Posted by on February 18, 2005, 9:22 am
I am a newbie, trying to set up a PIX 501 behind a DSL modem. My
network works fine without the PIX 501 in play, but when I put it in
place I cannot access the internet. I tried the default configuration
and had IP addresses of 127.0.0.1 on both the inside and outside ports.
My config file is as follows.
Result of PIX command: "write terminal"
Building configuration...
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <...> encrypted
passwd <...> encrypted
hostname pixfirewall
domain-name pix.firewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.50 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:babfa09088097226fb85182ae8e15456
: end
[OK]
Any help would be greatly appreciated.
Posted by Merv on February 18, 2005, 10:00 am
Did your ISP provide you with a user id and password?
If so, then they are probably using PPP over Ethernet (PPPoE).
For that you would need to add something like the following to your
config:
vpdn username <ISP provided user id> password <ISP provided password>
vpdn enable
vpdn group DSL request dialout pppoe
vpdn group DSL localname <ISP provided user id>
vpdn group DSL ppp authentication < pap | chap - ask ISP tech support>
ip address outside pppoe setroute
Posted by Walter Roberson on February 18, 2005, 5:44 pm
:I am a newbie, trying to set up a PIX 501 behind a DSL modem. My
:network works fine without the PIX 501 in play, but when I put it in
:place I cannot access the internet.
Is the DSL modem itself doing NAT (network address translation)?
If not, then you probably need
ip address outside dhcp setroute
instead of assigning the 192.168 IP. The 192.168 IP you have
assigned to the outside address is not routable, so if that's
the IP that is being passed to your ISP, nothing would be able
to answer.
Also, most DSL providers require that you present login
credentials. When you have your network directly attached,
you are probably running PPPoE software that automatically
sends the login information to the DSL provider; if so then
you will need to configure it into the PIX.
--
This signature intentionally left... Oh, darn!
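The point made in the reply above about the non-routable 192.168 outside address, as an added example that is not part of the original thread: a Python check over the addressing lines of a PIX 6.x configuration. The function name and the embedded sample (copied from the configuration posted at the top of the thread) are assumptions of this example.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: addressing lines from the configuration posted above.
SAMPLE_CONFIG = """\
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
"""

def check_outside_addressing(config):
    """Return a list of findings about the outside side of a PIX 6.x config."""
    findings, static, nat_ids, global_ids = [], {}, set(), set()
    gateway = None
    for raw in config.splitlines():
        f = raw.split()
        if f[:2] == ["ip", "address"] and len(f) == 5 \
                and f[3] not in ("dhcp", "pppoe"):
            # Static address: "ip address <nameif> <ip> <mask>"
            static[f[2]] = ipaddress.ip_interface(f"{f[3]}/{f[4]}")
        elif f[:1] == ["nat"] and len(f) >= 3:
            nat_ids.add(f[2])        # "nat (inside) <id> ..."
        elif f[:1] == ["global"] and len(f) >= 3:
            global_ids.add(f[2])     # "global (outside) <id> ..."
        elif f[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"] and len(f) >= 5:
            gateway = ipaddress.ip_address(f[4])

    outside = static.get("outside")  # None when learned via dhcp/pppoe
    if outside and any(outside.ip in net for net in RFC1918):
        findings.append(f"outside {outside.ip} is RFC 1918: the upstream "
                        "modem must route and NAT for this to reach the ISP")
    if outside and gateway and gateway not in outside.network:
        findings.append(f"default gateway {gateway} is not in the outside "
                        f"subnet {outside.network}")
    # nat id 0 means "do not translate", so it needs no global pool.
    for nat_id in sorted(nat_ids - global_ids - {"0"}):
        findings.append(f"nat id {nat_id} has no matching global statement")
    return findings

if __name__ == "__main__":
    for finding in check_outside_addressing(SAMPLE_CONFIG):
        print(finding)
```
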
Posted by adrien_t@hotmail.com on February 18, 2005, 10:00 am
The DSL modem gets a dynamic IP address from my ISP and acts as a
router. The PPPoE software is running on the DSL Modem. The crazy part
is that I cannot even ping the outside port of the PIX from the inside
port of the PIX. This is why I feel the problem lies within the PIX
router.
Posted by Walter Roberson on February 18, 2005, 6:11 pm
From: roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson)
Newsgroups: comp.dcom.sys.cisco
Subject: Re: PIX 501 Issues
Date: 18 Feb 2005 18:16:03 GMT
Organization: National Research Council Canada - Conseil national de rechereches
Canada