Simple SOHO configuration problems

Dec 19th, 2005

I've just purchased a PIX 515 to use at home in order to learn about Cisco firewalls etc. I connect to the internet through a Cable modem that provides a dynamic IP address.


My setup being as follows:


Home Network -> Switch/Hub -> PIX 515 -> Cable Modem -> Internet


I've tried for the last few days to get the setup working but to no avail - I've read many documents and articles but can't seem to see what is wrong.


The configuration I have at present is:


asdm image flash:/asdm-501.bin
asdm location 84.x.x.x.255.255.255 outside
asdm location 84.x.x.x.255.255.255 outside
no asdm history enable
: Saved
:
PIX Version 7.0(1)
names
name 192.168.1.0 ctu
name 192.168.1.150 srv.bauer
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name domain
ftp mode passive
dns retries 2
dns timeout 2
dns domain-lookup inside
dns name-server srv.bauer
access-list acl_out extended permit icmp any any
access-list inside_access_in remark Allow All Traffic Out
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http ctu 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxxx
: end


Any help or guidance would be appreciated.


I've attached a log file from syslog - this was generated when I tried to connect to http://www.microsoft.com with the above configuration.


Thanks


Gary



johnd2310 Mon, 12/19/2005 - 19:58

Hi Gary,


A few issues with your config.

1) Is the cable modem bridging traffic or is it doing NAT.

2) Is cable modem assigning ip addresses to pix outside interface (i.e. is it a dhcp server).

3) The route statement "route outside 0.0.0.0 0.0.0.0 192.168.1.1 1" is not correct. It should be something like "route outside 0.0.0.0 0.0.0.0 ip-of-cable-modem".

4) You do not need access lists to allow inside traffic out. The PIX by default allows traffic from a high security interface to a low security interface. These commands are redundant: access-list inside_access_in remark Allow All Traffic Out, access-list inside_access_in extended permit ip any any, access-group inside_access_in in interface inside. They can be removed.
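The two problems in this reply (a default route whose next hop is the firewall's own inside address, and an inside ACL that only restates the default high-to-low permit) can both be caught by reading the configuration text. The following Python lint is an added example written for this thread; it is not code from the original posts or from Cisco. It works on a constructed excerpt of the posted configuration and on a constructed "corrected" variant that uses the cable modem's LAN address 192.168.100.1 as the next hop, which is an assumption taken from later in the thread rather than something this reply states.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 7.0 configuration posted in the question
# (only the interface, access-list, access-group and route lines matter here).
POSTED_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list acl_out extended permit icmp any any
access-list inside_access_in remark Allow All Traffic Out
access-list inside_access_in extended permit ip any any
access-group acl_out in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
"""

# Constructed: the same excerpt after applying the two suggestions
# (assumed next hop 192.168.100.1 = cable modem LAN side, inside ACL removed).
CORRECTED_CONFIG = (
    POSTED_CONFIG
    .replace("route outside 0.0.0.0 0.0.0.0 192.168.1.1 1",
             "route outside 0.0.0.0 0.0.0.0 192.168.100.1 1")
    .replace("access-list inside_access_in remark Allow All Traffic Out\n", "")
    .replace("access-list inside_access_in extended permit ip any any\n", "")
    .replace("access-group inside_access_in in interface inside\n", "")
)


def parse_interfaces(config):
    """Map each nameif to its security level, static address and subnet."""
    ifaces, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            current = {"security": None, "address": None, "network": None, "dhcp": False}
            continue
        if current is None:
            continue
        if s == "!":
            current = None
        elif s.startswith("nameif "):
            ifaces[s.split()[1]] = current  # same dict object; later lines update it
        elif s.startswith("security-level "):
            current["security"] = int(s.split()[1])
        elif s.startswith("ip address dhcp"):
            current["dhcp"] = True
        elif s.startswith("ip address "):
            _, _, addr, mask = s.split()[:4]
            current["address"] = ipaddress.IPv4Address(addr)
            current["network"] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    return ifaces


def parse_routes(config):
    """Return (interface, destination network, next hop) for each static route."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", line.strip())
        if m:
            ifname, dest, mask, gw = m.groups()
            routes.append((ifname, ipaddress.IPv4Network(f"{dest}/{mask}"),
                           ipaddress.IPv4Address(gw)))
    return routes


def parse_acls(config):
    """Return ({interface: inbound ACL name}, {ACL name: [(action, proto, rest)]})."""
    groups, acls = {}, {}
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"access-group (\S+) in interface (\S+)", s)
        if m:
            groups[m.group(2)] = m.group(1)
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+)\s+(.*)", s)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4).strip()))
    return groups, acls


def lint(config):
    """Return human-readable findings for the two problems discussed in the reply."""
    findings = []
    ifaces = parse_interfaces(config)

    # 1. A route's next hop has to sit on the segment of the interface the route names,
    #    never on another interface's subnet and never on the firewall's own address.
    for ifname, dest, gw in parse_routes(config):
        for other, info in ifaces.items():
            if other == ifname:
                continue
            if info["address"] == gw:
                findings.append(f"route {ifname} {dest}: next hop {gw} is the firewall's own "
                                f"{other} interface address")
            elif info["network"] is not None and gw in info["network"]:
                findings.append(f"route {ifname} {dest}: next hop {gw} lies on the {other} "
                                f"segment, not on {ifname}")

    # 2. An inbound ACL on the highest-security interface consisting only of
    #    'permit ip any any' restates the default high-to-low behaviour.
    levels = [i["security"] for i in ifaces.values() if i["security"] is not None]
    groups, acls = parse_acls(config)
    for ifname, acl in groups.items():
        sec = ifaces.get(ifname, {}).get("security")
        if sec is None or sec != max(levels) or levels.count(sec) != 1:
            continue
        rules = acls.get(acl, [])
        if rules and all(r == ("permit", "ip", "any any") for r in rules):
            findings.append(f"access-group {acl} on {ifname}: redundant, the default already "
                            f"permits {ifname} traffic to lower-security interfaces")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"{label}: {lint(cfg) or ['no findings']}")
```

Run it directly and the posted excerpt yields two findings while the corrected one yields none. The subnet check is deliberately broader than the exact case in the thread: a next hop anywhere inside another interface's subnet is reported, not only the interface's own address, since in either case the PIX would try to reach the gateway through the wrong interface.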



gary.boon Tue, 12/20/2005 - 00:21

Hi,


I'm not sure how I determine 1 and 2; could you give some guidance? For point 3, if the ip-of-cable-modem is dynamically assigned by DHCP, will I have to change this every time the IP address is renewed?


Gary

johnd2310 Tue, 12/20/2005 - 00:38

Hi Gary,


ip-of-cable-modem is the IP address of the inside interface of the cable modem. It should be static. If you plug your PC into the cable modem and run ipconfig you should see the IP address assigned to your PC and the IP address of the cable modem. Use the IP address of the cable modem in the route outside statement.

gary.boon Tue, 12/20/2005 - 01:49

Hi,


I did ipconfig /all and it did not seem to return an IP address for the cable modem. The IP address of the PC went to the automatic 169... IP address.


Gary

johnd2310 Tue, 12/20/2005 - 04:50

Hi,

First get your pc connecting to the Internet via the cable modem. You will have to go through the cable modem documentation to do this.

gary.boon Tue, 12/20/2005 - 05:53

Hi,


I can connect to the cable modem through a browser on 192.168.100.1. Under address it gives this IP as the Cable Modem USB IP Address; it also provides an HFC IP Address of 10.226.109.144.


Would I be correct in thinking 192.168.100.1 is the IP of the inside interface?


Gary

gary.boon Tue, 12/20/2005 - 05:56

John,


The information on the cable modem also says that Bridge Forwarding is enabled and the modem is acting as a DHCP server giving IPs in the range 192.168.100.11 through 192.168.100.42.


Thanks


Gary

johnd2310 Tue, 12/20/2005 - 12:05

Hi Gary,


On the PIX remove the command "route outside 0.0.0.0 0.0.0.0 192.168.1.1"

and add the command "route outside 0.0.0.0 0.0.0.0 192.168.100.1".

Run the "show interface" command on the pix. Do you see an ip address on interface ethernet0?

gary.boon Wed, 12/21/2005 - 13:47

John,


Many thanks for all your help - I got the setup working. Had to reboot the cable modem in order for the pix to obtain the IP address but after it did everything worked straight away.


Thanks again


Gary
