12-19-2005 03:46 PM - edited 03-09-2019 01:24 PM
I've just purchased a PIX 515 to use at home in order to learn about Cisco firewalls etc. I connect to the internet through a Cable modem that provides a dynamic IP address.
My setup being as follows:
Home Network -> Switch/Hub -> PIX 515 -> Cable Modem -> Internet
I've tried for the last few days to get the setup working but to no avail - I've read many documents and articles but can't seem to see what is wrong.
My configuration I have at present is:
asdm image flash:/asdm-501.bin
asdm location 84.x.x.x.255.255.255 outside
asdm location 84.x.x.x.255.255.255 outside
no asdm history enable
: Saved
:
PIX Version 7.0(1)
names
name 192.168.1.0 ctu
name 192.168.1.150 srv.bauer
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name domain
ftp mode passive
dns retries 2
dns timeout 2
dns domain-lookup inside
dns name-server srv.bauer
access-list acl_out extended permit icmp any any
access-list inside_access_in remark Allow All Traffic Out
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http ctu 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxxx
: end
Any help or guidance would be appreciated.
I've attached a log file from syslog - this was generated when I tried to connect to http://www.microsoft.com with the above configuration.
Thanks
Gary
12-19-2005 07:58 PM
Hi Gary,
A few issues with your config.
1) Is the cable modem bridging traffic or is it doing NAT?
2) Is the cable modem assigning IP addresses to the PIX outside interface (i.e. is it a DHCP server)?
3) The route statement "route outside 0.0.0.0 0.0.0.0 192.168.1.1 1" is not correct. It should be something like "route outside 0.0.0.0 0.0.0.0 ip-of-cable-modem".
4) You do not need access lists to allow inside traffic out. The PIX by default allows traffic from a high security interface to a low security interface. These commands are redundant: access-list inside_access_in remark Allow All Traffic Out, access-list inside_access_in extended permit ip any any, access-group inside_access_in in interface inside. They can be removed.
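As an added example (not code from the thread or from Cisco), a small Python checker that applies John's points 3 and 4 to a constructed excerpt of Gary's config: it flags a default route whose next hop sits on another interface's subnet (or duplicates `ip address dhcp setroute`), and a `permit ip any any` ACL bound on the highest-security interface, which the PIX permits by default anyway.

```python
import ipaddress
import re
# Constructed excerpt of the config posted in the thread (not the full config).
SAMPLE_CONFIG = """interface Ethernet0
 nameif outside
 ip address dhcp setroute
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
"""

def parse_interfaces(cfg):
    """Map nameif -> {level, setroute, net} from the interface blocks (level defaults to 0)."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        p = line.split()
        if line.startswith("interface "):
            cur = {"level": 0, "setroute": False, "net": None}
        elif not line.startswith(" ") or cur is None:
            cur = None  # "!" or a global command ends the interface block
        elif p[0] == "nameif":
            ifaces[p[1]] = cur
        elif p[0] == "security-level":
            cur["level"] = int(p[1])
        elif p[:2] == ["ip", "address"]:
            if p[2] == "dhcp":
                cur["setroute"] = "setroute" in p  # PIX installs the DHCP-learned default route
            else:
                cur["net"] = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
    return ifaces

def lint(cfg):
    """Report the issues raised in the thread: a bad default-route next hop and a redundant ACL."""
    ifaces, findings = parse_interfaces(cfg), []
    for ifname, hop in re.findall(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M):
        hop = ipaddress.ip_address(hop)
        if ifaces.get(ifname, {}).get("setroute"):
            findings.append(f"static default route via {hop} duplicates 'dhcp setroute' on {ifname}")
        for name, d in ifaces.items():  # next hop must be reachable through the route's interface
            if name != ifname and d["net"] and hop in d["net"]:
                findings.append(f"default route next hop {hop} is on the {name} subnet, not reachable via {ifname}")
    anyacl = set(re.findall(r"^access-list (\S+) extended permit ip any any", cfg, re.M))
    for acl, ifname in re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M):
        if acl in anyacl and ifaces.get(ifname, {}).get("level") == max((d["level"] for d in ifaces.values()), default=-1):
            findings.append(f"access-group {acl} on {ifname} is redundant: high-to-low traffic is allowed by default")
    return findings
```

Running `lint(SAMPLE_CONFIG)` returns three findings; pointing the route at the cable modem's inside address instead clears the subnet finding.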
12-20-2005 12:21 AM
Hi,
I'm not sure how I determine 1 and 2, could you give some guidance? For point 3, if the ip-of-cable-modem is dynamically assigned by DHCP, will I have to change this every time the IP address is renewed?
Gary
12-20-2005 12:38 AM
Hi Gary,
ip-of-cable-modem is the IP address of the inside interface of the cable modem. It should be static. If you plug your PC into the cable modem and run ipconfig you should see the IP address assigned to your PC and the IP address of the cable modem. Use the IP address of the cable modem in the route outside statement.
12-20-2005 01:49 AM
Hi,
I did ipconfig /all and it did not seem to return an IP address for the cable modem. The IP address of the PC went to the automatic 169... IP address.
Gary
12-20-2005 04:50 AM
Hi,
First get your pc connecting to the Internet via the cable modem. You will have to go through the cable modem documentation to do this.
12-20-2005 05:53 AM
Hi,
I can connect to the cable modem through a browser on 192.168.100.1; under address it gives this IP as the Cable Modem USB IP Address. It also provides an HFC IP Address of 10.226.109.144.
Would I be correct in thinking 192.168.100.1 is the IP of the inside interface?
Gary
12-20-2005 05:56 AM
John,
The information on the cable modem also says that Bridge Forwarding is enabled and the modem is acting as a DHCP server giving IPs in the range 192.168.100.11 through 192.168.100.42.
Thanks
Gary
12-20-2005 12:05 PM
Hi Gary,
On the PIX remove the command "route outside 0.0.0.0 0.0.0.0 192.168.1.1"
and add the command "route outside 0.0.0.0 0.0.0.0 192.168.100.1".
Run the "show interface" command on the pix. Do you see an ip address on interface ethernet0?
12-21-2005 01:47 PM
John,
Many thanks for all your help - I got the setup working. Had to reboot the cable modem in order for the pix to obtain the IP address but after it did everything worked straight away.
Thanks again
Gary