02-04-2003 08:17 AM - edited 02-20-2020 10:32 PM
I am trying to install a pix 515 firewall between my dsl router (used for internet access only) and my network. My network has a public address as you can see. Sprint told me to assign 192.168.1.1 to the 642R router and 192.168.1.2 to the outside of the pix.
With the router configured with one of my public IP addresses and that address assigned as the gateway to the workstations (without the pix installed) I can access the internet. When I install the pix and configure as follows, I cannot access the internet from any of my workstations. Could someone please take a look at the following PIX 515 config and the ZyXel-Prestige 642R (sprint) router config and tell me what I am doing wrong?
Thanks, Steve.
gateway on the workstations =128.23.176.142
My ZyXel-Prestige 642R router config is:
Route IP=yes
Bridge=no
DHCP Setup=none
TCP\IP setup
ip address=192.168.1.1
subnet mask=255.255.255.0
rip direction=none
multicast=none
IP policies= (blank)
edit ip policies=no
Bridge Setup
handle IPX=none
Internet Access Setup
ISP's name=ELAN
Encapsulation=PPPoE
Multiplexing=LLC-based
VPI # = 8
VCI # = 35
Single user account= yes
IP address asignment=dynamic
ip address= n\a
ENET ENCAP Gateway= n\a
My configuration for the pix 515 is:
nameif eO outside security0
nameif e1 inside security100
interface e0 auto
interface e1 auto
ip address outside 192.168.1.2 255.255.255.0
ip address inside 128.23.176.142 255.255.255.0
hostname Internetfirewall
arp timeout 14400
no failover
names
pager lines 24
logging buffered debugging
nat (inside) 1 128.23.176.0 255.255.255.0
global 1 192.168.1.3
rip inside default
no rip inside passive
no rip outside default
no rip outside passive
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
mtu outside 1500
mtu inside 1500
02-04-2003 08:29 AM
It looks okay for internet access. Did you restart the sprint router when you added the PIX? I have run into an issue in the past when adding a PIX with an ISP Router that was already running. I had to reboot the ISP Router, then the PIX started working. I don't know why it did it, because I have added PIXes before without rebooting the other Router and had them work. I have noticed I always have to reboot the COX Routers when I add a PIX.
02-04-2003 06:30 PM
Hey thanks, but no luck. I tried rebooting after I read your reply but nothing. I get a dynamic IP from sprint, is that in any way contributing to this problem? I can't believe this is this difficult. What about bridging the router and using PPPoE to send username and password out to get assigned? Does this make sense for pix ver 6.1 (4)?
Any help?
02-05-2003 12:11 PM
I would guess that the DSL router is not set up for NAT. In that case you have 2 options.
1 - Set up the pix to do your NAT and use the public addressing on the outside of the pix.
2 - Set up the pix to not do NAT by using the "nat 0 128.23.176.0" command. But then you have to tell the DSL router how to route to that network. You might have to enable rip on the Zyxel router for inside and set up rip on the outside for the Pix.
Personally I would go with option 1, unless you have a reason for public addressing on your internal network.
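Added example, not part of the original reply or any Cisco tooling: a small Python check that reads the addressing lines of a PIX 6.x config and reports what the router in front of the PIX must do for return traffic to work, run on the posted config and on a constructed variant of option 2. The function names are hypothetical; it assumes `nat` lines carry an explicit interface and netmask and does not handle the `global ... interface` form.

```python
import ipaddress

# Constructed sample: the addressing lines of the PIX config posted in this thread.
POSTED = """\
ip address outside 192.168.1.2 255.255.255.0
ip address inside 128.23.176.142 255.255.255.0
nat (inside) 1 128.23.176.0 255.255.255.0
global 1 192.168.1.3
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
"""
# Constructed variant for option 2: identity NAT, explicit interface and mask assumed.
OPTION2 = POSTED.replace("nat (inside) 1", "nat (inside) 0").replace("global 1 192.168.1.3\n", "")

def parse(config):
    """Collect interface addresses, nat rules, global addresses and the default gateway."""
    cfg = {"ifaces": {}, "nat": [], "global": {}, "gateway": None}
    for line in config.splitlines():
        t = line.replace("(", " ").replace(")", " ").split()
        if t[:2] == ["ip", "address"] and len(t) == 5:
            cfg["ifaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:1] == ["nat"] and len(t) == 5:        # nat (if) id network mask
            cfg["nat"].append((int(t[2]), ipaddress.ip_network(f"{t[3]}/{t[4]}")))
        elif t[:1] == ["global"]:                      # interface name is optional
            rest = t[1:] if t[1].isdigit() else t[2:]
            cfg["global"][int(rest[0])] = ipaddress.ip_network(rest[1].split("-")[0])
        elif t[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"]:
            cfg["gateway"] = ipaddress.ip_address(t[4])
    return cfg

def upstream_requirements(cfg):
    """List what the router in front of the PIX must do for return traffic to work."""
    needs, gw = [], cfg["gateway"]
    if gw is None or gw not in cfg["ifaces"]["outside"].network:
        needs.append(("fix-gateway", str(gw)))
    for nat_id, inside_net in cfg["nat"]:
        # nat 0 leaves the source untranslated; otherwise the router sees the global address.
        seen = inside_net if nat_id == 0 else cfg["global"].get(nat_id)
        if seen is None:
            needs.append(("missing-global", str(nat_id)))
            continue
        if nat_id == 0:       # router needs a route back to the inside network
            needs.append(("route", f"{inside_net} via {cfg['ifaces']['outside'].ip}"))
        if seen.is_private:   # RFC 1918 source is not routable on the Internet
            needs.append(("router-nat", str(seen)))
    return needs

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("option 2", OPTION2)):
        print(name, upstream_requirements(parse(text)))
```

For the posted config the only requirement reported is that the router itself translate 192.168.1.3, which is the condition this reply suspects is not met; for the option 2 variant it is a route to 128.23.176.0/24 via the PIX outside address.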
02-06-2003 05:03 AM
Can you ping internet hosts from the DSL router?
We use an Efficient Networks Speedstream DSL router, and I had to turn ALL filtering off to get it to work properly.
We use a PIX 520 behind it for all internal user traffic to route through.
Once I could ping from the router, and from the PIX behind the router, all I did was set the default gateway of the users to the inside address of the PIX (with NAT running), and everything works happily.