Help with cisco PIX and 2600 routers and private circuit

  • Help with cisco PIX and 2600 routers and private circuit

    I am attaching a jpeg of the network architecture.
    When in the routers I can ping fine each side, either MN or FLL.
    When I am in the PIXs I can ping each router interface IP fine, either FLL or MN.
    But no host from FLL can ping any host of MN and vice versa.

    The routers have EIGRP and I believe they are working fine.

    Each LAN has as gateway the corresponding PIX, and I need the hosts in FLL to be able to talk to the hosts in MN and vice versa through the private bonded T circuit between the 2 Cisco 2600 routers.
    I have been playing with this for the last two days to no avail; if anybody can help I will appreciate it.
    Last edited by upcic; 9th September 2008, 21:08.

  • #2
    Re: Help with cisco PIX and 2600 routers and private circuit

    Do a traceroute from a PC on FLL to a PC on MN and see where the packets go. Also, based on your picture it looks like the PCs, router, and firewall on each network are connected to the same segment, so what keeps the PCs from going directly through the router instead of the firewall (except for the gateway address on each PC)? What I'm saying is that traffic is not forced through your firewall, and in fact external traffic can get directly to each LAN segment without being inspected by the firewall. I would recommend that the physical connections look like this:

    Router---> Firewall--->LAN Segment--->PC

    • #3
      Re: Help with cisco PIX and 2600 routers and private circuit

      I see what you are saying, so:

      Router-------
      |
      |-------->LAN===>
      |
      Firewall------

      will not work, huh?

      • #4
        Re: Help with cisco PIX and 2600 routers and private circuit

        It works as far as connectivity is concerned, but the router is not protecting your network. The current configuration would allow connections from the outside to go through your router directly to your network. The firewall should be connected physically between your router and your network so that all traffic coming in and going out has to go through the firewall.

        • #5
          Re: Help with cisco PIX and 2600 routers and private circuit

          I am not concerned about the security of it right now; besides, I can manage this from the PIX itself. My issue right now is to understand why hosts from one LAN cannot ping hosts on the other LAN through the point-to-point between the two locations.

          • #6
            Re: Help with cisco PIX and 2600 routers and private circuit

            OK, but I would be concerned about security. As it is right now your PIX is not and cannot protect your network, as traffic can reach your network without being forced through or inspected by the PIX. Anyway, run a traceroute from one of the PCs on one network to one of the PCs on the other network, see where the packets go, and post the results here.

            • #7
              Re: Help with cisco PIX and 2600 routers and private circuit

              Right, traceroutes from hosts in the FLL LAN to the other one don't go anywhere; they die right away.

              For example, I am on HOST A with IP 10.20.20.21 and tracert 10.210.20.21, which is HOST C in the other LAN: nothing....
              I also tried to tracert from 10.20.20.21 to the Cisco 2600 fast ethernet 10.210.20.65, and nothing; but if I am inside the 2600 in FLL I can ping the MN 2600 just fine, all interfaces, the serial ones and the fast ethernet. I cannot, though, ping any host either.

              • #8
                Re: Help with cisco PIX and 2600 routers and private circuit

                Try this on the Miami pix.

                route inside 10.210.20.0 255.255.255.224 10.20.20.8 1

                This on the NY pix.

                route inside 10.20.20.0 255.255.252.0 10.210.20.65 1

                EDIT: Can you post the output of (show ip route) also?
                Last edited by Daze; 10th September 2008, 16:04.
                CCNA, Network+

                • #9
                  Re: Help with cisco PIX and 2600 routers and private circuit

                  Yes, I did that yesterday in both PIXes and still....

                  This is the show route from FLL (VISI is the named LAN in MN):
                  ========================================

                  UPcolo# sh route

                  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
                  D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                  N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                  E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
                  i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
                  * - candidate default, U - per-user static route, o - ODR
                  P - periodic downloaded static route

                  Gateway of last resort is 204.2.245.161 to network 0.0.0.0

                  C 204.2.245.160 255.255.255.224 is directly connected, outside
                  C 10.20.20.0 255.255.252.0 is directly connected, inside
                  S HQVAULT 255.255.252.0 [1/0] via 10.100.20.1, metroe
                  C 10.50.20.0 255.255.255.0 is directly connected, dmz
                  S 10.25.0.103 255.255.255.255 [1/0] via 204.2.245.161, outside
                  S 10.25.0.102 255.255.255.255 [1/0] via 204.2.245.161, outside
                  S 10.25.0.101 255.255.255.255 [1/0] via 204.2.245.161, outside
                  S 10.25.0.100 255.255.255.255 [1/0] via 204.2.245.161, outside
                  S 10.25.0.105 255.255.255.255 [1/0] via 204.2.245.161, outside
                  C 10.100.20.0 255.255.255.0 is directly connected, metroe
                  S 10.25.0.104 255.255.255.255 [1/0] via 204.2.245.161, outside
                  S VISI 255.255.255.0 [1/0] via 10.20.20.8, inside
                  S* 0.0.0.0 0.0.0.0 [1/0] via 204.2.245.161, outside

                  Below is the sh route for the MN PIX:
                  =============================
                  URAMNColo# sh route
                  outside 0.0.0.0 0.0.0.0 208.42.167.254 1 OTHER static
                  inside 10.20.20.0 255.255.252.0 10.210.20.65 1 OTHER static
                  inside 10.210.20.0 255.255.255.0 10.210.20.10 1 CONNECT static
                  dmz 10.250.20.0 255.255.255.0 10.250.20.10 1 CONNECT static
                  outside 208.42.167.224 255.255.255.224 208.42.167.225 1 CONNECT static

                  • #10
                    Re: Help with cisco PIX and 2600 routers and private circuit

                    Sorry, I meant from the 2600 routers, because you said that you can ping all interfaces from both routers but not the hosts.
                    CCNA, Network+

                    • #11
                      Re: Help with cisco PIX and 2600 routers and private circuit

                      No problem:
                      show ip route FLL
                      ================

                      1vaultP2P>show ip route
                      Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
                      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                      E1 - OSPF external type 1, E2 - OSPF external type 2
                      i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
                      ia - IS-IS inter area, * - candidate default, U - per-user static route
                      o - ODR, P - periodic downloaded static route

                      Gateway of last resort is not set

                      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
                      C 10.20.20.0/22 is directly connected, FastEthernet0/0
                      D 10.210.20.0/24 [90/2181120] via 10.200.20.2, 01:53:23, Serial0/0
                      [90/2181120] via 10.200.20.6, 01:53:23, Serial0/1
                      C 10.200.20.4/30 is directly connected, Serial0/1
                      C 10.200.20.0/30 is directly connected, Serial0/0

                      ======================

                      show ip route MN
                      =============
                      Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
                      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                      E1 - OSPF external type 1, E2 - OSPF external type 2
                      i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
                      ia - IS-IS inter area, * - candidate default, U - per-user static route
                      o - ODR, P - periodic downloaded static route

                      Gateway of last resort is not set

                      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
                      D 10.20.20.0/22 [90/2181120] via 10.200.20.1, 01:54:20, Serial0/0
                      [90/2181120] via 10.200.20.5, 01:54:20, Serial0/1
                      C 10.210.20.0/24 is directly connected, FastEthernet0/1
                      C 10.200.20.4/30 is directly connected, Serial0/1
                      C 10.200.20.0/30 is directly connected, Serial0/0

                      • #12
                        Re: Help with cisco PIX and 2600 routers and private circuit

                        Also, these are the pings from the MN router.
                        Pinging the MN fa interface is fine, pinging the local server is fine, pinging the fa interface in FLL is fine;
                        it fails to ping the server in FLL.

                        visip2p>ping 10.210.20.65

                        Type escape sequence to abort.
                        Sending 5, 100-byte ICMP Echos to 10.210.20.65, timeout is 2 seconds:
                        !!!!!
                        Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
                        visip2p>ping 10.210.20.21

                        Type escape sequence to abort.
                        Sending 5, 100-byte ICMP Echos to 10.210.20.21, timeout is 2 seconds:
                        !!!!!
                        Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
                        visip2p>ping 10.20.20.8

                        Type escape sequence to abort.
                        Sending 5, 100-byte ICMP Echos to 10.20.20.8, timeout is 2 seconds:
                        !!!!!
                        Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
                        visip2p>ping 10.20.20.21

                        Type escape sequence to abort.
                        Sending 5, 100-byte ICMP Echos to 10.20.20.21, timeout is 2 seconds:
                        .....
                        Success rate is 0 percent (0/5)


                        Something similar happens from the FLL router.

                        • #13
                          Re: Help with cisco PIX and 2600 routers and private circuit

                          OK, this is what I have come up with.

                          Change the MN router FA0/1 IP address to 10.210.20.8 (or similar) because it is on a different subnet than the PIX and hosts.

                          NY Pix should have:
                          route inside 10.20.20.0 255.255.252.0 10.210.20.8 1
                          route inside 10.200.20.0 255.255.255.224 10.210.20.8 1


                          Miami Pix should have:
                          route inside 10.210.20.0 255.255.255.0 10.20.20.8 1
                          route inside 10.200.20.0 255.255.255.224 10.20.20.8 1


                          So give that a try. If it still does not work, then EIGRP is not configured correctly.

                          I whipped this up in dynamips, so if you want my configs let me know.
                          CCNA, Network+
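The routing tables posted in #9 and #11 are enough to walk the path hop by hop and see what the thread's observations look like as plain route lookups: the hairpin through the PIX that #2, #4 and #6 object to, the /27 mask suggested in #8, the failed ping from the MN router in #12, and the extra 10.200.20.0 route that #13 adds. What follows is an added example, not code from the thread or from any of its posters: a small Python longest-prefix-match walker over those tables. Assumptions that are not in the posts: the PIX entry shown as VISI is 10.210.20.0/24 (the poster says VISI is the MN LAN); only the first of the two EIGRP equal-cost paths is kept; device names (FLL-PIX, FLL-RTR, MN-RTR, MN-PIX) are invented labels; and the walker evaluates routes only, so it says nothing about whether a PIX will forward a packet back out the same interface it arrived on, which has to be checked on the PIX itself. For the #12 ping, IOS sources the echo from the egress interface by default, so the reply from 10.20.20.21 is addressed to 10.200.20.2 or 10.200.20.6, both inside 10.200.20.0/27.

```python
import ipaddress

# Routing tables transcribed from the "sh route" / "show ip route" output posted
# in the thread. Each entry: (prefix, next hop or "connected", interface).
# Assumption: the PIX entry shown as "VISI" is the MN LAN 10.210.20.0/24.
# Assumption: only the first of each pair of EIGRP equal-cost paths is kept.
TABLES = {
    "FLL-PIX": [
        ("204.2.245.160/27", "connected", "outside"),
        ("10.20.20.0/22", "connected", "inside"),
        ("10.50.20.0/24", "connected", "dmz"),
        ("10.100.20.0/24", "connected", "metroe"),
        ("10.210.20.0/24", "10.20.20.8", "inside"),
        ("0.0.0.0/0", "204.2.245.161", "outside"),
    ],
    "FLL-RTR": [
        ("10.20.20.0/22", "connected", "FastEthernet0/0"),
        ("10.210.20.0/24", "10.200.20.2", "Serial0/0"),
        ("10.200.20.0/30", "connected", "Serial0/0"),
        ("10.200.20.4/30", "connected", "Serial0/1"),
    ],
    "MN-RTR": [
        ("10.20.20.0/22", "10.200.20.1", "Serial0/0"),
        ("10.210.20.0/24", "connected", "FastEthernet0/1"),
        ("10.200.20.0/30", "connected", "Serial0/0"),
        ("10.200.20.4/30", "connected", "Serial0/1"),
    ],
    "MN-PIX": [
        ("0.0.0.0/0", "208.42.167.254", "outside"),
        ("10.20.20.0/22", "10.210.20.65", "inside"),
        ("10.210.20.0/24", "connected", "inside"),
        ("10.250.20.0/24", "connected", "dmz"),
        ("208.42.167.224/27", "connected", "outside"),
    ],
}

# Which modelled device owns each next-hop address (interface IPs from the thread).
OWNER = {
    "10.20.20.8": "FLL-RTR", "10.200.20.1": "FLL-RTR", "10.200.20.5": "FLL-RTR",
    "10.210.20.65": "MN-RTR", "10.200.20.2": "MN-RTR", "10.200.20.6": "MN-RTR",
    "10.210.20.10": "MN-PIX",
}


def covers(prefix, host):
    """True if the route prefix (e.g. '10.210.20.0/27') contains the host address."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(prefix)


def lookup(table, dst):
    """Longest-prefix match over one table: (prefix, next_hop, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def with_route(tables, device, entry):
    """Copy of the tables with one extra (prefix, next_hop, iface) route on `device`."""
    new = {name: list(rows) for name, rows in tables.items()}
    new[device].append(entry)
    return new


def path(src, first_hop, dst, tables=TABLES, max_hops=8):
    """Walk the tables from the host's gateway device towards dst.

    Returns the devices traversed, ending in dst when a connected route
    delivers it, 'NO ROUTE' when a table has nothing, or a 'LEAVES VIA ...'
    marker when the next hop is outside the modelled devices (e.g. the ISP).
    """
    hops = [src]
    dev = first_hop
    for _ in range(max_hops):
        hops.append(dev)
        route = lookup(tables[dev], dst)
        if route is None:
            hops.append("NO ROUTE")
            return hops
        _prefix, nh, iface = route
        if nh == "connected":
            hops.append(dst)
            return hops
        if nh not in OWNER:
            hops.append(f"LEAVES VIA {dev}/{iface} to {nh}")
            return hops
        dev = OWNER[nh]
    hops.append("LOOP")
    return hops


if __name__ == "__main__":
    print("host A -> host C:", path("10.20.20.21", "FLL-PIX", "10.210.20.21"))
    print("host C -> host A:", path("10.210.20.21", "MN-PIX", "10.20.20.21"))
    print("reply to MN router serial:", path("10.20.20.21", "FLL-PIX", "10.200.20.2"))
    fixed = with_route(TABLES, "FLL-PIX", ("10.200.20.0/27", "10.20.20.8", "inside"))
    print("same, with the #13 route:", path("10.20.20.21", "FLL-PIX", "10.200.20.2", fixed))
    print("/27 from #8 covers .65?", covers("10.210.20.0/27", "10.210.20.65"))
```

Three things fall out of the walk. The host-to-host forward path is host, FLL PIX, FLL router, MN router, host: the PIX has to send the packet back out its inside interface, which is the topology #2 and #4 describe. The return path is host, MN PIX, MN router, FLL router, host: the FLL PIX never sees it, which is the inspection gap #6 points at. And a reply addressed to the MN router's serial address matches nothing on the FLL PIX but the default route and leaves via outside, which is consistent with the failed ping in #12 and is what the 10.200.20.0 route in #13 changes; the /27 mask in #8 does not contain 10.210.20.65, which the /24 in #13 does.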

                          • #14
                            Re: Help with cisco PIX and 2600 routers and private circuit

                            I really appreciate that you are trying to help!!
                            I implemented your suggestion and no dice. Below is the FLL router config:

                            ==============================

                            1vaultP2P#sh ru
                            Building configuration...

                            Current configuration : 2476 bytes
                            !
                            version 12.3
                            service nagle
                            no service pad
                            service tcp-keepalives-in
                            service timestamps debug datetime msec localtime
                            service timestamps log datetime localtime
                            no service password-encryption
                            no service dhcp
                            !
                            hostname 1vaultP2P
                            !
                            boot-start-marker
                            boot-end-marker
                            !
                            no logging rate-limit
                            no logging console
                            enable secret 5 $1$z65M$rMqPGlDMjPzr3siq5BmgR0
                            !
                            clock timezone EST -5
                            clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
                            no network-clock-participate slot 1
                            no network-clock-participate wic 0
                            no aaa new-model
                            ip subnet-zero
                            no ip source-route
                            ip cef
                            !
                            !
                            no ip ftp passive
                            no ip domain lookup
                            !
                            no ip bootp server
                            !
                            !
                            !
                            !
                            interface FastEthernet0/0
                            ip address 10.20.20.8 255.255.252.0
                            duplex auto
                            speed auto
                            !
                            interface Serial0/0
                            ip address 10.200.20.1 255.255.255.252
                            service-module t1 timeslots 1-24
                            !
                            interface FastEthernet0/1
                            no ip address
                            shutdown
                            duplex auto
                            speed auto
                            !
                            interface Serial0/1
                            ip address 10.200.20.5 255.255.255.252
                            no fair-queue
                            service-module t1 timeslots 1-24
                            !
                            router eigrp 200
                            network 10.20.20.8 0.0.0.0
                            network 10.200.20.1 0.0.0.0
                            network 10.200.20.5 0.0.0.0
                            network 10.210.20.0 0.0.0.255
                            no auto-summary
                            !
                            no ip http server
                            ip classless
                            !
                            !
                            snmp-server community public RO
                            banner login ^C
                            ################################################## ########################
                            # #
                            # *** AUTHORIZED USERS ONLY *** #
                            # #
                            # This is a private network. #
                            # The unauthorized access, use or modification of this device, #
                            # network, the data contained herein, or in transit to and from #
                            # is a violation of federal, state, and local laws. #
                            # You must have explicit permission to configure the device or #
                            # or access the network. All activities on this device are #
                            # logged and the network is monitored. Persons violating the #
                            # system shall be prosecuted to the fullest extent permitted #
                            # by law. #
                            # #
                            ################################################## ########################^C
                            !
                            line con 0
                            line aux 0
                            line vty 0 4
                            password ******
                            login
                            !
                            scheduler allocate 4000 1000
                            !
                            end

                            1vaultP2P#

                            • #15
                              Re: Help with cisco PIX and 2600 routers and private circuit

                              OK, your show run is different from your attached image. I am attaching my configs from dynamips. Have a look; I have full connectivity between both PIXes.
                              CCNA, Network+
