Possible PIX 501 issue

Unanswered Question
May 20th, 2009

Hi,

I could do with a little help with some kit I've recently acquired. I have a PIX 501 with a Linksys DSL modem (adsl2mue) between it and my ISP. The modem is a DHCP client of my ISP and DHCP server for the PIX outside interface. The PIX inside interface is also a DHCP server. I connect a laptop to the inside interface of the PIX.

The IP address of the modem is 192.168.1.1 and it has a web front end for configuration, resolvable at this address via http. The modem connects (RFC 2364 PPPoA) successfully to the internet via my ISP and is allocated an IP address. The PIX outside interface is allocated a DHCP IP address of 192.168.1.2, as expected, by the modem. My laptop is correctly allocated an IP address 10.0.0.30 in the DHCP range of the inside interface of the PIX.

From my laptop, I can ping the IP address of the inside interface of the PIX 10.0.0.1. I can also ping the IP address of the modem 192.168.1.1.

I can't ping the IP address allocated to the laptop by the inside interface of the PIX (yes, from the laptop??). I can't ping the IP address of the outside interface of the PIX. I believe I should be able to ping both of these. I can resolve the modem's web front end on my laptop in a web browser but can't resolve any internet page.

This is confusing me as I don't know whether the issue is with the modem, the PIX or the way I have configured them to use them together. The current config of the PIX is below. Any suggestions or comments about this setup/config would be much appreciated. Thanks in advance.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group INBOUND in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.30-10.0.0.60 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80

Thanks

Pat
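An added example, not from this thread and not Cisco code: a small Python review of the config Pat posted. It checks for the missing `dhcpd dns` line John points out below, and for three further things a reviewer would flag in the same config: the PDM `http` line permits 192.168.1.0/24 on the inside interface although the inside subnet is 10.0.0.0/24 (so PDM is unreachable from the laptop), the SNMP community is the default `public`, and console logging is left at debugging level. The regex-based line parsing, the finding identifiers and the hardened sample config (with `dhcpd dns 4.2.2.1` added and the `http` line moved to 10.0.0.0/24) are assumptions of this example.

```python
"""Hypothetical PIX 6.3 config review (not Cisco code): reads a running-config
as text and reports the issues raised in this thread."""
import ipaddress
import re
from typing import List, Optional

# Constructed sample: the lines of Pat's posted config that the checks read.
SAMPLE_CONFIG = """\
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server community public
logging console debugging
dhcpd address 10.0.0.30-10.0.0.60 inside
dhcpd enable inside
"""

# Constructed sample: same config with John's 'dhcpd dns' line, the PDM access
# list on the real inside subnet, no default SNMP community, quieter console.
HARDENED_CONFIG = """\
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
http server enable
http 10.0.0.0 255.255.255.0 inside
logging console informational
dhcpd address 10.0.0.30-10.0.0.60 inside
dhcpd dns 4.2.2.1
dhcpd enable inside
"""


def config_lines(text: str) -> List[str]:
    """Non-empty, non-comment ('!') lines, whitespace stripped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def _network(addr: str, mask: str) -> Optional[ipaddress.IPv4Network]:
    """'address mask' -> network, or None when the pair is not valid IPv4."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None


def inside_network(lines: List[str]) -> Optional[ipaddress.IPv4Network]:
    """Subnet of the inside interface from 'ip address inside A.B.C.D MASK'."""
    for ln in lines:
        m = re.match(r"ip address inside (\S+) (\S+)$", ln)
        if m:
            return _network(m.group(1), m.group(2))
    return None


def review_pix_config(text: str) -> List[str]:
    """Return findings as 'id: explanation' strings; empty list means clean."""
    lines = config_lines(text)
    inside = inside_network(lines)
    findings: List[str] = []

    # DHCP enabled but no DNS server offered: clients can ping 4.2.2.1 by
    # address yet cannot resolve any name (the symptom in the question).
    if any(ln.startswith("dhcpd enable") for ln in lines) and \
            not any(ln.startswith("dhcpd dns") for ln in lines):
        findings.append("dhcpd-no-dns: DHCP enabled but no 'dhcpd dns' server offered")

    for ln in lines:
        # DHCP pool handed out on 'inside' must sit within the inside subnet.
        m = re.match(r"dhcpd address (\S+)-(\S+) inside$", ln)
        if m and inside is not None:
            lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            if lo not in inside or hi not in inside:
                findings.append(f"dhcpd-pool-outside-subnet: {lo}-{hi} not in {inside}")

        # PDM/HTTP management ACL naming a subnet absent from the inside
        # interface: unreachable from the LAN and easy to 'fix' with 'any'.
        m = re.match(r"http (\S+) (\S+) inside$", ln)
        if m and inside is not None:
            allowed = _network(m.group(1), m.group(2))
            if allowed is not None and not allowed.overlaps(inside):
                findings.append(f"http-acl-mismatch: PDM allowed from {allowed}, inside is {inside}")

        # Well-known SNMP community strings.
        m = re.match(r"snmp-server community (\S+)$", ln)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(f"snmp-default-community: community '{m.group(1)}' is a well-known default")

        # Debug-level console logging loads the box and floods the serial line.
        if ln == "logging console debugging":
            findings.append("console-debug: console logging at debugging level")

    return findings


if __name__ == "__main__":
    print("\n".join(review_pix_config(SAMPLE_CONFIG) or ["clean"]))
```

Run against the posted config the script reports four findings; against the hardened sample it reports none. The checks are deliberately line-oriented because PIX 6.3 configs are flat one-command-per-line text, so the same approach extends to other `show running-config` output pasted into a ticket.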

John Blakley Wed, 05/20/2009 - 06:23

Check a couple of things:

DNS isn't being assigned to you from the PIX, so make sure you have a DNS server set up on your laptop. You won't be able to ping the outside interface of the PIX from the inside of the network, but you should be able to ping the pix from the workstation. Try pinging 4.2.2.1 and see if that resolves correctly. If it does, then nat is happening. You really don't need nat since the modem is handing the ip address to the pix, so you should be able to turn it off.

no global (outside) 1 interface
no nat (inside) 1 0 0

If that breaks your stuff, then put it back, but you should be fine because the modem knows how to get to the 192.168.1.x subnet on the inside of its network.

To have the pix assign you an address, you can do:

dhcpd dns 4.2.2.1

That should allow you to get on the internet should the ping to 4.2.2.1 work.

HTH,

John

patnliz123 Wed, 05/20/2009 - 08:22

Hi John,

Thanks for the advice and prompt reply. I'm not at the device at the moment but I'll try what you suggest later on.

I'm pretty sure the modem is doing NAT on its interface to the ISP.

My ISP has a comment on its website about DNS and says if I do need to manually assign DNS settings to use 211.104.215.9 and 211.104.215.65 (sample IP addresses) and that they may change from time to time.

Should I have these DNS addresses assigned by the PIX to my laptop, rather than 4.2.2.1 as you suggest?

Thanks again,

Pat

patnliz123 Wed, 05/20/2009 - 14:31

Hi John,

That worked fine. Thanks a lot for your help.

I pinged 4.2.2.1 successfully with the original config I posted. I then made the changes you suggested but had to leave the nat and global statements in the config for it to work.

global (outside) 1 interface
nat (inside) 1 0 0

This is the first step on a bit of a journey for me to try and string some Cisco network kit together. I have a 2651XM router with a WIC-1ADSL card in as well which I want to eventually replace the modem with, and a switch to put behind the PIX, so there's lots of fun and games to be had yet. I believe the WIC-1ADSL will work but I need to read a little around it first before I come back here to ask some questions.

This has been a giant leap forward for me however. Thanks again.

(I still can't ping the laptop's IP address from the laptop???)

Pat

bmcginn Wed, 05/20/2009 - 14:42

Hi All,

As an alternative, you could always bridge the modem and use the pix to authenticate onto the ISP network. The following commands input a username and determine the dialout and authentication methods.

vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication chap
vpdn username [email protected] password user_password

The username and password are the ISP authentication details. They'll be provided by the ISP, or located in the modem router thing.

You would also have to tell the pix to get its outside IP address via pppoe, and to set the default route at the same time.

ip address outside pppoe setroute

Using this configuration, you would have to make the pix the DHCP server for your workstations. In doing that you have to ensure there is a valid DNS server or two handed out to the clients.

You would also have to have a nat in place.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

This method would effectively turn the pix into the router for your site. Personally I think it is simpler for the following reasons:

1. Only one NAT

2. All administration can be done on the pix itself

3. If it breaks, only one place to troubleshoot

4. If you ever decide to make the pix a vpn end point, then there's no messy port forwards you need to put in place on the modem/router thing; as the pix is directly on the internet

Bear in mind though, if you do bridge the modem and put in this solution, the only way you will be able to access the modem would be its console port (assuming it has one). Layer 3 connections won't work (e.g. http, telnet, etc.). In effect, this solution basically turns the modem into a transmission converter.

Anyway, whichever way you go about it, good luck!

Brad

patnliz123 Thu, 05/21/2009 - 03:42

Hi Brad,

Thanks for taking the time to reply to this and for your suggestion, particularly around a VPN.

My ISP has said that PPPoE clients are not supported by them, though one of my colleagues has said that his ISP (both UK ISPs, by the way) said the same thing, that it supports PPPoA and not PPPoE, but when he tried it as PPPoE, it worked. The modem certainly can be configured for PPPoE (RFC 2516 PPPoE) and it's worth a try with the modem first to see if it works.

The modem also supports a couple of forms of bridging, 'Bridged Mode Only' and 'RFC 1483 Bridged' but it looks like there may have been issues with using them in the UK. My ISP may also have a view about this. Again both are worth a try and I'm not bothered about losing access to the modem (it has no console port) because I believe it can be recovered to factory defaults if it doesn't work.

I have no DNS server on my inside network at the moment but I'm sure there's a free one I can download and install.

Eventually, it's possible the PIX could be a VPN endpoint and I take your suggestion about the simplicity of managing the connection using the PIX as a router, though I have an edge router with a VPN module and WIC card installed which means, I believe, that I can eventually dispense with the modem altogether. The PIX I expect to be in the network still, in this scenario, but behind the edge router, which will have a static route to it. Achieving this is well beyond the scope of my knowledge currently so excuse me if I'm full of fluffy ideas that are not articulated very well. I have a lot to learn about this and really appreciate any help and suggestions.

Thanks again

Pat

bmcginn Thu, 05/21/2009 - 13:42

Pat,

No worries at all, glad to see you're getting into it!

Brad
