Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
393
Views
0
Helpful
4
Replies

No Internet connection pix501 behind nated dsl

ptr609
Level 1
Level 1

‎05-28-2003 05:48 AM - edited ‎03-09-2019 03:26 AM

I have a pix501 v6.2 and am trying to get an internet connection. The idea is to setup a (lan to lan) 501 to 3005 concenrator. I want to use ezvpn at the 501 but the problem is that I cannot get a internet connection if I actually get the dhcp ip address 192.168.1.2 from the 501. It's fighting with the dsl on dhcp. Somtimes on the client computer I get the address from the pix sometimes I get the address from the dsl (192.168.254.2). If I get the address from the dsl I get the internet but thats no good for vpn'ing. I'm assuming its a nat problem with the pix or an access list problem. The dsl is not static at the public address. Any pointers would be greatly appreciated! I'll be the first to admit I'm not very good at this! I have however established many client vpn connections to the 3005.

here is the pix config as it stands right now.

: Written by enable_15 at 03:49:46.677 UTC Tue May 27 2003

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx encrypted

passwd xxxx encrypted

hostname ourhostname

domain-name ourdomain.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd lease 36000

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

vpnclient vpngroup langroup password xxxxxxx

vpnclient username lanuser password xxxxxx

vpnclient server 63.160.211.3

vpnclient mode network-extension-mode

vpnclient enable

terminal width 80

Cryptochecksum:xxxx

: end

Labels:
0 Helpful
4 Replies 4

sampathsr
Level 1
Level 1

‎05-28-2003 08:11 AM

I have done this before for my previous company. I am not sure how you have connected the various devices. Here is what i did:

computers----->switch----->PIX 501---->DSL modem---->co-ax cable from ISP

1. This way the computers would get DHCP addresses only from the PIX.

2. The caveat is that since the public IP address assigned to the outside interface of the PIX could be changing every time you re-boot the DSL modem (for whatever reasons!), your peer on the other side might have to keep changing the peer IP address.

But for that it works great.

Best regards / Sampath

Srengarajan@att.com

0 Helpful

ptr609
Level 1
Level 1
In response to sampathsr

‎05-28-2003 08:24 AM

Thanks for the response but the issuse is really in getting to the internet from the pix while getting a address from the pix.

computers-pix501-dsl-internet

Right now I'm only trying to connect one computer, later there will be a switch.

cant get from the private to the public on the pix. I know the gateway of the dsl just not the public address.

0 Helpful

sampathsr
Level 1
Level 1
In response to ptr609

‎05-28-2003 10:11 AM

Hi:

Your configuration looks perfectly okay to me.

Please try the following:

1. Connect the PC to the DSL modem directly and browse to ensure that from that point everything is fine.

2. If the above works, reboot the modem and the PC after making all the required connections.

3. When it is booting up, (console in through the 'console' port ) when the command 'ip address outside dhcp setroute' is executing, look for any error.

4. Once it boots up without any error, do a 'show ip address' and ensure that the outside interface has a valid public IP address.

5. Ensure that the PC is able to get a dynamic address and you are able to ping the inside interface of the PIX.

My guess is the rebooting should do the trick!

Best regards / Sampath.

0 Helpful

ptr609
Level 1
Level 1
In response to sampathsr

‎05-28-2003 11:39 AM

I really thank you for your time on this! I have thought about this and now know why its not working or may never work. The dsl is sending the pix a private dhcp address and natting that to its public address. The pix is sending the client its dhcp address and the dsl is not natting that range. So the public address on the DSL is 170.216.16.215 sending a 192.168.254.2 to the pix the pix is sending a 192.168.1.2 to the client and that is not going to work. I think there is no way around this except to accept the fact that without changing the DSL nat this is not going to work. The dsl people say they cant change the nat Hey thanks alot for your help you are right on the money with looking at the outside interface address.

0 Helpful
Customers Also Viewed These Support Documents