Best IP Address Config for Router and PIX

anthonym
Level 1

Our current network setup is:

Internet--->router--->pix506e->local network

The router in use is ISP provided, and very simple, it has a single public IP x.x.x.185.

Outside on the PIX is set to x.x.x.188 and inside is 192.168.93.1.

The internal subnet is 192.168.93.0/24

We have acquired a 1721 router, which has two interfaces.

I have set Dialer0 to x.x.x.188, and FastEthernet0 to 192.168.93.10. In this case I can ping external IP addresses from the router, but not the PIX.

How do I set this up such that the PIX can be accessed at x.x.x.188, through the 1721?

6 Replies

zhiqiang.yan
Level 1

Hi,

You need to set NAT in your router, because the IP of f0 is your internal address, internet doesn't it.

With NAT set in the 1721 will the PIX be accessible as x.x.x.188?

I would like initially to replicate the current set-up, the other public addresses will be used later for more services from the inside.

Oh, your PIX outside address is x.x.x.188, but it connects to 1721 Fa0, the IP of fa0 is 192.168.x.x?

I think you should set up a public address on the fa0, or your outside address is 192.168.x.x.

If fa0 is a public address, the NAT/PAT should be set up in the PIX. I guess you did.

My confusion comes from the fact that the current router has only one IP, the public one, whereas the 1721 seems to need two.

If Fa0 is set to a public address, what happens to the address on the ADSL interface?

The current config is below:

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
logging console emergencies
enable secret 5 xx
enable password 7 xx
!
no aaa new-model
!
resource policy
!
clock timezone BST 1
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip bootp server
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/38
  protocol ip x.x.x.191 broadcast
  dialer pool-member 1
  protocol ppp dialer
 !
!
interface FastEthernet0
 ip address 192.168.93.10 255.255.255.0
 speed auto
 full-duplex
 no cdp enable
!
interface Dialer0
 ip address x.x.x.185 255.255.255.0
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xx
 ppp chap password 7 xx
!
interface Dialer1
 no ip address
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
!
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password 7 xx
 login
!
no process cpu extended
no process cpu autoprofile hog
sntp server 192.168.93.4
end

So, I know what you have.

(1)

Set up an IP 192.168.93.x/24 on the fa0 of the 1721, and configure PAT on the router.

Set the PIX to transparent mode. No IP on the PIX.

or (2)

Set IP 192.168.1.1/30 on the fa0 of the 1721.

Set IP 192.168.1.2/30 on the outside of the PIX.

IP 192.168.93.x/24 on the inside.

Set a route for 192.168.93.x/24 to 192.168.1.2 on the router.

Set a route for 0.0.0.0 to 192.168.1.1 on the PIX.

Set PAT on the router.
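
The router-side commands for option (2), as an added example that is not part of the original thread. The addresses are the ones given in the post; ACL number 10 is an assumption, and the PIX side is not shown.

```cisco
! Added example (not from the thread): 1721 side of option (2).
! Assumption: standard ACL 10 is not already in use on this router.
!
! Transit /30 towards the PIX outside interface (192.168.1.2).
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
!
! Existing public address and PPP settings on Dialer0 stay as they are;
! only the NAT role is added.
interface Dialer0
 ip nat outside
!
! Reach the inside LAN through the PIX.
ip route 192.168.93.0 255.255.255.0 192.168.1.2
!
! Sources that may be translated: the inside LAN and the transit link.
access-list 10 permit 192.168.93.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.3
!
! PAT: outbound sessions share the Dialer0 address.
ip nat inside source list 10 interface Dialer0 overload
```

With PAT overload alone, nothing on the outside can open a session to the PIX or to hosts behind it; reaching a service at x.x.x.188 would need an additional static translation on the router.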

I will try the second option this evening, as this is a production network.

Is it possible to do the first option on a PIX506E? If so, I do not know how.

I am sure I am making this sound more complicated than it is, this should be a simple task I am sure.

From the ISP I am given an IP range x.x.x.185-191 with 185 as the gateway. If I were to only use public addresses how would I set up the 1721?

i.e. Server (x.x.x.188)->1721->Internet

I should be able to work out the rest from there.