02-28-2006 05:41 AM - edited 02-21-2020 12:44 AM
We have a remote site that needs to VPN into our network. Since the sessions they use are mostly telnet, we went with a DSL line from a local ISP. For firewalling we use a PIX 506 with Ver 6.3 of the software. Our ISP provided us with a static IP for this site. The problem is that the PIX will not obtain the IP address from the ISP through DHCP. If we hook a laptop to the DSL modem then the internet light on the DSL modem comes on; we then unhook the laptop and plug the PIX in to the DSL modem and everything works fine until the DSL line goes down. We then must make a trip to the remote site to hook up the laptop to get the internet light, then plug the PIX back in. I know the PIX can obtain a DHCP address since I've hooked it up to a Windows server and also ran a freeware DHCP program on the laptop, and in both instances the PIX obtains the IP address. But when it is hooked to the DSL modem, the PIX comes back that it cannot obtain an address. I've tried hard coding the IP address provided by the ISP into the PIX but the internet light will not come on and there is still no connectivity. I recently placed a new PIX 501 on the line and it will not bring up the internet light nor obtain an IP address. Any suggestions?
03-01-2006 04:36 AM
Hi
What kind of cable are you using to patch the DSL modem to the PIX firewall port?
Also, what kind of port is provided on the DSL modem?
I feel in your case both connectivity and DHCP IP seem not to be working fine.
Can you post the config of your PIX firewall so that it can be checked for the DHCP client configuration?
regds
03-02-2006 11:12 AM
I believe it is a straight-through Cat 5 cable. I use the same cable with both the PIX and my laptop to connect to the DSL modem. In any case, once the DSL modem has the DSL light on, I can unplug the laptop, plug in the PIX and everything works fine, so I don't feel it is a cable issue. I've set both the DSL modem and PIX eo interface to 10 Mbps half duplex just in case it was an autonegotiation issue, but the PIX is still not able to obtain the assigned IP address on its own.
03-01-2006 09:47 AM
PIX firewalls do not work with DSL like they do with cable modem. DSL works over PPPoE and you have to set up a session on the PIX with the username and password the ISP gives you, or the one you used for setting up the laptop.
Instead of trying to get a static IP from the DSL provider, try attaching something like a D-Link or Linksys after the DSL modem, then attach your laptop to make sure you have an internet connection. This is what most people have at home... DSL to Linksys (I just use this name because I have it, but also have a boss with D-Link).
Once you have it setup, then plug patch cable from one open port on your cable modem router to Outside interface of the PIX. Pix will get IP outside from your CM (Cable Modem) router, but will keep all the internal dhcp and dns and other settings on the inside.
For DNS on the Pix (inside) set it to 4.2.2.1 or your ISP dns or even your company outside DNS if you have one. Plug your laptop to PIX 501 one of the open internal port and refresh the IP (ipconfig). You should be getting IP of your internal DHCP on Pix (if you have one setup).
From there on, you should be on the internet. If you have dynamic2static VPN set up, open RDP on your laptop that is connected to the PIX and try connecting to the IP of the server on your end (could be your PC at work). If the VPN is set up correctly, you will see the VPN green light come on and you will have a VPN session.
Long story short... A cable modem will work with the PIX just fine by plugging it in directly; however, DSL does not. When you set up DSL, you have to attach one computer to the DSL directly, load the software the DSL vendor gives you and initialize the connection. That connection is PPPoE. So this is a quick fix to end the nightmare with DSL.
However, if you feel like spending extra time setting up PPPoE on the PIX outside interface (that is a fairly easy process with 4 or 5 lines of code) you can do that too. The problem may be that whoever set up the DSL connection from the beginning may have forgotten the user ID and password they used for the original connection.
Hope this helps, and I know it works, because I just went through it this week setting up ASA5500's to PIX 501 and PIX 506 dynamic2static.
Vadim.
03-02-2006 11:07 AM
I guess I should have explained a little more. The ISP set up the DSL modem so that "you do not need to use a username and password to get the PPPOE operational" (That's What they told me). My laptop has no special software to bring up the DSL line. I just plug it in and it obtains the static IP address. I thought perhaps it was a timing issue on the PIX so I set the DHCP to retry 15 times before it would stop trying but that didn't help. For security reasons we want the Static IP since the PIX is setting up a point-to-point VPN to our central location. Also DSL is about 20 to 30 per month cheaper than cable modem.
04-06-2006 05:26 AM
OK folks, found the answer after several weeks of work. The DSL modem that the ISP uses has the PPPOE location set to the DSL modem, meaning the PPPOE username and password are stored on the modem. The DSL modem connects to the ISP, passes the username and password, then obtains the static IP from the username and password. After finally getting to the right person at my ISP, he stated that no, in order for the PIX or a router to work, they must be the ones to bring up the PPPOE session, not the DSL modem. After he walked me through what parameter to change (change from PPPOE Location on Modem to PPPOE Location on Computer) and I set the PIX to use PPPOE and gave it the username and password, all is Okley Dokley. Just an FYI for anyone else who runs into this.
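Added example, not part of the original thread and not the poster's actual configuration: the change described in the resolution above, written out as PIX OS 6.3 commands, with the DHCP client line from the first post shown (commented out) beside the PPPoE client commands that replace it. The group name `pppoe_isp`, the credential placeholders and the choice of PAP are assumptions; the ISP determines the real username, password and authentication type.

```cisco
: Constructed example for PIX OS 6.3. Group name, credentials and
: authentication type are placeholders/assumptions, not values from the thread.
:
: Before: outside interface configured as a DHCP client with 15 retries,
: the setup from the thread that never obtained an address from the modem.
: ip address outside dhcp setroute retry 15
:
: Prerequisite from the thread: the ISP changes the modem parameter from
: "PPPOE Location on Modem" to "PPPOE Location on Computer", so the PIX,
: not the modem, brings up the PPPoE session.
:
: After: define a VPDN group for PPPoE dial-out and bind the ISP credentials.
vpdn group pppoe_isp request dialout pppoe
vpdn group pppoe_isp localname ISP_USERNAME_PLACEHOLDER
vpdn group pppoe_isp ppp authentication pap
vpdn username ISP_USERNAME_PLACEHOLDER password ISP_PASSWORD_PLACEHOLDER
:
: Enable the PPPoE client on the outside interface; setroute installs the
: default route supplied by the ISP's access concentrator.
ip address outside pppoe setroute
:
: Verification once the DSL line is up:
: show vpdn session pppoe state
: show ip address outside pppoe
```

Because the PIX now holds the PPPoE credentials and re-establishes the session itself, recovery after a DSL drop no longer depends on another device bringing the line up first; the credentials live in the firewall configuration, so backups of that configuration need the same protection as the VPN pre-shared key.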