Re: Trying to install PIX 515 between my iternet router and my n

stevephamilton · ‎02-04-2003

I am trying to install a pix 515 firewall between my dsl router (used for internet access only) and my network. My network has a public address as you can see. Sprint told me to assign 192.168.1.1 to the 642R router and 192.168.1.2 to the outside of the pix.

With the router configured with one of my public ip adresses and assign that address as the gateway to the workstations (without the pix installed) I can access the internet. When I install the pix and configure as follows, I cannot access the internet from any of my workstations. Could someone please take a look at the following PIX 515 config and the ZyXel-Prestige 642R (sprint) router config and tell me what I am doing wrong.

Thanks, Steve.

gateway on the workstations =128.23.176.142

My ZyXel-Prestige 642R router config is:

Route IP=yes

Bridge=no

DHCP Setup=none

TCP\IP setup

ip address=192.168.1.1

subnet mask=255.255.255.0

rip direction=none

multicast=none

IP policies= (blank)

edit ip policies=no

Bridge Setup

handle IPX=none

Internet Access Setup

ISP's name=ELAN

Encapsulation=PPPoE

Multiplexing=LLC-based

VPI # = 8

VCI # = 35

Single user account= yes

IP address asignment=dynamic

ip address= n\a

ENET ENCAP Gateway= n\a

My configuration for the pix 515 is:

nameif eO outside security0

nameif e1 inside security100

interface e0 auto

interface e1 auto

ip address outside 192.168.1.2 255.255.255.0

ip address inside 128.23.176.142 255.255.255.0

hostname Internetfirewall

arp timeout 14400

no failover

names

pager lines 24

logging buffered debugging

nat (inside) 1 128.23.176.0 255.255.255.0

global 1 192.168.1.3

rip inside default

no rip inside passive

no rip outside default

no rip outside passive

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00

timeout rpc 0:10:00 h323 0:05:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server community public

mtu outside 1500

mtu inside 1500

wolfrikk · ‎02-04-2003

It looks okay for internet access. Did you restart the sprint router when you added the PIX? I have run into an issue in the past when adding a PIX with an ISP Router that was already running. I had to reboot the IPS Router, then the PIX started working. I don't know why it did it, because I have added PIX's before without rebooting the other Router and have them work. I have notice I always have to Reboot the COX Routers when I add a PIX.

stevephamilton · ‎02-04-2003

Hey thanks, but no luck. I tried rebooting after I read your reply but nothing. I get a dynamic ip from sprint, is that anyway contributing to this problem. I can't believe this is this difficult. What about bridging the router and useing PPPoE to send username and password out to bet assigned. Does thismake sense foe pix ver 6.1 (4)?

Any help?

pdentico · ‎02-05-2003

I would guess that the DSL router is not setup for NAT. In that case you have 2 options.

1-Setup the pix to do your NAT and use the public addressing on the outside of the pix.

2-Setup the pix to not do NAT by using the "nat 0 128.23.176.0" command. But then you have to tell the DSL router how to route to that network. You might have to enable rip on the Zyxel router for inside and set up rip on the outside for the Pix.

Personally I would go with option 1. Unless you have a reason for public addressing on your internal network.

gordons · ‎02-06-2003

Can you ping internet hosts from the DSL router?

We use an Efficient Networks Speedstream DSL router, and I had to turn ALL filtering off to get it to work properly.

We use a PIX 520 behind it for all internal user traffic to route through.

Once I could ping from the router, and from the PIX behind the router, all I did was set the default gateway of the users to the inside address of the PIX (with NAT running), and everything works happily.

Trying to install PIX 515 between my iternet router and my network...Help!