Getting Started with PIX 506

Answered Question
Mar 21st, 2007

First of all, thank you for remembering when you first started with PIX appliances...

I recently purchased a pre-owned PIX 506 running software version 5.1(2). I am currently unable to upgrade this software since I do not have the appropriate 'service contract', so I am stuck with this software version.

Although I did receive the manual 'Configuration Guide for the Cisco PIX Firewall Version 5.1', I am a bit lost with this firewall.

My network:

ADSL Router (ISP Provided) =>PIX=>Switch=>Network

Subnet: 192.168.254.0/24

Netmask: 255.255.255.0

Static External IP assigned by ISP:74.41.202.106

Questions:

1) The 'inside' interface should be a LAN assigned IP? (Ex. 192.168.254.3)

2) What should the 'outside' interface be set to?

vitripat Wed, 03/21/2007 - 08:34

Questions:

1) The 'inside' interface should be a LAN assigned IP? (Ex. 192.168.254.3)

- Yes, inside interface should be in 192.168.254.0/24 subnet. You can choose any free IP and make it as the gateway for the internal network.

2) What should the 'outside' interface be set to?

- "Static External IP assigned by ISP:74.41.202.106", as this is the IP given to you by your ISP, this should be on the outside interface of PIX. However, they must have also provided the subnet mask and the gateway IP. Please use the subnet mask while configuring IP address on outside interface, and use the gateway_IP as such:

route outside 0 0 gateway_ip

With this command in, PIX will know where to route traffic for internet.

Hope that helps.

Regards,

Vibhor.

huynhkhay Wed, 03/21/2007 - 08:36

Hi,

1) correct

2) If 74.41.202.106 is the ADSL router address, you should set the "outside" interface to an address in the same subnet of your ADSL Router. And your default gateway on your PIX will be the ADSL Router.

Hope it helps

srberg5219 Wed, 03/21/2007 - 09:10

Here is my subnet structure:

Router LAN IP: 192.168.254.1

* 74.41.202.106 IP is the static IP I lease from my ISP for access to my web servers/email servers FROM the internet.

So I should set the following:

1) Inside Interface IP: 192.168.254.2

2) Outside Interface IP: 192.168.254.3

3) PIX Gateway IP:192.168.254.1 (since this is the LAN IP of the router)

My gratitude ahead of time...

Correct Answer
vitripat Wed, 03/21/2007 - 09:20

So I should set the following:

1) Inside Interface IP: 192.168.254.2

- Yes.

2) Outside Interface IP: 192.168.254.3

- No. The outside interface and inside interface cannot be in same subnet. You should use 74.41.202.106 on the outside interface of PIX and connect the outside interface to the ADSL modem.

3) PIX Gateway IP:192.168.254.1 (since this is the LAN IP of the router)

- Not sure where this router is placed. Is your ISP terminating currently on this router? What type of connection do you have .. PPPoE/PPPoA/DSL etc?

Also, it seems that you already have a network setup with ISP terminating on the router and internal network connected to the 192.168.254.1 interface. Now you are trying to place a PIX in between. Let me know if this is the situation.

Regards,

Vibhor.

acomiskey Wed, 03/21/2007 - 09:23

Diagram is in his first post. It appears to be an ADSL router, not a modem. I assume 74.41.202.106 is the address on the outside of the router, so he cannot make this the PIX outside.

srberg5219 Wed, 03/21/2007 - 09:29

This firewall is being integrated into an existing network where the router's IP (192.168.254.1) was set as the 'Default Gateway' on workstations and servers (Windows based) and as the 'forwarding' address in Windows DNS.

Physically, here is my layout before PIX:

===Internet===

|

|

===Router=== (LAN IP of 192.168.254.1)

|

|

===Switch=== (unmanaged)

|

|

===Network=== (Web/Email servers-IPs set)

I am placing my PIX AFTER the router:

===Internet===

|

|

===Router=== (LAN IP of 192.168.254.1)

|

|

===PIX 506===

|

|

===Switch=== (unmanaged)

|

|

===Network=== (Web/Email servers-IPs set)

**Connection type is PPPoA

vitripat Wed, 03/21/2007 - 09:36

Thanks for the updates. However, in this scenario, we will have some major changes ..

As I mentioned earlier, outside and inside interfaces of PIX cannot be in same subnet, thus, if we place PIX in between, we will have to change the network addressing on whole internal network.

LAN IP of router will remain 192.168.254.1, which will also be the gateway IP of the PIX. You can assign the PIX outside interface any free IP in the same subnet. Now we need to give the inside interface a totally new subnet, and the whole of your internal network will also be in the same new subnet as the PIX's inside interface. Let me know if this suits you.

Regards,

Vibhor.

srberg5219 Wed, 03/21/2007 - 09:46

So if I understand correctly, this will be my setup:

1)Router IP: 192.168.254.1

2)PIX OUTSIDE interface: 192.168.254.2

3)PIX INSIDE Interface AND whole internal network: New subnet of 192.168.253.0/24.(or whatever new subnet I want to assign)
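The addressing rules worked out in the thread so far (inside and outside on different subnets, default gateway reachable on the outside subnet) can be checked before anything is typed into the firewall. The following is an added example, not part of any post; the inside address 192.168.253.1 and the function names are assumptions, and the /24 masks come from the first post.

```python
import ipaddress


def check_plan(outside, inside, gateway):
    """Return a list of problems with a two-interface firewall addressing plan.

    outside / inside: interface addresses in CIDR form.
    gateway: next hop for the default route on the outside interface.
    """
    out_if = ipaddress.ip_interface(outside)
    in_if = ipaddress.ip_interface(inside)
    gw = ipaddress.ip_address(gateway)
    problems = []

    # A routed firewall needs a distinct subnet on each interface.
    if out_if.network.overlaps(in_if.network):
        problems.append("inside %s and outside %s subnets overlap"
                        % (in_if.network, out_if.network))

    # The default-route next hop must be directly connected on the outside.
    if gw not in out_if.network:
        problems.append("gateway %s is not on the outside subnet %s"
                        % (gw, out_if.network))
    elif gw == out_if.ip:
        problems.append("gateway %s is the firewall's own outside address" % gw)

    # Interface addresses must be usable host addresses.
    for name, iface in (("outside", out_if), ("inside", in_if)):
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append("%s address %s is not a host address" % (name, iface.ip))
    return problems


def default_route(gateway):
    """Render the default route in the form quoted earlier in the thread."""
    return "route outside 0 0 %s" % ipaddress.ip_address(gateway)


# Plans from the thread. The inside host address in REVISED_PLAN is assumed.
FIRST_PLAN = dict(outside="192.168.254.3/24", inside="192.168.254.2/24",
                  gateway="192.168.254.1")
REVISED_PLAN = dict(outside="192.168.254.2/24", inside="192.168.253.1/24",
                    gateway="192.168.254.1")

if __name__ == "__main__":
    for label, plan in (("first", FIRST_PLAN), ("revised", REVISED_PLAN)):
        issues = check_plan(**plan)
        print(label, "OK" if not issues else issues)
    print(default_route(REVISED_PLAN["gateway"]))
```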

acomiskey Wed, 03/21/2007 - 11:29

If it were me, I would ditch the dsl router, get a dsl modem, assign 74.41.202.106 to the outside of pix, 192.168.254.1 to inside and be done with it. Then you won't have to change anything on the inside. Unless of course, you need an outside router. And it may have been easier to just change the transport network between the outside router and pix, rather than change your inside network.
