11-12-2010 06:33 PM - edited 03-11-2019 12:08 PM
Hey guys, I'm configuring a PIX 501 for my office. The firewall will be connected to my router. Anyway, my company has no static IPs. All our outgoing traffic is assigned IPs by our ISP. So, can someone take a look at my config below and see if it'll work? Thanks in advance. The default gateway is 192.168.3.254 and our internal hosts are assigned IPs by our DHCP server at 192.168.3.200.
ip address outside 0.0.0.0 255.255.255.255
ip address inside 192.168.3.1 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.3.254
I'm using IOS 6.1(4).
11-12-2010 06:53 PM
Hilmy, you cannot hairpin traffic on a 6.x PIX. I'm not sure what you're trying to do with the PIX... Shouldn't the router be connected to the outside interface? Do you have a topology diagram? -Magnus
11-12-2010 07:48 PM
Hi Magnus, yes, the router is connected to the firewall's outside interface (e0) and the firewall's inside interface (e1) is connected to the switch. I just changed the PIX outside interface to 192.168.3.253/24 and the inside interface to 0.0.0.0 255.255.255.255. My inside hosts are in the 192.168.3.0/24 network. Currently, I have no internet if I put in the firewall but if I connect the router directly to the switch, there is internet. I've attached a network diagram.
ip address outside 192.168.3.253 255.255.255.0
ip address inside 0.0.0.0 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.3.254
11-12-2010 08:10 PM
Hilmay, you cannot have the same subnet on both sides. You will have to change the IP of the router or the hosts. Set the inside IP of the PIX to be 3.254 and then change the router to be 192.168.4.254 and the outside of the PIX to 192.168.4.1. Set the default route of the PIX to be the router. - magnus
11-13-2010 06:46 AM
Here is what Magnus is asking you to do. Since the inside DHCP and other hosts are already configured, you should change the PIX's outside interface IP and the router's IP address.
You should keep inside and outside on completely different subnets.
topology:
inside hosts--192.168.3.x---(192.168.3.253/inside)--PIX--(outside/192.168.4.253)---(192.168.4.254)router----internet
On the pix make the following changes:
ip address outside 192.168.4.253 255.255.255.0
ip address inside 192.168.3.253 255.255.255.0
route outside 0 0 192.168.4.254
On the router change the following under the interface section:
ip address 192.168.4.254 255.255.255.0
-KS
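The addressing rule from the replies above (inside and outside on different subnets, default route pointing at the router on the outside subnet) can be checked mechanically before a config is loaded. This is an added example, not part of any poster's reply; the function name, the finding codes and the SAME_SUBNET sample config are assumptions constructed for illustration.

```python
import ipaddress
import itertools
import re

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) \S+ \S+ (\S+)")

def check_pix_addressing(config):
    """Return (code, detail) findings for PIX 'ip address' and 'route' lines."""
    ifaces, routes, findings = {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := IP_RE.match(line):
            name, ip, mask = m.groups()
            iface = ipaddress.ip_interface(f"{ip}/{mask}")
            if iface.ip.is_unspecified:
                findings.append(("NO_ADDRESS", f"{name} has no usable address"))
            else:
                ifaces[name] = iface
        elif m := ROUTE_RE.match(line):
            routes.append((m.group(1), ipaddress.ip_address(m.group(2))))
    # Point made in the thread: inside and outside need different subnets.
    for (a, ia), (b, ib) in itertools.combinations(ifaces.items(), 2):
        if ia.network.overlaps(ib.network):
            findings.append(("SAME_SUBNET", f"{a} and {b} share {ia.network}"))
    # The next hop must be a neighbour on the interface the route names.
    for name, gw in routes:
        iface = ifaces.get(name)
        if iface is None or gw not in iface.network or gw == iface.ip:
            findings.append(("BAD_GATEWAY", f"{gw} is not reachable on {name}"))
    return findings

# Config from the first post in the thread.
FIRST_POST = """ip address outside 0.0.0.0 255.255.255.255
ip address inside 192.168.3.1 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.3.254"""

# Constructed sample: both interfaces placed in the hosts' 192.168.3.0/24.
SAME_SUBNET = """ip address outside 192.168.3.253 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.3.254"""

# Addressing from the reply above.
SUGGESTED = """ip address outside 192.168.4.253 255.255.255.0
ip address inside 192.168.3.253 255.255.255.0
route outside 0 0 192.168.4.254"""

if __name__ == "__main__":
    for label, cfg in [("first post", FIRST_POST), ("suggested", SUGGESTED)]:
        print(label, check_pix_addressing(cfg))
```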
11-13-2010 06:53 AM
Yeah, I understood what Magnus meant. Thanks Magnus and Sankar. Will do the necessary changes once I'm in the office on Monday coz I don't have the password for the router. It's not a Cisco router so I can't recover the password. If it was, I could have. I'll get the password from my boss on Monday. Once again, thanks guys!