PIX 501 behind a Linksys WRT54G3G
#1
217.174.88.nn (static IP)
-------------
| 3G Router |
-------------
192.168.10.1
|
192.168.10.2
-------------
|  PIX 501  |
-------------
192.168.215.1
|
Internal network
--------------------------------

The reason for using the PIX is that we want to set up a site-to-site VPN between our 192.168.215 network and another remote network. The 3G router is configured to use VPN pass-through and to forward ports 1723, 4500 and 500 to 192.168.10.2.

I can't find any references if/how this can be done. Any advice or hints on how to configure the PIX for a setup like this would be great!

Thanks,
/Janne

PS. My current PIX setup follows. As far as we can see the tunnel is created, but we can't ping the remote site...

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname torpa
domain-name torpa-vent.se
clock timezone CET 1
clock summer-time CET recurring 4 Sun Mar 2:00 4 Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 192.168.215.0 255.255.255.0 host 172.32.100.20
access-list 101 permit ip 192.168.215.0 255.255.255.0 host 172.32.100.20
access-list 101 permit ip 192.168.215.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 103 permit icmp any any echo-reply
pager lines 24
logging on
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.10.2 255.255.255.0
ip address inside 192.168.215.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.16.1-192.168.16.30
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 103 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 130.235.20.3 source outside
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set jsc esp-3des esp-sha-hmac
crypto map brand 10 ipsec-isakmp
crypto map brand 10 match address 100
crypto map brand 10 set peer 80.84.36.62
crypto map brand 10 set transform-set jsc
crypto map brand interface outside
isakmp enable outside
isakmp key ******** address 80.84.36.62 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 80.84.36.48 255.255.255.240 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 195.67.199.30 195.67.199.31
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxx password *********
vpdn enable outside
dhcpd address 192.168.215.2-192.168.215.33 inside
dhcpd dns 217.174.65.61 217.174.65.62
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:9115b06c3f33692aed30c091b
: end
#2
> forward ports 1723, 4500 and 500 to 192.168.10.2.

You don't need 1723 for IPSEC. Make sure 500 and 4500 are UDP and not TCP. Add this to the PIX:

isakmp nat-traversal 20

> access-list 100 permit ip 192.168.215.0 255.255.255.0 host 172.32.100.20

So you're only trying to access one single host on the other side of the VPN tunnel? That side must be set up with a mirror image of the access-list (assuming it is also a Cisco end point):

access-list 100 permit ip host 172.32.100.20 192.168.215.0 255.255.255.0
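The answer above makes two points that are easy to get wrong by hand: the crypto access-list on each end must be the exact mirror of the other, and only traffic that matches that access-list is "interesting" and gets encrypted (here, only packets from 192.168.215.0/24 to the single host 172.32.100.20). The script below is an added example, not code from the thread or from Cisco. It parses the PIX 6.3 `access-list NAME permit ip SRC DST` form used in the config above (`host X`, `NET MASK` and `any` operands are assumed to be the only address forms), checks a local ACL against a peer ACL for mirror-image entries, and tests whether a given source/destination pair would match. The peer-side ACL is constructed for the example; the thread only states that it must be a mirror.

```python
"""Mirror-image check for Cisco PIX/ASA crypto access-lists.

Added example for this thread (not the poster's or Cisco's code). PIX ACL
masks are subnet masks, not IOS wildcard masks, so they map directly onto
ipaddress networks.
"""
import ipaddress
import re

# Local crypto ACL, copied from the PIX config in post #1.
LOCAL_ACL = """
access-list 100 permit ip 192.168.215.0 255.255.255.0 host 172.32.100.20
"""

# Constructed peer ACL: the mirror the answer asks for, plus one extra entry
# that the local side does not mirror, so the checker has something to report.
PEER_ACL = """
access-list 100 permit ip host 172.32.100.20 192.168.215.0 255.255.255.0
access-list 100 permit ip 172.32.100.0 255.255.255.0 192.168.215.0 255.255.255.0
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.*)$")


def _take_operand(tokens):
    """Consume one address operand (any | host X | NET MASK) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_crypto_acl(text, name):
    """Return the set of (src_net, dst_net) pairs for ACL `name` in `text`."""
    pairs = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        tokens = m.group(2).split()
        src = _take_operand(tokens)
        dst = _take_operand(tokens)
        pairs.add((src, dst))
    return pairs


def mirror_report(local, peer):
    """Return (local entries the peer does not mirror, peer entries the local
    side does not mirror). Both sets are expressed in the local direction."""
    mirrored_peer = {(dst, src) for src, dst in peer}
    return local - mirrored_peer, mirrored_peer - local


def is_interesting(pairs, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip matches the crypto ACL, i.e. would be
    sent through the tunnel rather than out via the normal NAT path."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in pairs)


if __name__ == "__main__":
    local = parse_crypto_acl(LOCAL_ACL, "100")
    peer = parse_crypto_acl(PEER_ACL, "100")
    local_only, peer_only = mirror_report(local, peer)
    for src, dst in local_only:
        print(f"peer lacks mirror of: {src} -> {dst}")
    for src, dst in peer_only:
        print(f"local lacks mirror of: {src} -> {dst}")
    # A ping from an inside host to the one permitted remote host is
    # interesting traffic; a ping to any other remote address is not.
    print(is_interesting(local, "192.168.215.10", "172.32.100.20"))
    print(is_interesting(local, "192.168.215.10", "172.32.100.21"))
```

The second check is the one to run before blaming NAT traversal: if the address you are pinging on the far side is not inside a destination of ACL 100, the PIX never encrypts the packet, and a tunnel that shows as established will still carry nothing.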
#3
Did you resolve your problem? I have the same issue. I plugged an ASA 5505 behind the WRT54G3G and I can connect the VPN, but I can't access any servers... Whereas it works well if I plug the same ASA 5505 behind an ADSL router.

Thanks for your help,
regards
Fiktr