Community Member

Configuring a Firewall as I am switching ISPs

Router is 2700 series going into a PIX 515R.

I have taken the time to construct a PIX config that will allow me to switch over to the Choice One DSL service. The IPs I was issued are as follows:

216.153.239.1 = gateway
216.153.239.31
216.153.239.32
216.153.239.33
216.153.239.80
216.153.239.83
216.153.239.198 = original assigned before additional IP addresses were added

DSL config is the newest version for DSL, of course.

Subnet is 255.255.255.0

FIRST ATTEMPT AT LOADING THE CONFIG:

I tried to give my config a shot this weekend and did not succeed. I thought I had everything ready to go, but there is a mistake somewhere in my configuration. I just went ahead and reverted back to the cable connection and we are back up and running. I changed the subnet mask on the DSL config for the IP outside route to 255.255.255.0 according to my DSL documentation, but that was not it. I may have everything mapped incorrectly, from old to new. I am not sure.

Old Config (working) - Cable connection:

evansville-pix#
evansville-pix# config t
evansville-pix(config)# interface ethernet0 auto
evansville-pix(config)# interface ethernet1 auto
evansville-pix(config)# ip address outside 63.92.152.18 255.255.255.248
evansville-pix(config)# ip address inside 172.22.2.253 255.255.255.0
evansville-pix(config)#
<reboot>
evansville-pix# page line 0
evansville-pix# wr t
Building configuration...
: Saved
:
PIX Version 5.0(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xcom
passwd
hostname evansville-pix
fixup protocol ftp 21
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
no fixup protocol http 80
names
no pager
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 63.92.152.18 255.255.255.248
ip address inside 172.22.2.253 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover link outside
arp timeout 14400
global (outside) 1 63.92.152.19
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 63.92.152.20 172.22.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 63.92.152.21 172.22.2.254 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 63.92.152.20 eq smtp any
conduit permit tcp host 63.92.152.20 eq www any
conduit permit tcp host 63.92.152.20 eq pop3 any
conduit permit tcp host 63.92.152.21 eq telnet any
conduit permit udp host 63.92.152.21 eq ntp host 128.252.135.4
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 63.92.152.17 1
route inside 0.0.0.0 0.0.0.0 172.22.2.254 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 172.22.1.0 255.255.255.0 inside
telnet 172.22.2.0 255.255.255.0 inside
telnet timeout 5
terminal width 80
Cryptochecksum:190bee5bb4c19496fcfee2a412cc039a
: end
[OK]

New Config (not working) - DSL:

evansville-pix#
evansville-pix# config t
evansville-pix(config)# interface ethernet0 auto
evansville-pix(config)# interface ethernet1 auto
evansville-pix(config)# ip address outside 216.153.239.31 255.255.255.248
evansville-pix(config)# ip address inside 172.22.2.253 255.255.255.0
evansville-pix(config)#
<reboot>
evansville-pix# page line 0
evansville-pix# wr t
Building configuration...
: Saved
:
PIX Version 5.0(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xcom
passwd
hostname evansville-pix
fixup protocol ftp 21
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
no fixup protocol http 80
names
no pager
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 216.153.239.31 255.255.255.248
ip address inside 172.22.2.253 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover link outside
arp timeout 14400
global (outside) 1 216.153.239.32
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.153.239.80 172.22.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 216.153.239.83 172.22.2.254 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 216.153.239.80 eq smtp any
conduit permit tcp host 216.153.239.80 eq www any
conduit permit tcp host 216.153.239.80 eq pop3 any
conduit permit tcp host 216.153.239.83 eq telnet any
conduit permit udp host 216.153.239.83 eq ntp host 128.252.135.4
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 216.153.239.1 1
route inside 0.0.0.0 0.0.0.0 172.22.2.254 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 172.22.1.0 255.255.255.0 inside
telnet 172.22.2.0 255.255.255.0 inside
telnet timeout 5
terminal width 80
Cryptochecksum:190bee5bb4c19496fcfee2a412cc039a
: end
[OK]

1 REPLY
Community Member

Re: Configuring a Firewall as I am switching ISPs

Jason,

I haven't done an in-depth analysis of your configuration, but I noticed that your mask for 216.153.239.31 was set to 29 bits instead of 24 bits. This causes the PIX not to perform proxy ARP for your static translations. Modify your mask and try it again. Let me know if this solved your problem.

Succes.

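The reply's observation can be checked mechanically before a cut-over: every public address the PIX has to answer ARP for (global pool, static translations) and the next hop of its default route must sit inside the subnet configured on the outside interface, otherwise the PIX neither proxy-ARPs for the statics nor has a reachable gateway. The script below is an added example and is not code from the thread or from Cisco; it uses only the Python standard library and the outside-facing lines of the two configurations posted above, embedded as constructed strings. It parses the `ip address`, `global`, `static` and `route` lines, computes the connected subnet, and lists which addresses fall outside it, then applies the mask change the reply suggests and re-runs the check.

```python
import ipaddress
import re

# Constructed excerpts: only the outside-facing lines from the two PIX 5.0(2)
# configurations posted in the thread (old = cable, new = DSL).
OLD_CONFIG = """\
ip address outside 63.92.152.18 255.255.255.248
global (outside) 1 63.92.152.19
static (inside,outside) 63.92.152.20 172.22.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 63.92.152.21 172.22.2.254 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 63.92.152.17 1
"""

NEW_CONFIG = """\
ip address outside 216.153.239.31 255.255.255.248
global (outside) 1 216.153.239.32
static (inside,outside) 216.153.239.80 172.22.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 216.153.239.83 172.22.2.254 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 216.153.239.1 1
"""

# Minimal patterns for the four PIX statements this check cares about.
IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) \d+ (\S+)")
STATIC_RE = re.compile(r"^static \(\S+,(\S+)\) (\S+) ")
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def parse_outside(config, ifname="outside"):
    """Return (connected network, {label: address}) for one interface.

    The addresses collected are the ones the PIX must either proxy-ARP for
    (global pool, statics) or reach directly (default gateway).
    """
    network = None
    addrs = {}
    for line in config.splitlines():
        line = line.strip()
        m = IFACE_RE.match(line)
        if m and m.group(1) == ifname:
            # ipaddress accepts a dotted mask after the slash.
            network = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}").network
            continue
        m = GLOBAL_RE.match(line)
        if m and m.group(1) == ifname:
            addrs[f"global {m.group(2)}"] = m.group(2)
            continue
        m = STATIC_RE.match(line)
        if m and m.group(1) == ifname:
            addrs[f"static {m.group(2)}"] = m.group(2)
            continue
        m = ROUTE_RE.match(line)
        if m and m.group(1) == ifname:
            addrs[f"default gateway {m.group(2)}"] = m.group(2)
    if network is None:
        raise ValueError(f"no 'ip address {ifname}' line found")
    return network, addrs


def off_subnet(config, ifname="outside"):
    """Sorted labels of addresses that are NOT in the interface's connected subnet."""
    network, addrs = parse_outside(config, ifname)
    return sorted(label for label, a in addrs.items()
                  if ipaddress.ip_address(a) not in network)


def fix_mask(config, mask, ifname="outside"):
    """Rewrite the interface mask (the change the reply suggests: /29 -> /24)."""
    out = []
    for line in config.splitlines():
        m = IFACE_RE.match(line.strip())
        if m and m.group(1) == ifname:
            line = f"ip address {ifname} {m.group(2)} {mask}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    cases = (("old (cable)", OLD_CONFIG),
             ("new (DSL, as posted)", NEW_CONFIG),
             ("new (DSL, mask 255.255.255.0)", fix_mask(NEW_CONFIG, "255.255.255.0")))
    for name, cfg in cases:
        net, _ = parse_outside(cfg)
        print(f"{name}: outside subnet {net}; off-subnet: {off_subnet(cfg) or 'none'}")
```

With the /29 mask the posted DSL config puts the outside interface in 216.153.239.24/29, so the global address .32, both statics (.80, .83) and even the default gateway .1 are flagged as off-subnet; the old cable config passes because 63.92.152.16/29 contains .17, .19, .20 and .21. Once the mask is 255.255.255.0 the check comes back clean, which is the condition the reply describes.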