PIX 501 Basic Config

shoesbologna
Level 1

I'm trying to set up some internet service for some service members here in Afghanistan. We are using commercial internet (provided through satellite) to a modem that goes into my PIX 501 firewall.

The service that we've purchased gives us 29 IPs, and right now I have it configured as follows.

Modem Gateway: 10.124.48.1

Outside Firewall: 10.124.48.2

Inside Firewall: 192.168.1.1

Global NAT pool: 10.124.48.3 - .30 (the rest of the IPs that are part of the package)

Inside host pool: 192.168.1.2 - .33

DNS for inside clients: 192.168.130.30, .50

Everything seems OK, as I've been using the PDM software to enable all IP traffic from the outside to the inside (I know that it's not the safest thing to do ~ and the fact that I've turned a $700 firewall into a $40 router). I can browse the internet, but it acts really weird.

For example:

I can ping www.msn.com, and msn.com, and it resolves it both times,

But if I put msn.com in Internet explorer, it says page cannot be displayed, but if I hit refresh like five times, it’ll come up. If I browse away from the page, and then try to type in msn.com again (in the same window) I have to hit refresh 5 times again, to get the page to come up.

But, if I type in www.msn.com it usually comes right up.

Even when it says that the page cannot be displayed, I have the pinger running in the background ~ so I know that I can get to it. Weird huh?

I also have a question about the licenses. When I get the PIX firewall information, it says "Inside Hosts: 10" but it lets me have 32 IPs for the inside hosts. Does that mean that I'm going to have problems when I get more than 10 users going through the firewall? Or can I have as many hosts as IPs?

Thanks in advance for all of the help.


7 Replies

Patrick Iseli
Level 7

I guess 2 things:

1.) It looks like timeout problems from your ISP. The satellite connection might have a delay. How does it react with http://www.google.com? MSN is not really a good point to measure. What are the ping, tracert, traceroute delays, if you have permitted this on the PIX?

2.) Change your DNS fixup to unlimited, to see if you may get long DNS packet responses that are dropped on the PIX.

example:

conf t
# Default value is:
fixup protocol dns maximum-length 512
# Change it to:
fixup protocol dns
# or:
fixup protocol dns maximum-length 2048

Change your logging and troubleshooting features:

no fixup protocol http 80
logg on
logging timestamp
logg buff info
show logg

# Enable icmp and access-list for ping, traceroute from internal hosts:
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit 192.168.1.0 255.255.255.0 echo inside
access-list outside permit icmp any interface outside unreachable
access-list outside permit icmp any interface outside time-exceeded
access-list outside permit icmp any interface outside echo-reply
access-group outside in interface outside

3.) License issue:

Q: Does that mean that I’m going to have problems when I get more than 10 users going through the firewall?

A: 10-User License

The Cisco PIX 501 10-user license supports up to 10 concurrent source IP addresses from your internal network to traverse through the Cisco PIX 501. The integrated DHCP server supports up to 32 DHCP leases. As your needs grow, both 50 user and unlimited user upgrade licenses are available, allowing you to extend your investment in Cisco PIX 501 equipment.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b18.html

sincerely

Patrick
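To make the second point concrete, here is an added Python model (not code from this thread and not Cisco code) of the length check that the `fixup protocol dns maximum-length N` setting applies to a DNS reply. It constructs its own DNS responses for msn.com (the 198.51.100.x addresses are documentation addresses made up here, not real MSN records) and applies the three fixup lines from the reply above: a short reply passes at the default 512 bytes, while a reply carrying many A records is dropped at 512 and passes at 2048 or with no limit. Reading a bare `fixup protocol dns` as "unlimited", and dropping any reply longer than the limit, are this model's assumptions about the behaviour described above.

```python
"""Model of the PIX 'fixup protocol dns' length check (added example, not thread or Cisco code).

The DNS replies below are constructed in this script, not captured from the network."""
import struct
from typing import Dict, List, Optional

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
FLAG_TC = 0x0200                        # truncation bit in the flags word


def encode_name(name: str) -> bytes:
    """Encode 'msn.com' as DNS labels: \\x03msn\\x03com\\x00."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_a_reply(name: str, addresses: List[str], txid: int = 0x1234) -> bytes:
    """Construct a standard DNS reply with one A record per address."""
    header = DNS_HEADER.pack(txid, 0x8180, 1, len(addresses), 0, 0)  # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", 1, 1)            # type A, class IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + question + answers


def parse_fixup_line(line: str) -> Optional[int]:
    """Return the byte limit from a 'fixup protocol dns [maximum-length N]' line.

    A bare 'fixup protocol dns' (no maximum-length) is treated as unlimited,
    which is how the reply above uses it; this mapping is an assumption."""
    tokens = line.split()
    if tokens[:3] != ["fixup", "protocol", "dns"]:
        raise ValueError("not a dns fixup line: %r" % line)
    if len(tokens) == 3:
        return None
    if len(tokens) == 5 and tokens[3] == "maximum-length":
        return int(tokens[4])
    raise ValueError("unrecognised dns fixup syntax: %r" % line)


def fixup_verdict(packet: bytes, max_len: Optional[int]) -> Dict[str, object]:
    """Apply the length check to one reply; 'drop' when it exceeds the limit."""
    _, flags, _, ancount, _, _ = DNS_HEADER.unpack_from(packet, 0)
    verdict = {
        "length": len(packet),
        "answers": ancount,
        "truncated": bool(flags & FLAG_TC),
        "action": "pass",
    }
    if max_len is not None and len(packet) > max_len:
        verdict["action"] = "drop"
    return verdict


# Constructed sample replies: a small one and one padded with 40 A records (665 bytes).
SHORT_REPLY = build_a_reply("msn.com", ["198.51.100.1"])
LONG_REPLY = build_a_reply("msn.com", ["198.51.100.%d" % i for i in range(1, 41)])

FIXUP_LINES = [
    "fixup protocol dns maximum-length 512",   # PIX default
    "fixup protocol dns",                      # unlimited
    "fixup protocol dns maximum-length 2048",
]


def demo() -> Dict[str, Dict[str, str]]:
    """Map each fixup line to the action taken on the short and the long reply."""
    results = {}
    for line in FIXUP_LINES:
        limit = parse_fixup_line(line)
        results[line] = {
            "short": fixup_verdict(SHORT_REPLY, limit)["action"],
            "long": fixup_verdict(LONG_REPLY, limit)["action"],
        }
    return results


if __name__ == "__main__":
    print("short reply: %d bytes, long reply: %d bytes" % (len(SHORT_REPLY), len(LONG_REPLY)))
    for line, outcome in demo().items():
        print("%-42s short=%s long=%s" % (line, outcome["short"], outcome["long"]))
```

The intermittent behaviour James sees fits this model: the name whose reply happens to exceed the limit is dropped, the client retries, and a different (smaller) reply or a cached answer eventually gets through. Raising the limit is the quick fix; the log buffer enabled in the reply above is where the drops would show up.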

Patrick,

Thank you for your quick reply.

I think that I currently have everything enabled as I have a permit from outside to inside, using the IP protocol.

I didn't try the www thing with google, but that will be my next test. I'm also going to try hooking directly into the ISP modem (via crossover) and see if I'm still having the same problems.

I've also tried to figure out how to use the GUI to view the logs, but I can't seem to figure it out.

License problem ~ I didn't quite understand what you/Cisco are saying. Does that mean that I can DHCP 32 IPs, but only 10 clients can pass traffic between the inside and outside?

I'm going to try some of the stuff that you suggested and then post a config. Which cmd results do you recommend I post?

-James

Yes, if you have a 10 user license on your PIX 501 then you cannot have more than 10 hosts connecting to the internet at the same time!

To see your log on the PIX, connect the blue console cable on your PIX to your PC serial port. Open HyperTerminal or MINICOM and set 9600/N/1. This connects you on the console port.

# Log in to enable mode
enable
# show log
show logg
# enter configuration mode
conf term

By the way, it might not be a good idea to open "ip any any" on the outside interface, as your PC will be fully open (exposed) to the Internet if a static mapping is configured.

Anyway, the inside network has full access to the internet, if you have not configured an access-list on the inside interface that restricts those connections.

sincerely

Patrick
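As an added example tied to the warning above (not code from this thread and not Cisco code), the Python script below parses access-list lines in the PIX 6.x syntax used in this thread and evaluates constructed packets against two policies: the "ip any any" outside rule James described, and the return-ICMP-only rules from the first reply. The interface addresses are the ones from the thread; the source 203.0.113.9 and the destination 10.124.48.5 (assumed to be a global-pool address with a static mapping to an inside PC) are constructed. The evaluator is first-match with the implicit deny at the end, and it models only source, destination, protocol and ICMP type, not ports, NAT or connection state.

```python
"""Evaluate PIX 6.x style access-list lines against constructed packets.

Added example, not from the thread and not Cisco code. Models first-match
semantics with the implicit deny at the end; no ports, no NAT, no state."""
import ipaddress
from typing import Dict, List, Tuple

# Interface addresses from the thread; used to resolve the 'interface <name>' keyword.
INTERFACE_ADDRS = {"outside": "10.124.48.2", "inside": "192.168.1.1"}

AddrSpec = Tuple[int, int]  # (network as int, mask as int)


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse one address spec at tokens[i]: any | host A | interface NAME | A MASK."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1
    if tok == "host":
        return (_ip(tokens[i + 1]), 0xFFFFFFFF), i + 2
    if tok == "interface":
        return (_ip(INTERFACE_ADDRS[tokens[i + 1]]), 0xFFFFFFFF), i + 2
    return (_ip(tok), _ip(tokens[i + 1])), i + 2


def parse_acl(lines: List[str]) -> Dict[str, List[dict]]:
    """Group 'access-list NAME permit|deny PROTO SRC DST [ICMP-TYPE]' lines by name."""
    acls: Dict[str, List[dict]] = {}
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        icmp_type = t[i] if proto == "icmp" and i < len(t) else None
        acls.setdefault(name, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst, "icmp_type": icmp_type}
        )
    return acls


def _matches(spec: AddrSpec, addr: str) -> bool:
    net, mask = spec
    return (_ip(addr) & mask) == (net & mask)


def evaluate(acl: List[dict], pkt: dict) -> str:
    """Return 'permit' or 'deny' for a packet dict with proto, src, dst, optional icmp_type."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not _matches(ace["src"], pkt["src"]) or not _matches(ace["dst"], pkt["dst"]):
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.get("icmp_type"):
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every access-list


# The wide-open policy the original poster described, and the return-ICMP-only
# policy from the first reply in the thread.
WEAK_ACL = ["access-list outside permit ip any any"]
HARDENED_ACL = [
    "access-list outside permit icmp any interface outside unreachable",
    "access-list outside permit icmp any interface outside time-exceeded",
    "access-list outside permit icmp any interface outside echo-reply",
]

# Constructed packets arriving on the outside interface (addresses are made up).
PACKETS = {
    "ping reply to firewall": {"proto": "icmp", "src": "203.0.113.9",
                               "dst": "10.124.48.2", "icmp_type": "echo-reply"},
    "ping request to firewall": {"proto": "icmp", "src": "203.0.113.9",
                                 "dst": "10.124.48.2", "icmp_type": "echo"},
    "tcp to static-mapped pc": {"proto": "tcp", "src": "203.0.113.9",
                                "dst": "10.124.48.5"},
}


def compare() -> Dict[str, Dict[str, str]]:
    """Verdict per packet under the weak and the hardened outside ACL."""
    weak = parse_acl(WEAK_ACL)["outside"]
    hardened = parse_acl(HARDENED_ACL)["outside"]
    return {name: {"weak": evaluate(weak, p), "hardened": evaluate(hardened, p)}
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in compare().items():
        print("%-26s weak=%-6s hardened=%s" % (name, verdict["weak"], verdict["hardened"]))
```

The difference between the two policies is exactly the exposure described above: under "ip any any" the unsolicited TCP packet to the statically mapped address is permitted, while the return-ICMP-only list admits just the replies the inside hosts need for ping and traceroute and lets the implicit deny handle everything else.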

Patrick,

Thanks for the help.

I only have a few more questions.

1) Just to make sure we're on the same page... I can DHCP 32 IPs, but only 10 connections can go through the firewall? If yes ~ would hanging a router off of the firewall sidestep this problem (i.e., have the router give IPs out, and then the firewall only sees one connection coming from the firewall?)

2) I've been trying to find out how I can purchase a bigger license... can you point me in the right direction?

3) In a "normal" world, what would the normal stuff be that I would allow that would give my users "normal" usage? (i.e., internet, IM, FTP, Java... stuff like that?) I don't want to leave any holes open.

1.) To work around the 10 host limitation on the inside network you could install another device on the inside network that does PAT - Port Address Translation, which hides all IPs behind its outside address.

All PCs -> [Router/PAT device] - [PIX Firewall] - [Router] -> Internet

2.) To buy/obtain a bigger license write a mail to:

mailto:licensing@cisco.com

Product update:

PIX-501-SW-10-50= PIX 501 10-to-50 user upgrade software license = about $340 US

PIX-501-SW-10-UL= PIX 501 10-to-unlimited user upgrade software license = about $400 US

3.) Normal world blocking policy depends on your Company Security Policy; someone has to define one. A lot of companies trust their employees and allow all traffic outgoing. Might be good to block P2P traffic, multimedia streaming stuff, but this is not possible with OS 6.3.4 Release. You have to wait for PIX OS 7.0, which is not available for PIX 501.

sincerely

Patrick

Patrick,

Thanks again for your reply. That is exactly what I was looking for.

I have one more question though.

Is there a reason that you have a router before the internet? Right now I have the firewall directly connected to the modem (of the ISP) and am wondering what another router would do for the service I provide, or does it help getting around the 10 user license thing?

The router before the internet was just an example.

This could be, as in your case, an ADSL modem, cable modem, ADSL router or whatever it takes to connect to the internet.

No, this will not help to get around the 10 user limitation.

sincerely

Patrick
