PIX501 and UK ADSL Modem

alan.morris
Level 1

Is it possible to interface a PIX 501 directly to a UK ADSL modem? If so, is there a configuration example available? Is there a PIX software release pre-req?

Accepted Solutions

Hi Alan,

What you are trying to achieve can be done. If you have an IP assigned by your ISP for the ADSL modem interface (that's if your ADSL modem can be assigned an IP address; if not, then the router solution is the way to go), then what you need to do is configure the PIX with PAT (Port Address Translation). This way all your inside addresses will translate to 1 public IP address (ISP ADSL modem IP address). I presume your setup would be something like this:

LAN--PIX501--ADSL(MODEM)--ISP

Here's an example. In this example the PIX is directly attached to the ISP, and the ISP has assigned a single public IP address to the PIX, which MUST be used on the outside interface.

The following is the configuration that will allow the PIX to use the single IP address on its outside interface while also using the address to perform PAT for the devices on the inside network.

LAN(192.168.3.0/24)—INSIDE_ROUTER(192.168.2.2/24)—PIX(inside_e1 192.168.2.1/24)—PIX(outside_e0 199.199.199.2/30)---INTERNET

pix(config)# ip address outside 199.199.199.2 255.255.255.252

pix(config)# ip address inside 192.168.2.1 255.255.255.0

!

pix(config)# route outside 0.0.0.0 0.0.0.0 199.199.199.1 1

pix(config)# route inside 192.168.3.0 255.255.255.0 192.168.2.2 1

!

pix(config)# global (outside) 1 interface

pix(config)# nat (inside) 1 0 0

On the above, the nat command specifies that all internal addresses use the address pool configured in the global command for pool 1. The corresponding global command, however, doesn’t specify a pool of addresses, but refers to the outside interface. One advantage of this process is that if the ISP is not statically assigning you the public address, but is using DHCP to assign you the address, you don’t need to worry about what address is eventually assigned on the outside interface because the interface parameter causes the PIX to use the currently assigned address, whether it’s statically assigned or dynamically assigned.

Also, when you make any changes (like the above) please remember to do command 'clear xlate' and also command 'write memory'.

You may find the following URL helpful:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/bafwcfg.htm#37288

Hope this helps with your situation, let me know how you get on.

Thanks - Jay

jmia
Level 7

Alan,

The answer to your question is yes, you can configure a PIX 501 with an ADSL modem. Which PIX IOS have you got on the PIX? Do command 'show ver'.

Let me know - Thanks,

Jay

Alan,

Here's a PIX 501 running IOS 6.2(2) config example from my lab; this 501 has a 50-user licence and PDM etc., with an ADSL router connected to the ISP, i.e. LAN_ROUTER - PIX(501) - ADSL - ISP

Hope this helps -

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ******** encrypted

passwd ******** encrypted

hostname pixfirewall

domain-name mydomain.co.uk

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name 10.x.x.x test_lab

name 132.x.x.x mydomain.co.uk

name 10.x.x.x TestPC

access-list inside_access_in permit ip host 10.x.x.x host mydomain.co.uk

access-list inside_access_in deny ip host 10.x.x.x any

access-list inside_access_in permit ip any any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 10.x.x.x 255.255.255.0

ip address inside 10.x.x.x 255.255.255.0

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

pdm location 10.x.x.x 255.255.255.0 inside

pdm location 10.x.x.x 255.255.255.255 inside

pdm location 192.x.x.x 255.255.255.0 inside

pdm location test_lab 255.255.255.255 inside

pdm location mydomain.co.uk 255.255.255.255 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 10.x.x.x 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication telnet console LOCAL

http server enable

http 192.x.x.x 255.255.255.0 inside

http 10.x.x.x 255.255.255.255 inside

http test_lab 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 10.x.x.x 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

username admin password ******** encrypted privilege 15

terminal width 80

: end

Thanks - Jay
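
An added example, not part of the thread: a short Python check that pairs each `nat` ID with the `global` statement of the same ID, as the accepted answer describes, and flags two management settings visible in the lab config above (SNMP community `public`, telnet access). The function names are hypothetical, and pairing is by ID only, ignoring which interface the `global` is bound to.

```python
import re

# Excerpt of the lab config posted above (masked addresses kept as posted).
SAMPLE = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
telnet 10.x.x.x 255.255.255.0 inside
telnet timeout 5
"""
PROMPT = re.compile(r"^\S*\(config\)#\s*")  # "pix(config)# " from a pasted session


def statements(cfg):
    """Return config statements as token lists, skipping prompts, '!' and ': end'."""
    stmts = (PROMPT.sub("", raw.strip()) for raw in cfg.splitlines())
    return [s.split() for s in stmts if s and s[0] not in "!:"]


def nat_bindings(cfg):
    """Map each nat ID to its inside interfaces and the same-ID global target.

    target is "interface" for PAT on the outside interface address, the pool
    text for an address pool, or None when no global statement carries that ID.
    """
    stmts = statements(cfg)
    pools = {t[2]: " ".join(t[3:]) for t in stmts if t[0] == "global" and len(t) >= 4}
    out = {}
    for t in stmts:
        if t[0] == "nat" and len(t) >= 3 and t[2] != "0":  # nat 0 means no translation
            entry = out.setdefault(t[2], {"inside": [], "target": pools.get(t[2])})
            entry["inside"].append(t[1].strip("()"))
    return out


def audit(cfg):
    """List findings: unbound nat IDs, default SNMP community, telnet management."""
    findings = [f"nat id {i} has no matching global statement"
                for i, b in nat_bindings(cfg).items() if b["target"] is None]
    for t in statements(cfg):
        if t[:3] == ["snmp-server", "community", "public"]:
            findings.append("SNMP uses the well-known community string 'public'")
        if t[0] == "telnet" and len(t) == 4:  # "telnet <ip> <mask> <if>"
            findings.append(f"telnet (cleartext) management allowed from {t[1]} {t[2]} on {t[3]}")
    return findings


if __name__ == "__main__":
    print(nat_bindings(SAMPLE))
    print("\n".join(audit(SAMPLE)))
```

A `nat` ID with no same-ID `global` gives the PIX nothing to translate those inside addresses to, so the check reports it alongside the management findings.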

Many thanks for your reply. PIX is running 6.2(2). I have it operating OK behind a DLINK ADSL router which is in turn connected to a DLINK ADSL modem. I would like to eliminate the ADSL router (directly connect the PIX to the ADSL modem) but I cannot seem to get that configuration to work.

I am dynamically assigned an IP address.

I understand that (in the UK) the ADSL router uses PPPoA to negotiate the IP address and in my version of PIX IOS this does not seem to be supported (only static, DHCP and PPPoE).

I may be completely off beam here being a newbie to this ADSL business! So any further responses greatly appreciated.

Jay,

Thanks for this, in fact my modem cannot be assigned an IP address (indeed I do have a fixed IP address). So I assume that this is the problem. I also conclude that a pix/adsl modem configuration would not work in a non static IP address context and that an adsl router is always required in this situation.

Alan

maxgeezer
Level 1

Do you have ADSL or cable?

If you are behind an ADSL router then I suspect you will be using a statically assigned address on the Outside interface - no problems.

I am still having problems using a PIX501 with a Motorola Surfboard and Telewest Blueyonder. I am now into the realms of quirks in the Telewest Blueyonder network but in two weeks of experiencing and reporting problems to Blueyonder Tech Support I haven't received anything back.

Hello Max.. again,

I believe your problem is with Blueyonder, but without seeing your config on the 501 I can't be 100%, so let me have a look at your PIX config and also, if you can, the config (if any) on the Blueyonder router.

Pls remember to change 'real IPs' and passwords, if you don't want to post on the forum then send it to me direct at noc1@vodafone.net

Thanks - Jay