crypto map outside_map 20 match address outside_cryptomap_20
    > crypto map outside_map 20 set peer 198.199.145.3
    > crypto map outside_map 20 set transform-set ESP-3DES-MD5
    > crypto map outside_map interface outside
    > isakmp enable outside
    > isakmp key ******** address XXX.199.145.3 netmask 255.255.255.255 no-xauth no-config-mode
    > isakmp policy 20 authentication pre-share
    > isakmp policy 20 encryption 3des
    > isakmp policy 20 hash md5
    > isakmp policy 20 group 2
    > isakmp policy 20 lifetime 86400
    > telnet 192.168.2.0 255.255.255.0 inside
    > telnet timeout 5
    > ssh timeout 5
    > console timeout 0
    > terminal width 80
    > Cryptochecksum:86b155d05e625e83a5fe2888fe07c186
    > : end
     
    Aaron Woody, Oct 20, 2003
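
As an added example (not from this thread), a small Python checker for PIX 6.x text configs of the kind posted above: it resolves `name` aliases, then flags routes whose next hop is not on the named interface's connected subnet (the "routing issues" the poster suspects), an outside access-group that permits `ip any any`, PDM/HTTP management open to any outside address, and the default `public` SNMP community. The sample config is constructed from the home PIX above and is not a real device.

```python
import ipaddress
import re

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def lint_pix(config):
    """Return a list of finding strings for a PIX 6.x text configuration."""
    names, ifaces, routes, acls, groups, findings = {}, {}, [], {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("name "):                 # name <ip> <alias>
            _, ip, alias = line.split()[:3]
            names[alias] = ip
        elif m := IFACE_RE.match(line):              # ip address <if> <ip> <mask>
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := ROUTE_RE.match(line):              # route <if> <net> <mask> <gw> [metric]
            routes.append(m.groups())
        elif line.startswith("access-list "):
            acls.setdefault(line.split()[1], []).append(line)
        elif m := GROUP_RE.match(line):              # access-group <acl> in interface <if>
            groups[m[2]] = m[1]
        elif line.startswith("http ") and "0.0.0.0 0.0.0.0" in line and line.endswith("outside"):
            findings.append("http: PDM management is reachable from any address on outside")
        elif line == "snmp-server community public":
            findings.append("snmp: default community string 'public' is configured")
    for iface, net, mask, gw in routes:              # next hop must sit on the connected subnet
        gw_ip = ipaddress.ip_address(names.get(gw, gw))
        if iface in ifaces and gw_ip not in ifaces[iface].network:
            findings.append(f"route: next hop {gw_ip} for {names.get(net, net)}/{mask} "
                            f"is not on the {iface} subnet {ifaces[iface].network}")
    for iface, acl in groups.items():                # a firewall that permits everything inbound
        if iface == "outside" and any(" permit ip any any" in e for e in acls.get(acl, [])):
            findings.append(f"acl: {acl} is applied inbound on outside and permits ip any any")
    return findings

# Constructed sample, modelled on the home PIX posted in the thread (not a real device).
SAMPLE = """\
name 172.20.9.0 HQ_subnet
ip address outside 68.10.147.54 255.255.252.0
ip address inside 192.168.2.1 255.255.255.0
access-list 101 permit ip any any log
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.43.154.166 2
route outside HQ_subnet 255.255.255.0 198.199.145.3 1
route outside 68.10.144.0 255.255.252.0 68.10.144.1 1
http 0.0.0.0 0.0.0.0 outside
snmp-server community public
"""
```

Running `lint_pix(SAMPLE)` reports the two routes whose next hops (66.43.154.166 and 198.199.145.3) are not on the outside /22, while the route via 68.10.144.1 passes.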
