
Basic Questions, Initial configuration of 506E

prounds
Level 1

I'm restarting a post, because I think my questions are more basic than the one I actually posed.

Let's say my Firewall is behind a router, the router configured as 192.168.1.0, 255.255.255.0 and I want to assign a block of IPs to my 506e firewall.

What do I set the outside IP address, SNMask of the firewall?

I recently tried 192.168.0.241, 255.255.255.0 and it fixed up most of the problems I was having, but now users behind the firewall couldn't get out, and some, but not all, users in the 192.168.0.1 subnet lost access to the internet.

I tried configuring the firewall to 192.160.0.241, 255.255.255.240, and couldn't get access to servers behind the firewall. When I changed the 255.255.255.240 to 255.255.255.0, I could get access to the 'protected' servers, but with the problems listed above.

1 Reply 1

a.kiprawih
Level 7

Hi,

Your PIX's outside interface should use any unused IP from the 192.168.1.0 255.255.255.0 (/24) subnet, e.g. if the router's FastEthernet is 192.168.1.1, then the PIX's outside IP is 192.168.1.2 or 192.168.1.241. Use the same netmask of 255.255.255.0 for both.

Set the PIX's default route to the router IP, e.g. "route outside 0 0 192.168.1.1 1".

If some users behind the firewall couldn't access the internet, check the "nat" statement. What IP range, subnet or individual hosts are allowed? Verify the "global" statement IP used as the translation IP to go out, e.g.:

global (outside) 1 192.168.1.10-192.168.1.100

nat (inside) 1 192.168.0.0 255.255.255.0

BTW, all servers/hosts behind the firewall must point to the firewall's inside interface IP as gateway. Please make sure the netmask is consistent as well (255.255.255.0).

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1032129

Anyway, what does your firewall config look like?

Rgds,

AK
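
The consistency rules in the reply above (outside IP and mask matching the router's subnet, default route on-link, "global" pool inside that subnet, inside network separate) can be checked before touching the PIX. This is an added example, not part of the thread; the function name `check_pix_plan` is hypothetical, the router IP 192.168.1.1 is the reply's illustrative value, and the 192.168.1.241 / 255.255.255.240 case is constructed.

```python
import ipaddress as ipa

def check_pix_plan(router_ip, router_net, outside_ip, outside_mask,
                   gateway, global_pool, inside_net):
    """Return a list of addressing problems (empty list = consistent plan)."""
    problems = []
    router = ipa.ip_address(router_ip)
    rnet = ipa.ip_network(router_net)
    outside = ipa.ip_interface(f"{outside_ip}/{outside_mask}")
    inside = ipa.ip_network(inside_net)
    lo, hi = (ipa.ip_address(a) for a in global_pool.split("-"))

    # Outside interface must live in the router's LAN with the same mask.
    if outside.ip not in rnet:
        problems.append("outside IP is not in the router's subnet")
    elif outside.network != rnet:
        problems.append("outside netmask differs from the router's")
    if outside.ip == router:
        problems.append("outside IP duplicates the router IP")
    # "route outside 0 0 <gateway>" only works if the gateway is on-link.
    if ipa.ip_address(gateway) not in outside.network:
        problems.append("default-route gateway is not on the outside subnet")
    # "global (outside)" translation pool must sit in the outside subnet.
    if lo > hi or lo not in outside.network or hi not in outside.network:
        problems.append("global pool is not inside the outside subnet")
    elif lo <= router <= hi or lo <= outside.ip <= hi:
        problems.append("global pool overlaps the router or outside IP")
    # "nat (inside)" source network must not be the same as the outside one.
    if inside.overlaps(outside.network):
        problems.append("inside and outside subnets overlap")
    return problems

# Values from the thread; router IP 192.168.1.1 is the reply's example value.
ROUTER = ("192.168.1.1", "192.168.1.0/255.255.255.0")
REST = ("192.168.1.1", "192.168.1.10-192.168.1.100", "192.168.0.0/255.255.255.0")

if __name__ == "__main__":
    for ip, mask in [("192.168.1.2", "255.255.255.0"),
                     ("192.168.0.241", "255.255.255.0"),
                     ("192.168.1.241", "255.255.255.240")]:  # constructed case
        print(ip, mask, check_pix_plan(*ROUTER, ip, mask, *REST) or "consistent")
```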