PIX_506 FIREWALL

Answered Question
Jan 4th, 2010

Dear Sir,

I am Ms Lim from Fung Keong Rubber Mfy (M) S/B, Klang, Selangor, Malaysia. I have a unit of firewall (PIX 506), and I am using a dynamic IP (PPPoE) for the outside IP. All this while (for the last 4 years) it has run OK. But somewhere in the beginning of Dec 2009 the firewall could not connect to the internet, so what I had to do was bypass the Cisco firewall. I did ask my supplier (i.e. Alphamatic); the engineers say that it may be because Telekom changed the setting, and that is why this firewall cannot be used for a dynamic IP address anymore (meaning I have to apply for a fixed IP line from Telekom Malaysia), which is quite costly.

my question is :

1. Is it true that this firewall cannot be used for a dynamic IP anymore?

2. If it can, how do I configure the setting?

I Hope Cisco personnel will assist me on this issue.

Your helpfulness is highly appreciated.

Hope to hear from you soon.

Thank You

Correct Answer
Kureli Sankar Mon, 01/04/2010 - 17:17

Can't you take the IP address that the PIX506 had prior to breaking and use the same IP address and configure it manually?

You can also enable PPPoE by manually entering the IP address, using the ip address if_name ip_address netmask pppoe command. This command sets the PIX Firewall to use the specified address instead of negotiating with the PPPoE server to assign an address.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/gl.html#wp1026920

-KS

laykian88 Thu, 01/07/2010 - 19:43

Dear Kusankar,

My setting already includes the nameif command, which is shown below. Could you please go through it to check whether the setting needs some modification in order to enable PPPoE (dynamic IP address) for the outside interface?

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_outside permit tcp any interface outside eq 3389
access-list acl_outside permit tcp any interface outside eq 491
access-list acl_in permit tcp host 192.168.1.100 any eq www
access-list acl_in permit tcp host 192.168.1.100 any eq https
access-list acl_in deny tcp any any eq www
access-list acl_in deny tcp any any eq https
access-list acl_in permit ip any any
access-list FKRVPN_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.2.1-192.168.2.50
pdm location 192.168.1.100 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 491 192.168.1.100 491 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup FKRVPN address-pool VPNPOOL
vpngroup FKRVPN split-tunnel FKRVPN_splitTunnelAcl
vpngroup FKRVPN idle-time 1800
vpngroup FKRVPN password ********
telnet 192.168.1.100 255.255.255.255 inside
telnet timeout 5
ssh timeout 5

Correct Answer
vilaxmi Sat, 01/09/2010 - 12:58

Hello,

Along with getting an IP address dynamically, your ISP must be providing your PIX with a default route to go to the internet, as long as the outside interface of your PIX is properly configured to obtain a default route.

Please configure the outside ifc with the keyword "setroute":

ip address x.x.x.x pppoe setroute

Now you can check on the PIX whether it is getting a route or not by doing a show route statement.

Also, we need to check several things, like: how is your PIX going to the internet (using a router or modem)? Is the modem in bridged or routed mode? Is the router doing any kind of NAT?

Also, as a good troubleshooting step, you can disconnect the firewall (at off hours) and try to connect a PC to the outside modem, and check if that gets an IP address. If it does not, then there is something wrong with your ISP.

HTH

Vijaya
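As an added example (not posted by anyone in this thread), here is a small Python check that applies the points raised above to the configuration laykian88 posted: every interface name referenced by "ip address", "access-group" and the management-access lines must match a "nameif" declaration, the outside interface must use "pppoe setroute" as vilaxmi advises, and a well-known SNMP community string is flagged for review. The config excerpt is copied (abridged) from the post as it appeared; run against it, the check reports the "insite" spelling in the second nameif line and the "public" community string.

```python
"""Offline consistency check for a PIX 6.3 running-config (added example)."""
import re

# Excerpt of the configuration posted by laykian88 in this thread (abridged).
POSTED_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 insite security100
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
access-group acl_outside in interface outside
access-group acl_in in interface inside
snmp-server community public
telnet 192.168.1.100 255.255.255.255 inside
"""

def audit_pix_config(text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    # Interface names declared with 'nameif <hw> <name> security<n>'.
    declared = {m.group(1) for ln in lines
                if (m := re.match(r"nameif \S+ (\S+) security\d+$", ln))}
    # Names referenced by 'ip address', 'access-group ... interface' and the
    # management-access lines must all match a declared nameif.
    referenced = set()
    for ln in lines:
        for pat in (r"ip address (\S+) ", r"access-group \S+ in interface (\S+)$",
                    r"(?:telnet|ssh|http) \S+ \S+ (\S+)$"):
            m = re.match(pat, ln)
            if m:
                referenced.add(m.group(1))
    for name in sorted(referenced - declared):
        findings.append(f"interface name '{name}' is referenced but no nameif "
                        f"declares it (declared: {sorted(declared)})")
    # PPPoE on outside needs 'setroute' so the ISP default route is installed.
    outside = [ln for ln in lines if ln.startswith("ip address outside ")]
    if not any("pppoe" in ln for ln in outside):
        findings.append("outside interface does not use PPPoE")
    elif not any("setroute" in ln for ln in outside):
        findings.append("'ip address outside ... pppoe' lacks 'setroute'; "
                        "no default route will be learned")
    # Management hygiene: a well-known SNMP community string is flagged for review.
    if any(re.fullmatch(r"snmp-server community (public|private)", ln) for ln in lines):
        findings.append("SNMP community string is a well-known default; change or disable it")
    return findings

if __name__ == "__main__":
    for finding in audit_pix_config(POSTED_CONFIG):
        print("-", finding)
```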
