I have recently tried to place a 501 at one of our remote offices and have an issue. The supplier is Sprint DSL and they have a router that's acting as a modem bridge, which allows external IPs to run through it and attach to devices past the DSL router.
Currently I have a 501 attached directly to the 645r series Sprint DSL router. The IP that Sprint has supplied to me is not picking up on the 501 though and I am confused why. I can assign that IP to a computer directly connected to the 645r, but the 501 doesn't seem to pick it up.
The only difference I can think of between a computer and the 501 is the lack of a specified gateway on the 501?
Here's my config: (obvious lines of no concern to the issue are eliminated)
PIX Version 6.2(2)
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 host x.x.71.7
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any
access-list acl_inbound permit ip host x.x.71.7 any
ip address outside x.x.81.11 255.255.255.128 (the subnet supplied by Sprint)
ip address inside 192.168.52.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.52.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 9 ipsec-isakmp
crypto map vpn1 9 match address inside_nat0_outbound
crypto map vpn1 9 set pfs group2
crypto map vpn1 9 set peer x.x.71.7
crypto map vpn1 9 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.50.0 255.255.255.0 outside
telnet x.x.71.7 255.255.255.255 outside
telnet 192.168.52.0 255.255.255.0 inside
I am also planning on getting a VPN running between this and another PIX, hence the crypto and isakmp entries.
I cannot ping any external IPs (save x.x.81.11 itself, which is just the interface itself) from within the firewall. My other two PIXs that are running are doing PPPoE authentication for their connection, so this would be my first static IP entry for an outside interface. How does the firewall know where its gateway is? Could that potentially be the problem?
Any ideas on why the 501 here won't pick up the connection to the router would be appreciated, thanks.
Thanks for your help in advance.
You add a default route with the command
route outside 0.0.0.0 0.0.0.0 x.x.x.x
where x.x.x.x would be the ip address of your dsl router.
Try adding 'permit icmp 192.168.52.0 255.255.255.0 any' to your acl_outbound access-list to cure the ping problem, and it's a long shot, but maybe reboot your DSL router in case it has a long timeout on its ARP cache and still thinks that IP address pertains to the MAC address of the computer you tested it with.
Another way would be to permit icmp any any on the acl_inbound access-list, and get someone to try and ping your external interface.
Hope that helps
route outside 0.0.0.0 0.0.0.0 x.x.x.x, it being the DSL router's IP, the problem there is the DSL router doesn't have an IP, it's acting as a modem bridge so the IP can dump directly across to the outside interface. With that in mind, would I make that x.x.x.x number the gateway that Sprint supplied to me? Being x.x.81.1, whereas the IP that Sprint is giving me to assign to my outside interface is x.x.81.11.
The pinging is taken care of with icmp statements I left out of the config above, but the reason I can't ping so far is just because I'm getting no communication across that outside interface due to the lack of route, so if assigning the gateway as the route should do it then I am assuming that should be all I need? (What stinks is that it's a remote office so I have to drive a ways to go try this, ugh, hence why I'm just getting final confirmation here before doing so :) ha)
Thanks for your input,
Ah I see, so it's invisible, so to speak... Yep, use the default gateway address you got from Sprint. Hope that does the trick!
Also I was just thinking that your isakmp key statement contains your outside interface ip address - should it be the address as in the 'set peer' crypto statement?
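The two configuration points raised in this reply (a missing default route toward the ISP gateway, and an isakmp key bound to the firewall's own outside address rather than the crypto map peer) are the kind of thing worth checking mechanically before a long drive to a remote office. The following is an added example, not part of the thread and not Cisco's tooling: a small PIX 6.x config linter in Python. The sample configs it checks are constructed to resemble the posted one, with documentation-space stand-ins (198.51.100.0/25 for the ISP block, 203.0.113.7 for the VPN peer) in place of the x.x.81.x and x.x.71.7 values in the post; the finding names are this example's own. It also flags a bare `permit icmp any any` on the inbound ACL, since an `echo-reply`-only entry is enough for outbound ping tests.

```python
import ipaddress
import re

# Constructed "before" config modelled on the posted one: no default route,
# isakmp key tied to the outside interface address, broad inbound ICMP.
BEFORE = """\
ip address outside 198.51.100.11 255.255.255.128
ip address inside 192.168.52.1 255.255.255.0
access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any
access-list acl_inbound permit ip host 203.0.113.7 any
access-list acl_inbound permit icmp any any
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
crypto map vpn1 9 set peer 203.0.113.7
isakmp key ******** address 198.51.100.11 netmask 255.255.255.255
"""

# Constructed "after" config: default route to the ISP gateway on the outside
# subnet, key bound to the VPN peer, inbound ICMP narrowed to echo-reply.
AFTER = """\
ip address outside 198.51.100.11 255.255.255.128
ip address inside 192.168.52.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1
access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any
access-list acl_outbound permit icmp 192.168.52.0 255.255.255.0 any
access-list acl_inbound permit ip host 203.0.113.7 any
access-list acl_inbound permit icmp any any echo-reply
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
crypto map vpn1 9 set peer 203.0.113.7
isakmp key ******** address 203.0.113.7 netmask 255.255.255.255
"""


def parse_config(text):
    """Extract only the PIX 6.x statements the checks below rely on."""
    cfg = {"interfaces": {}, "routes": [], "acls": {},
           "access_groups": {}, "peers": set(), "key_addrs": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            # ipaddress accepts "addr/dotted-mask" directly
            cfg["interfaces"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((m[1], m[2], m[3], m[4]))  # iface, dst, mask, gw
        elif m := re.match(r"access-list (\S+) (.+)$", line):
            cfg["acls"].setdefault(m[1], []).append(m[2])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["access_groups"][m[2]] = m[1]  # interface -> ACL name
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            cfg["peers"].add(m[1])
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            cfg["key_addrs"].add(m[1])
    return cfg


def lint(cfg):
    """Return a sorted list of finding codes (empty list means clean)."""
    findings = []
    outside = cfg["interfaces"].get("outside")

    # 1. A static-IP outside interface needs a default route, and the gateway
    #    must sit inside the outside interface's subnet to be ARP-reachable.
    defaults = [r for r in cfg["routes"] if r[1] == "0.0.0.0" and r[2] == "0.0.0.0"]
    if not defaults:
        findings.append("NO_DEFAULT_ROUTE")
    for iface, _, _, gw in defaults:
        ifc = cfg["interfaces"].get(iface)
        if ifc and ipaddress.ip_address(gw) not in ifc.network:
            findings.append(f"GATEWAY_OFF_SUBNET:{gw}")

    # 2. Pre-shared keys are bound to the remote peer, never to our own address.
    for addr in cfg["key_addrs"]:
        if addr not in cfg["peers"]:
            findings.append(f"ISAKMP_KEY_NOT_A_PEER:{addr}")
        if outside and ipaddress.ip_address(addr) == outside.ip:
            findings.append(f"ISAKMP_KEY_IS_OWN_ADDRESS:{addr}")
    for peer in cfg["peers"]:
        if peer not in cfg["key_addrs"]:
            findings.append(f"PEER_WITHOUT_ISAKMP_KEY:{peer}")

    # 3. Inbound ICMP on the outside interface should be limited to reply types.
    inbound_acl = cfg["access_groups"].get("outside")
    for entry in cfg["acls"].get(inbound_acl, []):
        if entry == "permit icmp any any":
            findings.append("BROAD_ICMP_INBOUND")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(parse_config(text)) or "clean")
```

Running the script prints the five findings for the "before" config and `clean` for the "after" one; feeding it a `route outside 0.0.0.0 0.0.0.0` line whose gateway is outside the /25 produces `GATEWAY_OFF_SUBNET`, which is the mistake the bridged-modem setup in this thread makes easy (the DSL router itself has no address to route to, so only the ISP-supplied gateway will do).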
Good point on the isakmp key, I didn't notice that.
Ok, original problem, that 501 now has a route statement pointing to the ISP's gateway over the outside interface.
route outside 0.0.0.0 0.0.0.0 x.x.81.1
I tried to ping outside from within the CLI and still get NO response received.
The setup is like this
DSL-router(setup as a dumb bridge to allow static IP's to go across)
PIX 501e (ip address outside set to the IP designated by the ISP)
The config is now as shown:
ip address outside x.x.81.11
route outside 0.0.0.0 0.0.0.0 x.x.81.1
(I also removed that isakmp key line just in case it was causing any problems.)
So that's where I'm at, confused as to what I'm doing wrong to cause a simple static IP assignment to not pick up on the outside interface.
Thanks for your help in advance,
Bizarre. I assume if you do a show int that e0 is up and up? I know that you proved that the IP address is fine by connecting a pc to the DSL whilst configured with the 81.11 address, but did you try connecting e0 directly to the laptop configured with (for instance) the 81.1 address (i.e. the gateway) to prove that e0 isn't busted?
No, that's the problem, e0 is up and down.
I have not tried to attach anything else to e0 other than the DSL router. I would be surprised if the e0 was busted, it is a brand new 501e. Regardless, I will have to take a trip to go try that, the person on site there would be unable to attempt that sort of a test (they don't have administrative passwords to change the computer's IP).
Is there anything else that would keep the line protocol down other than physical means, with the existing config?
Thanks again for your time,
Is the sh int showing any input errors or anything?
I think if your line protocol is down you need to be checking the physical attributes - if you're directly connecting to the router check your patch lead is ok, check that you don't need a crossover cable rather than a normal patch lead, check speed and duplex match on both ends or maybe introduce a mini hub between the PIX and router, try patching e0 into a PC, etc. etc. depending on your setup. I can't think of any reason why your config would snooker you from what you have posted, but it's always worth 10 mins going back to a fresh start and just configuring the basics - IPs, global, nat and default route, and then open up the interfaces - if from there it won't even ping a PC connected to e0 it could be a hardware fault.
Ok, I tried the PC acting as the gateway, and from the CLI I was able to ping through the outside interface to the PC's IP which I had set as x.x.81.1
So that means the e0 is physically working.
Now something you said piqued my interest. Connection speed. The PC when connected to the Sprint DSL router connects at 100, but the 501e of course can only connect at 10 over the e0. I would have assumed it would autodetect ok, but since we can't assume anything now...
The only other thing I haven't done is reset it to defaults and start over. I know there's a command to do that, but am not sure what it is. Do you know?
Thanks again for your help and your patience.
This problem has definitely got me mentally over a barrel.
The crossover cable did the trick. I wasn't able to get one out there till earlier today, and even though some of my config isn't the way I need it, I can at least see line protocol up and ping from the CLI to the internet. I'm surprised that I did not need one for my last 501 setup, but it was authenticating via PPPoE, so maybe there's a difference I'm not understanding here.
Thanks for your suggestions Kevin, they were helpful.