07-04-2006 11:45 AM - edited 02-21-2020 01:01 AM
I am getting more help on this forum than from BT itself; they are so unhelpful it is unbelievable.
Thank you everyone who helped earlier and will help now :)
My very recent post on this forum was:
" Cisco 3750--cisco Pix 515 E --- Cisco 877"
***********************
pix config attached with the message
**********************
Now, as you see, I have been advised by experts here on that post that all I need is this config:
*** extract from my earlier post ****
!
bridge irb
!
!
interface Ethernet0
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
 hold-queue 100 out
!
!
interface ATM0
 description ADSL interface
 ip address 1.1.1.6 **** edited line **
 no atm ilmi-keepalive
 dsl operating-mode auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 pvc 0/35
!
**************************
I have edited one line, which is the IP address on the ATM interface.
So would that make this PIX and the Cisco 877 work, and is this design safe to use and of course stable, as we use a static IP address on the 877 router as well?
cheers
07-04-2006 11:50 AM
With the bridging you will not need an ip address on the 877. The 877 simply replaces BT router for the DSL transmission. The pix would proxy-arp the IP's that you need for your external subnet.
07-04-2006 12:19 PM
Hi .. on the ADSL router you need to make sure the interface connected to the PIX has an IP address in the same range as the outside interface. The ATM IP address should be allocated either dynamically or statically. You also need to make sure you add a static route on your ADSL router for your public network range which points to the firewall outside interface. Also disable NAT on your ADSL router. To avoid problems when trying to access the Internet from your inside network, I suggest modifying the below entry on your PIX
global (outside) 1 interface to
global (outside) 1
I hope it helps ... please rate it if it does !!!
07-04-2006 12:39 PM
To be honest I am so confused with this so please bear with me.
I don't mean to offend anyone here, but the earlier post says you don't need to assign an IP address, which is concerning as we currently do have one assigned on the BT router; though I cannot access it, I know there is one as I can even ping it from the public side.
Secondly, why would I need to edit the PIX config as long as I configure the ADSL router in the correct manner, or in a similar fashion to how it works right now with the BT router?
I am sure Cisco routers can do similar or more features compared to a BT router.
I posted my PIX config primarily in case someone can post me a config for the new ADSL 877, if at all possible :)
I am still at a beginner's stage, so I am trying to get my head around all the terminology.
Further to that, I don't intend to create a new network between the PIX and the BT router (none exists currently either), so will I need to in a way share the same IP on the outside and inside interfaces of the 877??? Am I making sense? Please feel free to stop me if I am not.
cheers
07-04-2006 01:36 PM
If BT have given you a static address range (typically a /29) then you:
Remove bridging config.
put static address range on ethernet0 of the 877.
Use "ip address negotiated" on Dialer interface.
2nd IP from static address range goes on PIX.
default route from PIX points to Ethernet0 on 877.
07-04-2006 02:12 PM
You can do it either way that you are comfortable with, as long as you understand what you did. You can go the bridging route or traditional way with router as l3 device in front of the FW.
07-04-2006 08:02 PM
Hi .. let's clarify a couple of things .. are you trying to connect to the Internet as below:
local LAN->PIX->877 router->Internet
If this is correct then please answer these questions:
1.- Have you been given a public range to be used for the outside interface of the PIX or are you planning on using a private IP address ..?
2.- Are you saying that it works OK when connected
local LAN->PIX->BT router-> Internet ..?
07-04-2006 10:46 PM
Note: We have not yet purchased an 877 but are planning to do so...
The PIX has more than 5 IP addresses, i.e. the config attached earlier is a live working config ....
*.*.*.1 Outside
*.*.*.2 webserver published
*.*.*.3 SMTP published
*.*.*.4 spare
*.*.*.5 spare
*.*.*.6 BT ADSL router (default gateway for pix)
We will be replacing the BT router with a 877.
So we want to ensure the router allows all traffic and only works as the ADSL side of things, like the current BT router does.
We do not have any separate networks between the outside of the PIX and the BT router:
(LAN) Cisco 3750 -- PIX inside 10.*.*.* --- outside *.*.*.1 -- BT router *.*.*.6
All clients' default gateway is the inside of the PIX, 10.*.*.*.
I hope this answers all the queries.
cheers
07-05-2006 09:19 AM
Did we finalize a config on this?
I hope I am not being a pain :)
cheers
07-06-2006 05:22 AM
The gist of the 877 config is below, but you should add security to this.
interface Ethernet0
 ip address *.*.*.6 255.255.255.248
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer1
 ip address negotiated previous
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname BT_CHAP_USERNAME
 ppp chap password BT_CHAP_PASSWORD
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
dialer-list 1 protocol ip any
07-06-2006 06:29 AM
grant.maynard
Thank you so much for taking the time to post this config. I have rated that post as well.... :)
The way I understand the config is that I need to assign the internal eth0 interface the static IP range *.6 :) and the ADSL dialer will be on DHCP...
Everyone on the public side will still be able to find routes to our PIX or any hosted services; am I correct in saying that?
As for security, do I really need any ACLs on this router? As the PIX is intended to take care of that entirely, can we leave all ports open inbound?
cheers
07-06-2006 07:03 AM
take a look at the following link:
http://www.cymru.com/Documents/secure-ios-template.html
I would suggest you follow those instructions for your router facing the Internet.
07-07-2006 07:19 AM
yes, dialer1 will have a different IP and BT will know to route to your /28 via the Dialer1 IP. It's all set up on their AAA server.
Always put ACL on vty and SNMP. I also always disable http server and put anti-spoof (RFC whatever) ACL inbound on dialer1.
And disable unnecessary services, e.g. finger etc. The easiest thing to do here is run the 877 through SDM and follow its suggestions. Obviously you have to enable http server for this, then disable it by CLI after.
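Pulling the hardening points from this reply and the "add security to this" remark on the routed config above into one fragment for the 877: ACLs on the VTY lines and SNMP, http server off, unneeded services off, and an anti-spoof filter inbound on Dialer1. This is an added illustration, not a config from anyone in the thread; the public /29 is written as A.B.C.0/29 (A.B.C.6 on Ethernet0, A.B.C.1 on the PIX outside), and ADMIN_HOST, PLACEHOLDER_RO and example.invalid are placeholders to replace.

```ios
! Added hardening example for the routed 877 design (not a config from the
! thread). Placeholders: A.B.C.0/29 = your public range, ADMIN_HOST = the one
! inside address allowed to manage the router, PLACEHOLDER_RO = SNMP community.
!
! Services an Internet-facing router does not need
no service finger
no service pad
no ip http server
no ip http secure-server
no cdp run
service password-encryption
service tcp-keepalives-in
!
! Management plane: SSH only, and only from the admin host
! (run "crypto key generate rsa" once after setting the domain name)
ip domain-name example.invalid
ip ssh version 2
access-list 10 remark MGMT - hosts allowed to open a VTY session
access-list 10 permit host ADMIN_HOST
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
!
! SNMP: read-only and restricted to the admin host (remove if unused)
access-list 11 remark SNMP - hosts allowed to poll
access-list 11 permit host ADMIN_HOST
snmp-server community PLACEHOLDER_RO RO 11
!
! Anti-spoof filter inbound on Dialer1: a packet arriving from the Internet
! can never legitimately carry our own public range or a private/bogon source.
! Everything else is passed to the PIX, which does the real filtering.
ip access-list extended ANTISPOOF-IN
 remark our own public range must never be a source on the WAN side
 deny   ip A.B.C.0 0.0.0.7 any
 remark RFC 1918 and other non-routable sources
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 permit ip any any
!
interface Dialer1
 ip access-group ANTISPOOF-IN in
 no cdp enable
```

Check the result with "show ip access-lists ANTISPOOF-IN" after some uptime: hit counts on the deny lines show how much spoofed traffic the filter is absorbing before it ever reaches the PIX.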