
Is This Possible - Cisco 827 and Cisco PIX-515-UR

PJWHITBY
Level 1

I will start by outlining the infrastructure.

Connected to the LAN we have a PIX-515-UR. We run PAT and various access-lists/conduits etc etc on this.

We have just installed an ADSL from Pipex, a Cisco 827 router and amongst other technical details, a single IP address. Now what we would like to do is assign that IP address to the external interface of the PIX, and pass all traffic across the 827 and onto the internet. I can do this if I set up another 'LAN' between the 827 and PIX and assign the public IP address to the 827's ATM0 interface, but I want to assign the public IP address to the external interface of the 515. The 827 for all intents and purposes needs to be invisible to the PIX, a kind of bridge. The service we have subscribed to from Pipex is using VC/MUX framing, ITU G.dmt mode, VPI 0, VCI 38 and using the protocol PPPoA.

It also requires a username and password logon.

Can this be done? Can the 827 act as a transparent bridge whilst at the same time passing the relevant username/password to the ISP? I have tried numerous configs and read what feels like millions of webpages to no avail.

If anybody needs any further info on the setup please contact me, or post here for answers.

Many thanks to anybody who replies.

Paul Whitby

4 Replies

smalkeric
Level 6

I am not sure whether you have a static IP address. If it's static, you can configure that as the outside interface IP of the PIX, and configure the 827 with a bridge group with both the Ethernet and ATM interfaces falling in the same bridge-group number.

For example:

bridge 1 protocol ieee
!
! the 827's LAN interface is Ethernet0
int ethernet0
 bridge-group 1
!
int atm0
 bridge-group 1

Cisco 827 can act as a transparent bridge in this manner.

We have a single static IP address and as you state I want to use it on the outside interface of the PIX. I have tried a bridge group on the E0 and ATM0 interfaces of the C827 but this didn't work, I presume because the ISP requires a username/password to be passed by the C827. What I need to know is if you can use the C827 with a bridge-group between the E0 and ATM0 interfaces and at the same time pass a username/password, when required, to the ISP from the C827. I think it needs a Dialer interface, but do I then need to re-assign the bridge-group interfaces?

Any enlightenment would be gratefully received.

Smalkeric, thanks for your answer, much appreciated

Paul

A similar situation here with a 2600 router and PIX 515E. Could you post the configs if you get this?

Much thanks

I have a similar set-up although I am using a different firewall. This is what I do.

The 827's PPPoA interface has the 'real' IP address, the Ethernet interface has a private IP address (10.1.1.1/29), and the firewall's 'outside' interface is connected to this via a crossover cable and is in the same subnet (10.1.1.2/29). The 827 is configured to NAT everything to/from the firewall using its PPPoA interface IP address:

interface ethernet0
 ip address 10.1.1.1 255.255.255.248
 ip nat inside
!
interface dialer1
 ip address x.x.x.x
 ip nat outside
!
! x.x.x.x = real (public) IP address; the 'static' keyword is required
ip nat inside source static 10.1.1.2 x.x.x.x

When configuring the PIX, treat the private outside IP address as you would a 'real' public one. If the PIX is performing NAT (my firewall is) then you are performing NAT twice; once on the PIX and then again on the 827 - I haven't found this to be a problem though.
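The double-NAT layout from the last reply, filled out with the line parameters given in the original question (PPPoA, VC/MUX, VPI 0 / VCI 38, ITU G.dmt), as an added example that is not part of the original thread and has not been tested on the posters' equipment. `x.x.x.x` and the `<...>` credentials are placeholders; `ip address negotiated`, sending both CHAP and PAP credentials, and the vty access list are assumptions.

```cisco
! --- Cisco 827 (IOS) ---
interface Ethernet0
 ip address 10.1.1.1 255.255.255.248
 ip nat inside
!
interface ATM0
 no ip address
 dsl operating-mode itu-dmt
 pvc 0/38
  ! VC/MUX framing carrying PPP, bound to the dialer pool below
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer1
 ! assumption: the ISP hands out the static address during PPP negotiation
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ! assumption: the ISP accepts CHAP or PAP; the 827 answers either
 ppp chap hostname <isp-username>
 ppp chap password <isp-password>
 ppp pap sent-username <isp-username> password <isp-password>
!
! one-to-one translation: the firewall's outside address <-> the public address
ip nat inside source static 10.1.1.2 x.x.x.x
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! assumption: limit router management to the /29 between the 827 and the firewall
access-list 10 permit 10.1.1.0 0.0.0.7
line vty 0 4
 access-class 10 in
!
! --- PIX 515 (PIX 6.x syntax), outside interface on the private /29 ---
! ip address outside 10.1.1.2 255.255.255.248
! route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
```

Because the static translation forwards inbound traffic for the public address to 10.1.1.2, the PIX access-lists/conduits remain the only inbound policy and should be reviewed as if the PIX held the public address itself.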
