Cisco 1750 to PIX 515 Routing question

Discussion in 'Cisco' started by displays, Jul 19, 2007.

  1. displays

    displays Guest

    I'm creating a Site to Site VPN Failover connection between a Cisco
    1750 Router and a PIX 515 Firewall. I have a question about routing.
    The 1750 will initiate the connection if the primary connection goes
    down. The packets obviously should route from LAN behind the 1750 to
    the LAN behind the PIX. But my question is, how will packets going
    from LAN behind the PIX know to go through the VPN connection instead
    of using the regular connection between the two networks? Is the route
    dynamically created when the Router connects to the PIX and added to
    the current list of routes on the PIX? I've included both the
    Router and the PIX config.

    Thanks....

    1750 Router
    ------------------
    !
    version 11.2
    service password-encryption
    !
    hostname 1750Router
    !
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
    enable password 7 xxxxxxxxxxxxx
    !
    no ip domain-lookup
    !
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    group 2
    hash sha
    lifetime 28800
    crypto isakmp key xyxyxyx address x.x.117.15
    !
    ! must match the PIX transform-set "myset" (esp-3des esp-sha-hmac)
    crypto ipsec transform-set pix-set esp-3des esp-sha-hmac
    !
    crypto map pix 10 ipsec-isakmp
    set peer x.x.117.15
    set transform-set pix-set
    ! PIX side sets "set pfs group2"; both ends must agree or phase 2 fails
    set pfs group2
    match address 110
    !
    !
    interface FastEthernet0
    description Local LAN
    ip address 10.3.1.1 255.255.255.0
    !
    interface Serial0
    description Frame-Relay to Main Office
    bandwidth 1544
    ip address 10.1.2.2 255.255.255.0
    !
    interface Ethernet0
    description DSL Connection
    ip address x.x.191.169 255.255.255.0
    ip access-group 100 in
    ip nat outside
    no shutdown
    no cdp enable
    bandwidth 768
    crypto map pix
    !
    router eigrp 1
    redistribute rip
    network 10.0.0.0
    !
    router rip
    redistribute eigrp 1
    network 10.0.0.0
    !
    ip nat pool local1 x.x.191.169 x.x.191.169 netmask 255.255.255.0
    ip nat inside source list 20 pool local1
    ip nat inside source route-map nonat pool branch overload
    no ip classless
    ip route 0.0.0.0 0.0.0.0 10.1.2.1 100
    ip route 0.0.0.0 0.0.0.0 x.x.191.1 250
    !
    access-list 100 permit esp any any
    access-list 100 permit ahp any any
    access-list 100 permit icmp any any
    access-list 100 permit tcp any any established
    access-list 100 permit udp any any eq isakmp
    access-list 100 permit udp any any eq netbios-ns
    access-list 100 permit udp any any eq netbios-dgm
    access-list 102 deny eigrp any any
    access-list 102 deny udp any any eq rip
    access-list 102 permit ip any any
    access-list 110 permit ip 10.3.1.0 0.0.0.255 10.2.1.0 0.0.0.255
    access-list 130 deny ip 10.3.1.0 0.0.0.255 10.2.1.0 0.0.0.255
    access-list 130 permit ip 10.3.1.0 0.0.0.255 any
    !
    route-map nonat permit 10
    match ip address 130
    !
    line con 0
    exec-timeout 0 0
    line vty 0 4
    password 7 06020E2A435A08
    login
    !
    end

    PIX 515
    -----------

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 6ZN2OmW5fLXsIQBK encrypted
    passwd N58TEyopO9S56DF5 encrypted
    hostname PIX515
    domain-name yyyyy.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 102 permit icmp any any
    access-list 102 permit tcp any host x.x.117.30 eq smtp
    access-list 102 permit tcp any host x.x.117.32 eq smtp
    access-list 102 permit tcp any host x.x.117.30 eq lotusnotes
    access-list 102 permit tcp any host x.x.117.32 eq lotusnotes
    access-list 102 permit tcp any host x.x.117.30 eq www
    access-list 102 permit tcp any host x.x.117.32 eq www
    access-list 102 permit tcp any host x.x.117.33 eq ftp
    access-list 102 permit tcp any host x.x.117.32 eq https
    access-list 102 permit tcp any host x.x.117.50 eq pcanywhere-data
    access-list 102 permit udp any host x.x.117.50 eq pcanywhere-status
    access-list 102 permit udp any host x.x.117.100 eq pcanywhere-status
    access-list 102 permit tcp any host x.x.117.100 eq pcanywhere-data
    access-list 102 permit tcp any host x.x.117.100 eq 1503
    access-list 102 permit tcp any host x.x.117.100 eq 522
    access-list 102 permit tcp any host x.x.117.100 eq h323
    access-list 101 permit ip 10.2.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 101 permit ip 10.3.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 110 permit ip 10.2.1.0 255.255.255.0 10.3.1.0 255.255.255.0
    pager lines 24
    logging on
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.117.15 255.255.255.0
    ip address inside 10.2.1.5 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool bigpool 192.168.2.102-192.168.2.200
    pdm history enable
    arp timeout 14400
    global (outside) 1 x.x.117.102-x.x.117.200 netmask 255.255.255.0
    global (outside) 1 x.x.117.101 netmask 255.255.255.0
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) x.x.117.30 10.2.1.30 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.117.32 10.2.1.32 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.117.33 10.2.1.33 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.117.100 10.2.1.100 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.117.50 10.2.1.50 netmask 255.255.255.255 0 0
    access-group 102 in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.117.1 1
    route inside 10.3.1.0 255.255.255.0 10.2.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 10.2.1.33 cisco123 timeout 5
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 10.2.1.50 config.txt
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 30 set transform-set myset
    crypto map mymap 10 ipsec-isakmp
    crypto map mymap 10 match address 110
    crypto map mymap 10 set pfs group2
    crypto map mymap 10 set peer x.x.191.169
    crypto map mymap 10 set transform-set myset
    crypto map mymap 10 set security-association lifetime seconds 3600 kilobytes 4608000
    crypto map mymap 30 ipsec-isakmp dynamic dynmap
    crypto map mymap client authentication RADIUS
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key xyxyxyx address x.x.191.169 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup mechvpn address-pool bigpool
    vpngroup mechvpn dns-server 10.2.1.20 10.3.1.20
    vpngroup mechvpn wins-server 10.2.1.20
    vpngroup mechvpn default-domain yyyyy.com
    vpngroup mechvpn split-tunnel 101
    vpngroup mechvpn idle-time 1800
    vpngroup mechvpn max-time 86400
    vpngroup mechvpn password zzzzzzzzz
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
     
    displays, Jul 19, 2007
    #1

  2. Scott Perry

    Scott Perry Guest

    Try putting a "floating" static route on the router behind the PIX.

    Router(config)# ip route 10.1.1.0 255.255.255.0 FastEthernet0/1 10.1.0.1 200

    A floating static route has an administrative weight higher than the dynamic
    routing protocol. The dynamic routing protocol, such as EIGRP which has an
    administrative weight of 90, is the preferred method of determining the
    route to the destination network - 10.1.1.0/24 in this example. When the
    link drops, the advertisement of the network goes away, and the static route
    with an administrative weight of 200 is the next best choice.

    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
     
    Scott Perry, Jul 25, 2007
    #2

  3. Merv

    Merv Guest

    IOS 11.2 on 1750 ??? - you might want to upgrade this to something a
    little more recent


    no ip classless <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    ip route 0.0.0.0 0.0.0.0 10.1.2.1 100
    ip route 0.0.0.0 0.0.0.0 x.x.191.1 250


    If you are going to try to reach network 10 behind the PIX over DSL using
    default routing, then you need to enable "ip classless".


    BTW why are both EIGRP and RIP being used ???
     
    Merv, Jul 25, 2007
    #3
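    Putting Scott's floating static route and Merv's "ip classless" point together
    against the addresses in the posted configs, as an added example (these lines
    are not from the original thread and are not the poster's working config). It
    assumes the LAN router behind the PIX is 10.2.1.1 (the next hop the PIX already
    uses for 10.3.1.0), that it learns 10.3.1.0/24 from the 1750 via EIGRP over the
    frame relay, and that the PIX inside address stays 10.2.1.5. Three pieces are
    needed, one per box, so that return traffic from the main office reaches the
    crypto map on the PIX only when the frame relay is down:

```text
! 1750 (branch): IOS 11.2 defaults to classful lookup, so with 10.3.1.0/24
! directly connected it treats all of 10.0.0.0/8 as "known" and will not use
! the default route for 10.2.1.0/24 once the EIGRP route disappears.
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.2.1 100
ip route 0.0.0.0 0.0.0.0 x.x.191.1 250

! LAN router at the main office (assumed 10.2.1.1): EIGRP (AD 90) supplies
! 10.3.1.0/24 while the frame relay is up; when that route is withdrawn the
! floating static (AD 200) takes over and hands the traffic to the PIX.
ip route 10.3.1.0 255.255.255.0 10.2.1.5 200

! PIX 515: the subnet behind the 1750 must be routed out the outside interface
! so the crypto map (match address 110) can encrypt it. The existing
! "route inside 10.3.1.0 ..." would point the traffic back at the LAN router.
no route inside 10.3.1.0 255.255.255.0 10.2.1.1 1
route outside 10.3.1.0 255.255.255.0 x.x.117.1 1
```

    The PIX's "nat (inside) 0 access-list 101" only exempts the VPN-client pool
    from NAT; for the site-to-site traffic to leave unNATted, ACL 101 also needs
    a line matching 10.2.1.0/24 to 10.3.1.0/24 (the same pair ACL 110 selects for
    the tunnel). To confirm the failover path, shut the serial interface on the
    1750 and check "show ip route 10.2.1.0" there, "show ip route 10.3.1.0" on the
    LAN router, and "show crypto ipsec sa" on the PIX for a growing packet count
    on the 10.2.1.0/10.3.1.0 SA.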
