-
July 18th, 2003, 01:04 AM
#1
Junior Member
Cisco PIX point to point T1 configuration
Hey, what's up? First I'd like to introduce myself. My name is Chris and yes I'm a noob. I was hoping someone here could help me out. We are currently trying to configure our PIX in Texas to our PIX in NY through a point to point T1 line. I personally don't have ANY experience with Cisco but the guys at work do. It seems that they cannot get it to communicate. I know this is not much detail but any help would be appreciated. I tried finding information on Cisco's site but was unsuccessful. If anyone here has done this before, I would love to hear how you set it up. Thanks a lot!!! I appreciate the help in advance!!
I'm sure more information will be needed so just tell me what you need to know and I'll get on top of it.
Thanks
Chris
-
July 18th, 2003, 02:59 AM
#2
Point to Point T1's are a pretty simple thing. Could you post a sample config? In my experience 90% of the time when a P to P T1 doesn't come up right away, it's something with the telco. Check the line cards at the DMARC to see if there are any alarm lights. If both ends look good and you can give a little info about the circuit I'd be happy to step you through it.
-
July 18th, 2003, 03:08 AM
#3
I have configured several of these; I would need more information to help. Have you verified the T1 is up from end to end? What type of T1 do you have? Do you have connectivity between both ends without the PIXes? Are the T1's connected to a public network?
Work... Some days it's just not worth chewing through the restraints...
-
July 18th, 2003, 01:43 PM
#4
Ok.... To start with I will assume that the T1 is good. That, of course is a huge assumption on a new install of a T1. I have some 10-15 point to point T1's in my WAN and only about 4 have ever been properly installed and provisioned by SBC.....
The quick way to make a decision is to get into the router in privileged mode and type sh int ser X where X is the number of the serial interface. You should see a "SerialX is up. Line Protocol is up". This is good. If either is down then you need to start looking at the CSU/DSU or WICT1 card configuration. All my T1's are set in the following way:-
Frame: ESF
Encoding: B8ZS
Timing: Network
Timeslots: 6 or all depending on whether it is a fractional, (386kbps), or full T1.
Your Telco should be using ESF/B8ZS. If they aren't I would ask them to since it is the most efficient. The other options would be SF/AMI which are no longer the standard.
Once you are provisioned correctly at both ends to match the Telco's settings you should see "SerialX up. Line Protocol up." when you do a sh int X.
If this is what you see then return to conf mode, (conf T) and issue the following commands on the first router
int ser X
ip address 192.168.1.1 255.255.255.252
exit
int fasteth X
ip address xxx.xxx.xxx.xxx 255.255.255.0 (an address on the local network)
exit
exit
wri m
On the other router execute the same commands but give the serial interface the address 192.168.1.2 255.255.255.252. When that is done ping 192.168.1.X where X is the address of the remote router and you should see 5 successes indicated by "!"
If you cannot get "SerialX up. Line Protocol up" then check your cables and config to ensure that you are properly set up. Then call the Telco. Do _not_ let them tell you that the problem is with your equipment, (trust me... they will). One of their biggest mistakes is badly trained techs....... <sigh> A T1 usually has a minimum of 4 points where the tech can connect to to test the line, (the smartjacks, and 2 places in the central office. I suspect yours will have more). The biggest mistake they make is to enter at test point A and test towards the A end. They loop the CSU/DSU and tell you it is good. They unloop and point the other way and loop the CSU/DSU at the Z end and tell you it is good..... Then they tell you it is your problem and hang up the phone...... The Dumbass doesn't know that while he can connect to the test point and test successfully in both directions nothing, but nothing, will pass through the equipment he is testing from, 'cos it's broken. When he finishes testing the A end from the most distant test point he should disconnect from it and move to the furthest test point from Z and test Z from there.... but they don't...... You can pull your hair out for weeks if you are not careful with this one.
Good luck, and if the problem seems to be with the Telco keep us up to date..... I have a lot of experience arguing with them.......<s>
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
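Added example, not part of the original thread: a small Python triage of the two checks walked through in post #4 above, the `sh int ser X` status line and the /30 addressing of the two serial ends. The sample router output is constructed, and the meaning given to each up/down combination is the general IOS convention rather than something stated in the post.

```python
import ipaddress
import re

# Status line printed by IOS "show interfaces", e.g.
# "Serial0/0 is up, line protocol is down"
STATUS_RE = re.compile(
    r"^(?P<ifname>Serial\S+) is (?P<phys>administratively down|up|down), "
    r"line protocol is (?P<proto>up|down)", re.MULTILINE)

def triage(show_output):
    """Return (interface, verdict) for the first serial status line found."""
    m = STATUS_RE.search(show_output)
    if m is None:
        raise ValueError("no serial interface status line found")
    phys, proto = m["phys"], m["proto"]
    if phys == "administratively down":
        verdict = "interface is shut down: issue 'no shutdown'"
    elif phys == "down":
        verdict = "physical layer: check cable, CSU/DSU framing and line coding, then the telco"
    elif proto == "down":
        verdict = "line is up but layer 2 is not: check encapsulation, keepalives and clocking"
    else:
        verdict = "ok"
    return m["ifname"], verdict

def check_p2p(addr_a, addr_z, mask="255.255.255.252"):
    """Confirm both serial addresses are distinct usable hosts of one subnet."""
    a = ipaddress.ip_interface(f"{addr_a}/{mask}")
    z = ipaddress.ip_interface(f"{addr_z}/{mask}")
    if a.network != z.network:
        return f"different subnets: {a.network} vs {z.network}"
    hosts = set(a.network.hosts())
    for end in (a, z):
        if end.ip not in hosts:
            return f"{end.ip} is the network or broadcast address of {a.network}"
    if a.ip == z.ip:
        return "both ends use the same address"
    return "ok"

# Constructed sample output (not captured from a real router).
SAMPLE_A = "Serial0 is up, line protocol is up\n  Internet address is 192.168.1.1/30\n"
SAMPLE_Z = "Serial0 is down, line protocol is down\n  Internet address is 192.168.1.2/30\n"

if __name__ == "__main__":
    for name, out in (("A", SAMPLE_A), ("Z", SAMPLE_Z)):
        print(name, *triage(out))
    print(check_p2p("192.168.1.1", "192.168.1.2"))
    print(check_p2p("192.168.1.2", "192.168.1.4"))
```
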
July 18th, 2003, 04:01 PM
#5
Member
In reading the posts, I did not see where the user listed that he had any routers. I have used both the PIX 525 and 515 and both require a router since the PIX is unable to do any routing. I will assume that the physical description is something like this:
<internal network>
|
|
<PIX firewall>
|
|
<ROUTER>
|
<T1>
|
<ROUTER>
|
|
<PIX firewall>
|
|
<internal network>
Questions Posed:
1. What are the routers? Are they Cisco?
2. Are there any errors in the routers? When checking the outside interfaces of the routers, are they up?
Do you have a service agreement with Cisco on these devices? If so, you can call Cisco TAC. If not and the equipment was purchased less than 90 days ago, you can still call TAC.
-
July 18th, 2003, 04:48 PM
#6
I'm still trying to figure out why you need a pix at both ends of a point to point connection.
-
July 18th, 2003, 04:54 PM
#7
Originally posted here by thread_killer
I'm still trying to figure out why you need a pix at both ends of a point to point connection.
This, of course, is possibly why they are not able to make it work. The assumption has been that the WAN is configured in the way Infiltrator described. OTOH, if they are trying to use the PIX's as routers they are probably going to get a bit of a shock.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
July 18th, 2003, 07:07 PM
#8
Member
Indeed, if this is a point to point T-1, I am not sure why there is a PIX on both sides. For the truly paranoid, I can see some use of a PIX on one of the end points. We are going on very limited info about their network infrastructure so what we think is really just vapor. I suspect that there may not be any routers in place and they tried to connect to PIX firewalls directly to the T-1. This will not work since the PIX cannot act as a router. We can help this user more if he can answer the questions we have posed so far.
-
July 18th, 2003, 07:17 PM
#9
Inf: Methinks that the original author probably RTFM after he posted and is in the process of ordering a pair of routers, (and maybe returning the PIX's), and is not speaking to us any more for fear of embarrassment. After all, it's 18 hours since he posted and he is subscribed.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
July 18th, 2003, 07:24 PM
#10
Member
That may be the case. It was his first post. He may be really new to this and he may feel that he will get flamed if he continues to post. I personally won't flame him since he asked a good question. He did not give us enough info to really help but I think you are right. No routers....
It happens....