Solved: PIX 501 and dynamic IP

Sil3ncer1986 · ‎11-12-2010

Hey guys, I'm configuring a PIX 501 for my office. The firewall will be connected to my router. Anyway, my company has no static IPs. All our outgoing traffic are assigned IPs by our ISP. So, can someone take a look at my below config and see if it'll work? Thanks in advance. The default gateway is 192.168.3.254 and our internal hosts are assigned IP by our DHCP server at 192.168.3.200.

ip address outside 0.0.0.0 255.255.255.255
ip address inside 192.168.3.1 255.255.255.0

nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 192.168.3.254

I'm using IOS 6.1(4).

Magnus Mortensen · ‎11-12-2010

Hilmay, You cannot have the same subnet on both sides. You will have to change the ip of the router or the hosts. Set th e inside ip of the pix to be 3.254 and then change the router to be 192.168.4.254 and the outside of the pix to 192.168.4.1. Set thebdefault route of the pix to be the router. - magnus

Posted from my mobile device.

View solution in original post

Magnus Mortensen · ‎11-12-2010

Hilmy, You cannot hairpin traffic of 6.x pix. I'm not sure what your trying to do with the pix... Shouldn't the router be connected to the Outside interface? Do you have a topology diagram? -Magnus

Posted from my mobile device.

Sil3ncer1986 · ‎11-12-2010

Hi Magnus, yes, the router is connected to the firewall's outside interface (e0) and the firewall's inside interface (e1) is connected to the switch. I just changed the PIX outside interface to 192.168.3.253/24 and the inside interface to 0.0.0.0 255.255.255.255. My inside hosts are in the 192.168.3.0/24 network. Currently, I have no internet if I put in the firewall but if I connect the router directly to the switch, there is internet. I've attached a network diagram.

ip address outside 192.168.3.253 255.255.255.0
ip address inside 0.0.0.0 255.255.255.255

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.3.254

Magnus Mortensen · ‎11-12-2010

Hilmay, You cannot have the same subnet on both sides. You will have to change the ip of the router or the hosts. Set th e inside ip of the pix to be 3.254 and then change the router to be 192.168.4.254 and the outside of the pix to 192.168.4.1. Set thebdefault route of the pix to be the router. - magnus

Posted from my mobile device.

Kureli Sankar · ‎11-13-2010

Here is what Magnus is asking you to do. Since the inside dhcp and other hosts are already configured you should change the pix's outside interface ip and the router's ip address.

You should keep inside and outside on completely diff. subnet.

topology:

inside hosts--192.168.3.x---(192.168.3.253/inside)--PIX--(outside/192.168.4.253)---(192.168.4.254)router----internet

On the pix make the following changes:

ip address outside 192.168.4.253 255.255.255.0
ip address inside 192.168.3.253 255.255.255.0

route outside 0 0 192.168.4.254

On the router change the following under the interface section:

ip address 192.168.4.254 255.255.255.0

-KS

Sil3ncer1986 · ‎11-13-2010

Yeah, I understood what Magnus meant. Thanks Magnus and Sankar. Will do the neccessary changes once I'm in office on Monday coz I don't have the password for the router. It's not a Cisco router so I can't recover the password. If it was, I could have. I'll get the password from my boss on Monday. Once again, thanks guys!