Re: Help Configuring a DSL conection via Pix Firewall e515

mambito20 · ‎07-03-2010

Can someone guide me on this i'm fairly new on this. i need to configure a Cisco Pix Firewall e515 to connect out to the internet via DSL. Basic Nat and DHCP, basic routing. here is my configuration. Please help me understanding how to configure this properly.

PIX Version 8.0(2)
!
hostname voyze
domain-name voyze.com
enable password mW6ETJKBd.1a9jjj encrypted
names
!
interface Ethernet0
nameif AT&T
security-level 0
ip address 74.164.6.10 255.255.255.248
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name voyze.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp eq ftp
service-object udp eq tftp
object-group service DM_INLINE_SERVICE_1
service-object tcp eq ftp
service-object udp eq tftp
access-list inside_access_in extended permit tcp any 68.164.6.8 255.255.255.248 object-group DM_INLINE_TCP_1
access-list AT&T_access_in extended permit tcp any any object-group DM_INLINE_TCP_3
access-list AT&T_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in_1 extended permit tcp any any object-group DM_INLINE_TCP_2
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any any
access-list inside_nat0_outbound extended permit ip 74.164.6.8 255.255.255.248 any
pager lines 24
logging enable
logging asdm informational
mtu AT&T 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (AT&T) 101 192.168.1.1-192.168.1.200 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 74.164.6.8 255.255.255.248
access-group AT&T_access_in in interface AT&T per-user-override
access-group inside_access_in_1 in interface inside per-user-override
route AT&T 0.0.0.0 0.0.0.0 74.164.6.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 68.94.157.1 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
   inspect dns preset_dns_map
inspect ftp
inspect h323 h225
   inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
   inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:51ef296083714caa6c753b0867bcf405
: end

Marcin Latosiewicz · ‎07-03-2010

Alex,

Here's the configuration guide:

https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/conf_gd.html

It's for ASA but most configuration is same for PIX 8.0

Note that PIXes and ASAs have only Ethernet (RJ-45 or SFP) connectors. Typically your DSL SP will provide you a RJ-11. You can however do PPPoE on ASA/PIX.

Let me know what you want to do exactly so I may be a bit more specific. Most of the stuff is there in the config guide.

Marcin

mambito20 · ‎07-03-2010

Thanks for replying..

This is what i need the pix to do.

1. configure the pix so that it will connect to the internet

2. AT&T is my Dsl Provider.

3. the pix is configured. but is not going out to the internet.

Please Take a look at my config and tell me whats missing. this should be straight forward connection. but is not working.

Thanks.

Marcin Latosiewicz · ‎07-03-2010

Alex,

Are you able to ping anything on the internet from PIX?

(Note: you might need to add "icmp perm any outside" to config)

Note that your NAT seems screwed up. I'll add an edit soon with suggestions.

edit:

no access-list inside_nat0_outbound extended permit ip 74.164.6.8 255.255.255.248 any
no global (AT&T) 101 192.168.1.1-192.168.1.200 netmask 255.255.255.0
no nat (inside) 0 access-list inside_nat0_outbound
no nat (inside) 101 74.164.6.8 255.255.255.248

nat (inside) 1 0 0

global(AT&T) 1 interface

This should make sure that all traffic from inside is being PATed to outside interface's IP address.

edit 2:

If you want to test ICMP from inside to internet add "fixup proto icmp"

mambito20 · ‎07-07-2010

im still runinng into problems. below is my config can you tell me what to change to connect to the Internet?

: Saved
: Written by enable_15 at 21:13:54.534 UTC Wed Jul 7 2010
!
PIX Version 8.0(2)
!
hostname pixfirewall
enable password mW6ETJKBd.1a9jjj encrypted
names
!
interface Ethernet0
nameif Outside
security-level 0
ip address 74.164.6.10 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list inside_access_in extended permit tcp any any eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
route inside 0.0.0.0 255.255.255.0 74.164.6.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tftp-server inside 192.168.1.22 /cisco
prompt hostname context
Cryptochecksum:

44e94eadfa2d05328020ce6ec29eb580

Marcin Latosiewicz · ‎07-07-2010

Alex,

I would definetly change that route:

route inside 0.0.0.0 255.255.255.0 74.164.6.9 1

to

route inside 0.0.0.0 0.0.0.0 74.164.6.9 1

Secondly:

access-list inside_access_in extended permit tcp any any eq www

You should at least also allow DNS! For your users to be able to browse internet!

But honestly do not apply inbound accless-list on inside interface unless you don't need it.

I don't see any NAT configuration .. so your inside users will not be NATed when going out to the internet.

nat (inside) 100 0 0

global (outside) 100 interface

That should take care of NAT.

Once you apply those changes please apply my sugestions from posts below (pinging fromPIX itself to test connectivity to internet etc)

Marcin

mambito20 · ‎07-08-2010

Hello Marcin,

I'm still working it out. this time i added ppoe . can you please assist. or do you think you can help me offline with this?

Please from the kindness of your heart.

this is the config i have by adding ppoe. what do you think?

Also keep in mind i am using ASDM to configure the box. thanks

Result of the command: "show running-config"

: Saved
:
PIX Version 8.0(2)
!
hostname pixfirewall
enable password mW6ETJKBd.1a9jjj encrypted
names
!
interface Ethernet0
nameif Outside
security-level 0
pppoe client vpdn group AT&T
ip address pppoe
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup Outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 68.94.156.1
name-server 68.94.157.1
access-list inside_access_in extended permit tcp any any eq www
pager lines 24
logging asdm informational
mtu Outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 74.164.6.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group AT&T request dialout pppoe
vpdn group AT&T localname rafaelpadilla4953@att.net
vpdn group AT&T ppp authentication pap
vpdn username mert2010stw@att.net password *********
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tftp-server inside 192.168.1.22 /cisco
prompt hostname context
Cryptochecksum:ccc2eb63ab1f84b377509e0e80768326
: end

Marcin Latosiewicz · ‎07-08-2010

Alex,

Considering that we're in different timezones it might be a problem - I'm usually checing forums late at night :-)

Few notes, provided that your pppoe is working I would do this:

-------

interface Ethernet0

ip address pppoe setroute
-----

Now with this in place ASA should put a default route based on what we negotiate via pppoe. 
So you might as well remove old route:
-----
no route inside 0.0.0.0 0.0.0.0 74.164.6.9 1
------

On old bug quite good guide:
http://cisco.biz/en/US/products/ps6120/products_configuration_example09186a0080ab7ce9.shtml
(Both CLI and ASDM)

Marcin