topic Re: PIX 501 and Actiontec DSL in Network Security

PIX 501 and Actiontec DSL

as1207dc01 — Mon, 11 Mar 2019 11:46:56 GMT

Hi, hi, hi

I am new to Cisco product, the business I work for is small business and we use other cheaper netwok gears. By 2009 we are planning to move to a new building, by then IT will make a switch to Cisco products including VOIP. Just to get ready for 2009 network gear upgrade we have bought PIX 501 and catalyst 2950 to build our lab, routers will be coming soon. Here is my question, I found info on line and configured the PIX, I am able to get IP address from it (DHCP) but unable to go online. The DSL which is infront of the pix is a gateway but I am unable to set the gateway on the pix, unable to remove the http address + unable to log on using http, unable to delete/remove access list, ip local loop, and vpn group. For more info please the attached config. Hey, I don't mind starting from scratch, I tried it once but didn't remove all the config for some reaseon...I really do appreciate your help.

Thank you,

Re: PIX 501 and Actiontec DSL

JORGE RODRIGUEZ — Fri, 11 Jan 2008 22:03:23 GMT

Amenti, I have a question for you, is this a PIX that you received with previous owner configuration? and that you actually want to remove some of its configuration or don't mind to start from scratch, if so I would recommend to start from scratch, clean up the configuration of it.

You may do it in two ways

1- Set the firewall to factory-defaults settings .

PIX(config)#configure factor

PIX(config)#configure factory-default 10.10.10.1 255.255.255.0

the above example will instruct fw to reset to factory defualts with your inside interface IP address of 10.10.10.1/24

as well as create DHCP pool for your inside hosts on the 10.10.10.0/24 network , but if you do not want this you can simply do configure factory-default command by itself. I recommend this method.

2- erase its configuration

PIX(config)#write erase

then reload firewall with reload command.

once you have pix config clean the outside interface will be set for DHCP

to get outbound connectivity pix should have

these two statements

global (outside) 1interface

nat (inside) 1 0 0

to administer PIX from telnet and http

PIX(config)#http server enable

PIX(config)#http 0.0.0.0 0.0.0.0 inside

PIX(config)#telnet 0.0.0.0 0.0.0.0 inside

[edit} make sure you set the enable password on the pix.

PIX(config#enable password xxxx

where xxxx is the password chosen,

and save your configuration with write mem

Rgds

Jorge

Re: PIX 501 and Actiontec DSL

as1207dc01 — Mon, 14 Jan 2008 19:04:47 GMT

I took your instruction and went furthur than befire, how ever I got stuck at (global (outside) 1interface

nat (inside) 1 0 0 )config, would you please be a little specific how you set that up? I tried typing it on on the command interafe as it but did not work...Thank you for your help.

Re: PIX 501 and Actiontec DSL

JORGE RODRIGUEZ — Mon, 14 Jan 2008 19:13:45 GMT

Sure Amenti, if you could reply with what you have currently in you PIX configuration to see it we can help better.. if you did the factory default-settings method global nat and nat inside is default configuration of PIX from a factory default settings, so you do not need to configure it, if you did the write erase then you have to configure it. You may issue "show run " and post configuration here or you may issue show run and see if you already have it in the configuration.

Console to the PIX and go to enable mode and configue terminal

e.g

PIX>enable

PIX#config t

PIX(config)#global (outside) 1 interface

PIX(config)#nat (inside) 1 0.0.0.0 0.0.0.0

Rgds

Jorge

Re: PIX 501 and Actiontec DSL

as1207dc01 — Mon, 14 Jan 2008 20:28:25 GMT

You know what,I really do appreciate your help.

I attached the current config, I also have issue getting to the pix using the web. I enabled the http (IP address)but I am unable to get to it.

FYI: I also have Actiontec DSL with five static IP address, that might give you the picture how I am trying to config this pix...Thank you.

Re: PIX 501 and Actiontec DSL

JORGE RODRIGUEZ — Mon, 14 Jan 2008 20:53:50 GMT

Ok I see better, you have inside interface configured with 10.248.134.1 255.255.255.0, so far this is good as long your inside network is this subnet 10.248.134.0/24 , if this is correct is your PC connected to a switch or something that also have an Ip address on the same segment? e.g your PC could posibly have 10.248.134.100 as an example and the PC's default gateway should be the firewall's inside IP address 10.248.134.1 , if this is what you inside looks like you should be able to ping PIX inside interface if successfull then load the browser and issue https://10.248.134.1

you should be able to see a pop up authentication accept all certificates, once you get username and password just enter enable password you configured in PIX, leave user name blank. Get this part 1st to move onto the outside interface configurations and defualt route as well for outbound internet connectivity.

BTW, to show your appretiation in our help you can always use the rating system within the messaging window.

Rgds

Jorge

Re: PIX 501 and Actiontec DSL

as1207dc01 — Mon, 14 Jan 2008 22:23:12 GMT

Cool, I am able to browse the pix. However I am still unable to browse the internet. When I configured the DSL modem, I was told by Qwest support to configure PPOE, and that what I applied on the pix as well. I hate to bother you but your help seems to get me moving...Thanks.

Re: PIX 501 and Actiontec DSL

JORGE RODRIGUEZ — Mon, 14 Jan 2008 23:25:57 GMT

Sorry, I steped out and need to do it again but will come back.

Do this on commmand line , also you can do this through PDM.. bring up the interface outside , assuming you are using dynamic IP given from ISP provider, if static please let me know as you have to configure static ip on outside interface if static.If not static and Dynamic do this process.

pix>enable

config t

ip address outside dhcp retry 10

once you have enter this configuration do show interface to see if outside interface has obtained dynanic IP address, and write down the ip address, if you are successfull then you need to place a defaul route in pix.

e.g

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

where x.x.x.x is ISP router next hop address.

If you are using static then just as you configured an IP address for inside interface configure the outside interface with the Ip address the ISP gave you for your outside interface.

For your default route you need to know next hop router IP address which is your ISP router WAN interface, if you know that then your default route shoudl point to ISP router as example above.

route outside 0.0.0.0 0.0.0.0 ISP_Router 1

Let me know how it goes.

Rgds

Jorge

Re: PIX 501 and Actiontec DSL

as1207dc01 — Tue, 15 Jan 2008 16:01:08 GMT

Thank you for your extrimley great support, now I feel comfortable setting this firewall. Is this configuration process similar with other higher level cisco firewalls? My next project is to set VPN, but don't know where I can get the cisco vpn client to test it. ...Please check my config and let me know if I need to do comment/suggestion when you get a chance.... Thank you again,

Re: PIX 501 and Actiontec DSL

JORGE RODRIGUEZ — Tue, 15 Jan 2008 16:44:51 GMT

Amenti, thank you for the rating I realy appretiated , config looks fine, as far as seting Remote access VPN that is not problem, I would suggest though to start a new subjet thread in this same forum with how to setup Remote Access VPN on PIX 501 to keep it separate from this initial PIX implementation project, I or any netpro will provide help.

Rgds

Jorge