Help configuring a DSL connection via PIX Firewall 515E

Unanswered Question
Jul 3rd, 2010

Can someone guide me on this? I'm fairly new at this. I need to configure a Cisco PIX 515E firewall to connect out to the internet via DSL: basic NAT and DHCP, basic routing. Here is my configuration. Please help me understand how to configure this properly.


PIX Version 8.0(2)
!
hostname voyze
domain-name voyze.com
enable password mW6ETJKBd.1a9jjj encrypted
names
!
interface Ethernet0
 nameif AT&T
 security-level 0
 ip address 74.164.6.10 255.255.255.248
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name voyze.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq ftp
 service-object udp eq tftp
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq ftp
 service-object udp eq tftp
access-list inside_access_in extended permit tcp any 68.164.6.8 255.255.255.248 object-group DM_INLINE_TCP_1
access-list AT&T_access_in extended permit tcp any any object-group DM_INLINE_TCP_3
access-list AT&T_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in_1 extended permit tcp any any object-group DM_INLINE_TCP_2
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any any
access-list inside_nat0_outbound extended permit ip 74.164.6.8 255.255.255.248 any
pager lines 24
logging enable
logging asdm informational
mtu AT&T 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (AT&T) 101 192.168.1.1-192.168.1.200 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 74.164.6.8 255.255.255.248
access-group AT&T_access_in in interface AT&T per-user-override
access-group inside_access_in_1 in interface inside per-user-override
route AT&T 0.0.0.0 0.0.0.0 74.164.6.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 68.94.157.1 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:51ef296083714caa6c753b0867bcf405
: end

Marcin Latosiewicz Sat, 07/03/2010 - 11:23

Alex,


Here's the configuration guide:

https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/conf_gd.html


It's for ASA, but most of the configuration is the same for PIX 8.0.


Note that PIXes and ASAs have only Ethernet (RJ-45 or SFP) connectors. Typically your DSL SP will provide you an RJ-11. You can, however, do PPPoE on an ASA/PIX.


Let me know what you want to do exactly so I may be a bit more specific. Most of the stuff is there in the config guide.


Marcin

mambito20 Sat, 07/03/2010 - 12:15

Thanks for replying.


This is what I need the PIX to do.

1. Configure the PIX so that it will connect to the internet.

2. AT&T is my DSL provider.

3. The PIX is configured, but it is not going out to the internet.


Please take a look at my config and tell me what's missing. This should be a straightforward connection, but it is not working.


Thanks.

Marcin Latosiewicz Sat, 07/03/2010 - 14:40

Alex,


Are you able to ping anything on the internet from the PIX?

(Note: you might need to add "icmp perm any outside" to config)



Note that your NAT seems screwed up. I'll add an edit soon with suggestions.


edit:

no access-list inside_nat0_outbound extended permit ip 74.164.6.8 255.255.255.248 any
no global (AT&T) 101 192.168.1.1-192.168.1.200 netmask 255.255.255.0
no nat (inside) 0 access-list inside_nat0_outbound
no nat (inside) 101 74.164.6.8 255.255.255.248

nat (inside) 1 0 0

global (AT&T) 1 interface


This should make sure that all traffic from inside is PATed to the outside interface's IP address.


edit 2:

If you want to test ICMP from inside to the internet, add "fixup proto icmp".
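The ICMP pieces and the connectivity tests this reply refers to, written out in PIX 8.0 syntax as an added example; this is not part of the thread's replies. It assumes the interface names from Alex's first config (AT&T and inside), the next hop 74.164.6.9 and the AT&T resolver 68.94.157.1 from that config, and 192.168.1.100 as an arbitrary inside host. The `icmp` rules are narrowed to the reply types a ping or traceroute from the box needs rather than `permit any`, and `inspect icmp` is what the pre-7.0 `fixup protocol icmp` became under the modular policy framework.

```cisco
! ICMP terminating on the PIX's WAN interface (named AT&T in the config above).
! Once any icmp rule exists on an interface, everything not listed is dropped,
! so list only what a ping or traceroute launched from the PIX needs.
icmp permit any echo-reply AT&T
icmp permit any unreachable AT&T
icmp permit any time-exceeded AT&T
icmp deny any AT&T
!
! Stateful ICMP for hosts behind the PIX: echo replies (and related ICMP
! errors) are matched back to the inside host's request and translated.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Tests run from the PIX CLI, in order: the directly connected next hop first,
! then something beyond it (the resolver may not answer ping; any public host
! will do), then a simulated flow from an assumed inside host 192.168.1.100
! to see which ACL, NAT or route step drops it.
ping AT&T 74.164.6.9
ping AT&T 68.94.157.1
packet-tracer input inside udp 192.168.1.100 1025 68.94.157.1 53
packet-tracer input inside tcp 192.168.1.100 1025 68.94.157.1 80
show xlate
show route
```

`packet-tracer` reports the phase (ROUTE-LOOKUP, ACCESS-LIST, NAT) at which the simulated packet is dropped, which is quicker than guessing; `show xlate` only fills up once real inside traffic has been translated.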

mambito20 Wed, 07/07/2010 - 13:23

I'm still running into problems. Below is my config; can you tell me what to change to connect to the internet?



: Saved
: Written by enable_15 at 21:13:54.534 UTC Wed Jul 7 2010
!
PIX Version 8.0(2)
!
hostname pixfirewall
enable password mW6ETJKBd.1a9jjj encrypted
names
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 74.164.6.10 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list inside_access_in extended permit tcp any any eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
route inside 0.0.0.0 255.255.255.0 74.164.6.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tftp-server inside 192.168.1.22 /cisco
prompt hostname context
Cryptochecksum:44e94eadfa2d05328020ce6ec29eb580
Marcin Latosiewicz Wed, 07/07/2010 - 13:32

Alex,


I would definitely change that route:

route inside 0.0.0.0 255.255.255.0 74.164.6.9 1

to

route inside 0.0.0.0 0.0.0.0 74.164.6.9 1


Secondly:

access-list inside_access_in extended permit tcp any any eq www

You should at least also allow DNS, for your users to be able to browse the internet!

But honestly, do not apply an inbound access-list on the inside interface unless you need it.


I don't see any NAT configuration, so your inside users will not be NATed when going out to the internet.


nat (inside) 100 0 0

global (outside) 100 interface


That should take care of NAT.


Once you apply those changes, please apply my suggestions from the posts below (pinging from the PIX itself to test connectivity to the internet, etc.).


Marcin
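The three fixes from this reply put together for the static-address setup, as an added example rather than anything posted in the thread. Addresses are those from Alex's config. The default route is attached here to the Outside interface, since that is where its next hop 74.164.6.9 lives; the inside ACL is kept but made to permit DNS (UDP and TCP 53), web and ping from the LAN only, in place of the `any any eq www` line; and the inside DHCP pool hands out the AT&T resolvers 68.94.156.1 and 68.94.157.1 that appear in Alex's later config. The NAT ID 1 is an arbitrary choice.

```cisco
! WAN interface keeps the static AT&T address
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 74.164.6.10 255.255.255.248
!
! Default route: a 0.0.0.0 mask, on the interface behind which the next hop sits
no route inside 0.0.0.0 255.255.255.0 74.164.6.9 1
route Outside 0.0.0.0 0.0.0.0 74.164.6.9 1
!
! PAT every inside host behind the Outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
!
! Inside ACL: once one is applied, anything it does not permit is dropped,
! so DNS has to be in it alongside web. Sourced from the LAN only.
no access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any echo
access-group inside_access_in in interface inside
! (If outbound filtering is not wanted at all, instead just do:
!  no access-group inside_access_in in interface inside)
!
! LAN DHCP: a pool inside 192.168.1.0/24 that excludes the PIX's own .1,
! with the AT&T resolvers handed to clients
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 68.94.156.1 68.94.157.1
dhcpd enable inside
```

With the ACL sourced from 192.168.1.0/24 rather than `any`, a host that plugs in with a spoofed or foreign source address gets nothing through, which costs nothing on a single-subnet LAN.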

mambito20 Thu, 07/08/2010 - 10:41

Hello Marcin,

I'm still working it out. This time I added PPPoE. Can you please assist, or do you think you can help me offline with this?

Please, from the kindness of your heart.


This is the config I have after adding PPPoE. What do you think?

Also keep in mind I am using ASDM to configure the box. Thanks.



Result of the command: "show running-config"


: Saved
:
PIX Version 8.0(2)
!
hostname pixfirewall
enable password mW6ETJKBd.1a9jjj encrypted
names
!
interface Ethernet0
nameif Outside
security-level 0
pppoe client vpdn group AT&T
ip address pppoe
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup Outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 68.94.156.1
name-server 68.94.157.1
access-list inside_access_in extended permit tcp any any eq www
pager lines 24
logging asdm informational
mtu Outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 74.164.6.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group AT&T request dialout pppoe
vpdn group AT&T localname [email protected]
vpdn group AT&T ppp authentication pap
vpdn username [email protected] password *********
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tftp-server inside 192.168.1.22 /cisco
prompt hostname context
Cryptochecksum:ccc2eb63ab1f84b377509e0e80768326
: end
Marcin Latosiewicz Thu, 07/08/2010 - 15:39

Alex,


Considering that we're in different timezones it might be a problem; I'm usually checking the forums late at night :-)


A few notes. Provided that your PPPoE is working, I would do this:

-------

interface Ethernet0

ip address pppoe setroute
-----

Now with this in place the ASA should install a default route based on what we negotiate via PPPoE.
So you might as well remove the old route:
-----
no route inside 0.0.0.0 0.0.0.0 74.164.6.9 1
------

An old but quite good guide:
http://cisco.biz/en/US/products/ps6120/products_configuration_example09186a0080ab7ce9.shtml
(Both CLI and ASDM)

Marcin
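What the WAN side looks like once PPPoE replaces the static address, with the `setroute` change described in this reply, as an added example (not from the thread or from Cisco's guide). The vpdn group name AT&T, the interface name Outside and the resolver addresses are taken from Alex's last config; `user@att.net` and `<secret>` stand in for the real PPPoE credentials, which the thread masks; `mtu Outside 1492` allows for the 8 bytes of PPPoE framing and is a common setting, so verify it against the provider's own guidance. The `nat (inside) ... / global (Outside) ... interface` pair from Marcin's earlier reply is unchanged and is not repeated here; with `interface` as the global, PAT uses whatever address PPPoE negotiated.

```cisco
! WAN side as a PPPoE client. "setroute" installs the default route learned
! from the provider, so remove the static default route rather than keep two.
interface Ethernet0
 nameif Outside
 security-level 0
 pppoe client vpdn group AT&T
 ip address pppoe setroute
!
no route inside 0.0.0.0 0.0.0.0 74.164.6.9 1
!
! PPPoE framing takes 8 bytes out of the Ethernet payload (common value;
! check what the provider specifies)
mtu Outside 1492
!
! PPPoE credentials; user@att.net and <secret> are placeholders
vpdn group AT&T request dialout pppoe
vpdn group AT&T localname user@att.net
vpdn group AT&T ppp authentication pap
vpdn username user@att.net password <secret>
!
! Let the PIX itself resolve names out the Outside interface
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
!
! Verification: session state, the negotiated address, the learned default
! route, and a ping from the box out the WAN interface
show vpdn session pppoe state
show ip address Outside pppoe
show route
ping Outside 68.94.156.1
! If the session never comes up: debug pppoe event
```

If `show route` still shows no default route after the session is up, the static route was left in place or `setroute` was omitted; the ASDM interface dialog has a checkbox for it, so check the generated CLI rather than the dialog.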
