05-20-2009 04:50 AM - edited 03-11-2019 08:34 AM
Hi,
I could do with a little help with some kit I've recently acquired. I have a PIX 501 with a Linksys DSL
modem (adsl2mue) between it and my ISP. The modem is a DHCP client of my ISP and DHCP server for the PIX
outside interface. The PIX inside interface is also a DHCP server. I connect a laptop to the inside
interface of the PIX.
The IP address of the modem is 192.168.1.1 and it has a web front end for configuration, resolvable at
this address via http. The modem connects (RFC 2364 PPPoA) successfully to the internet via my ISP and is
allocated an IP address. The PIX outside interface is allocated a DHCP IP address of 192.168.1.2, as
expected, by the modem. My laptop is correctly allocated an IP address 10.0.0.30 in the DHCP range of the
inside interface of the PIX.
From my laptop, I can ping the IP address of the inside interface of the PIX 10.0.0.1. I can also ping
the IP address of the modem 192.168.1.1.
I can't ping the IP address allocated to the laptop by the inside interface of the PIX (yes, from the
laptop??). I can't ping the IP address of the outside interface of the PIX. I believe I should be able to
ping both of these. I can resolve the modems web front end on my laptop in a web browser but can't
resolve any internet page.
This is confusing me as I don't know whether the issue is with the modem, the PIX or the way I have configured them to work together. The current config of the PIX is below. Any suggestions or comments
about this setup/config would be much appreciated. Thanks in advance.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group INBOUND in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.30-10.0.0.60 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Thanks
Pat
05-20-2009 06:23 AM
Check a couple of things:
DNS isn't being assigned to you from the PIX, so make sure you have a DNS server set up on your laptop. You won't be able to ping the outside interface of the PIX from the inside of the network, but you should be able to ping the pix from the workstation. Try pinging 4.2.2.1 and see if that resolves correctly. If it does, then nat is happening. You really don't need nat since the modem is handing the ip address to the pix, so you should be able to turn it off.
no global (outside) 1 interface
no nat (inside) 1 0 0
If that breaks your stuff, then put it back, but you should be fine because the modem knows how to get to the 192.168.1.x subnet on the inside of its network.
To have the pix assign you an address, you can do:
dhcpd dns 4.2.2.1
That should allow you to get on the internet should the ping to 4.2.2.1 work.
HTH,
John
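Added example, not code from the thread: a small Python audit that reads a PIX 6.3 `write terminal` dump and flags the things a reviewer would raise about the config Pat posted above and about John's point that the DHCP scope hands out no DNS server. It checks four things: a management statement (`http`/`ssh`/`telnet`) whose permitted source range does not overlap the subnet of the interface it names (the posted `http 192.168.1.0 255.255.255.0 inside` on an inside interface numbered 10.0.0.1/24, which means no host on the laptop's segment can reach PDM), an SNMP community of `public` or `private`, `logging console debugging`, and a `dhcpd enable` with no `dhcpd dns` line. The two config strings are constructed samples: the first is a trimmed copy of the relevant lines from Pat's dump, the second is the same dump with the ISP's sample resolver addresses that Pat quotes later in the thread; the `http 10.0.0.0 255.255.255.0 inside` and `logging buffered warnings` replacements are assumptions of mine, not settings the thread agreed on.

```python
"""
Static checks over a PIX 6.3 'write terminal' dump: management-ACL subnet
sanity, default SNMP community, console debug logging, and DHCP scopes that
hand out no DNS server.  Added example; not from the original thread.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, human-readable message)

# Constructed sample: the lines from the posted config that these checks read.
POSTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server community public
logging console debugging
dhcpd address 10.0.0.30-10.0.0.60 inside
dhcpd lease 3600
dhcpd enable inside
"""

# Constructed sample of the same config after the corrections: dhcpd dns with
# the ISP's sample resolvers quoted in the thread, an http statement that
# matches the inside subnet (assumption), buffered logging instead of console
# debug (assumption), and the snmp-server community line simply removed.
CORRECTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
http server enable
http 10.0.0.0 255.255.255.0 inside
logging buffered warnings
dhcpd address 10.0.0.30-10.0.0.60 inside
dhcpd dns 211.104.215.9 211.104.215.65
dhcpd lease 3600
dhcpd enable inside
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
IFACE_RE = re.compile(rf"^ip address (\S+) {IP} {IP}$")
MGMT_RE = re.compile(rf"^(http|ssh|telnet) {IP} {IP} (\S+)$")
DEFAULT_COMMUNITIES = {"public", "private"}


def interface_networks(lines: List[str]) -> Dict[str, ipaddress.IPv4Network]:
    """Interface name -> connected subnet, from static 'ip address' lines only.
    An interface on DHCP (like 'outside' here) has no fixed subnet to check."""
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for line in lines:
        m = IFACE_RE.match(line)
        if m:
            name, addr, mask = m.groups()
            nets[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return nets


def audit(config: str) -> List[Finding]:
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    nets = interface_networks(lines)
    findings: List[Finding] = []
    dhcp_ifaces = set()
    has_dhcp_dns = False

    for line in lines:
        m = MGMT_RE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            allowed = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            # A permitted source range that shares nothing with the interface's
            # own subnet is either a typo (192.168.1.0/24 on a 10.0.0.1/24
            # interface, as on this page) or needs a route behind that interface.
            if iface in nets and not allowed.overlaps(nets[iface]):
                findings.append(("MGMT_ACL_OFF_SUBNET",
                                 f"{proto} allowed from {allowed} on {iface}, "
                                 f"but {iface} is {nets[iface]}"))
            continue
        m = re.match(r"^snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("SNMP_DEFAULT_COMMUNITY",
                             f"snmp-server community '{m.group(1)}' is a well-known default"))
            continue
        if line == "logging console debugging":
            findings.append(("CONSOLE_DEBUG_LOGGING",
                             "debug-level logging to the console is not advisable on a live firewall"))
            continue
        m = re.match(r"^dhcpd enable (\S+)", line)
        if m:
            dhcp_ifaces.add(m.group(1))
        elif line.startswith("dhcpd dns "):
            has_dhcp_dns = True

    if dhcp_ifaces and not has_dhcp_dns:
        findings.append(("DHCPD_NO_DNS",
                         "dhcpd is enabled on " + ", ".join(sorted(dhcp_ifaces)) +
                         " but there is no 'dhcpd dns' line; clients get no resolver"))
    return findings


def finding_codes(config: str) -> List[str]:
    """Sorted finding codes only, convenient for diffing two dumps."""
    return sorted(code for code, _ in audit(config))


if __name__ == "__main__":
    for code, msg in audit(POSTED_CONFIG):
        print(f"[{code}] {msg}")
```

Run it against `POSTED_CONFIG` and it reports all four findings; against `CORRECTED_CONFIG` it reports none. The `MGMT_ACL_OFF_SUBNET` check is deliberately an overlap test rather than an exact match, so a management range that is a subnet or superset of the interface subnet passes; only a range with no hosts reachable on that interface is flagged, and even that may be legitimate where a routed subnet sits behind the interface, so treat it as a prompt to check the routing table rather than a definite error.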
05-20-2009 08:22 AM
Hi John,
Thanks for the advice and prompt reply. I'm not at the device at the moment but I'll try what you suggest later on.
I'm pretty sure the modem is doing NAT on its interface to the ISP.
My ISP has a comment on its website about DNS and says if I do need to manually assign DNS settings to use 211.104.215.9 and 211.104.215.65 (sample IP addresses) and that they may change from time to time.
Should I have these DNS addresses assigned by the PIX to my laptop, rather than 4.2.2.1 as you suggest?
Thanks again,
Pat
05-20-2009 08:23 AM
Pat,
Yes, you should use their DNS settings. :)
HTH,
John
05-20-2009 02:31 PM
Hi John,
That worked fine. Thanks a lot for your help.
I pinged 4.2.2.1 successfully with the original config I posted. I then made the changes you suggested but had to leave the nat and global statements in the config for it to work.
global (outside) 1 interface
nat (inside) 1 0 0
This is the first step on a bit of a journey for me to try and string some Cisco network kit together. I have a 2651XM router with a WIC-1ADSL card in as well which I want to eventually replace the modem with, and a switch to put behind the PIX, so there's lots of fun and games to be had yet. I believe the WIC-1ADSL will work but I need to read a little around it first before I come back here to ask some questions.
This has been a giant leap forward for me however. Thanks again.
(I still can't ping the laptop's IP address from the laptop???)
Pat
05-20-2009 02:42 PM
Hi All,
As an alternative, you could always bridge the modem and use the pix to authenticate onto the ISP network. The following commands input a username and determine the dialout and authentication methods.
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname username@ISP.com
vpdn group pppoe_group ppp authentication chap
vpdn username username@ISP.com password user_password
The username and password are the ISP authentication details. They'll be provided by the ISP, or located in the modem router thing.
You would also have to tell the pix to get its outside IP address via pppoe, and to set the default route at the same time.
ip address outside pppoe setroute
Using this configuration, you would have to make the pix the DHCP server for your workstations. In doing that you have to ensure there is a valid DNS server or two handed out to the clients.
You would also have to have a nat in place.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
This method would effectively turn the pix into the router for your site. Personally I think it is simpler for the following reasons:
1. Only one NAT
2. All administration can be done on the pix itself
3. If it breaks, only one place to troubleshoot
4. If you ever decide to make the pix a vpn end point, then there's no messy port forwards you need to put in place on the modem/router thing; as the pix is directly on the internet
Bear in mind though, if you do bridge the modem and put in this solution, the only way you will be able to access the modem would be its console port (assuming it has one). Layer 3 connections won't work (eg http, telnet etc). In effect, this solution basically turns the modem into a transmission converter.
Anyway, whichever way you go about it, good luck!
Brad
05-21-2009 03:42 AM
Hi Brad,
Thanks for taking the time to reply to this and for your suggestion, particularly around a VPN.
My ISP has said that PPPoE clients are not supported by them, though one of my colleagues has said that his ISP, both UK ISPs by the way, said the same thing, that it supports PPPoA and not PPPoE, but when he tried it as PPPoE, it worked. The modem certainly can be configured for PPPoE (RFC 2516 PPPoE) and it's worth a try with the modem first to see if it works.
The modem also supports a couple of forms of bridging, 'Bridged Mode Only' and 'RFC 1483 Bridged' but it looks like there may have been issues with using them in the UK. My ISP may also have a view about this. Again both are worth a try and I'm not bothered about losing access to the modem (it has no console port) because I believe it can be recovered to factory defaults if it doesn't work.
I have no DNS server on my inside network at the moment but I'm sure there's a free one I can download and install.
Eventually, it's possible the PIX could be a VPN endpoint and I take your suggestion about the simplicity of managing the connection using the PIX as a router, though I have an edge router with a VPN module and WIC card installed which means, I believe, that I can eventually dispense with the modem altogether. The PIX I expect to be in the network still, in this scenario, but behind the edge router, which will have a static route to it. Achieving this is well beyond the scope of my knowledge currently so excuse me if I'm full of fluffy ideas that are not articulated very well. I have a lot to learn about this and really appreciate any help and suggestions.
Thanks again
Pat
05-21-2009 01:42 PM
Pat,
No worries at all, glad to see you're getting into it!
Brad