
cisco PIX 506e

Status
Not open for further replies.

newkid123

Technical User
Dec 18, 2006
Hello Everyone

I have a small network at home, which consists of a Linksys cable modem, a Linksys wireless router, 2 desktops connected directly to the wireless router and 2 other desktops which are connected through the wireless router. Now I would like to add a Cisco PIX 506e firewall to my network. I am very new to Cisco networking, and I would appreciate it if someone could let me know how to set this PIX back to the original factory default. I do not know any password.

Thanks
newkid123
 
This should work and not be a problem - don't give up yet.
Start back at basics
Just have your modem, pix, switch and a PC - forget the other stuff until later.

modem -> pix -> switch -> PC

Clear the pix config and let's start over from scratch.

ip address outside dhcp setroute
ip address inside 192.168.233.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
dhcpd address 192.168.233.10-192.168.233.254 inside
dhcpd dns 68.87.73.242 68.87.71.226
dhcpd enable inside
fixup protocol icmp error

Now connect the PC to the switch and see if it gets the correct IP info from the pix.

Now do these tests
1. ping PC from pix
2. ping 72.14.207.99 (google.com) from pix
3. ping 72.14.207.99 (google.com) from PC
4. ping google.com (by DNS) from PC
5. web browser google.com from PC



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent

so for phase1 I do not use my linksys wireless router at all, right?



 
nope, leave it off. We'll tackle that later.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 

Brent

is there a fast way of clearing the pix config?
 
Brent

FYI

I just configured pix the way you said and it was total disaster, keyboard and mouse were not working and the PC was not getting IP address from PIX.


 
Brent

here is a copy of config:

pixfirewall# sh config
: Saved
: Written by enable_15 at 20:01:09.519 UTC Tue Jan 30 2007
PIX Version 6.3(4)
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.233.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contac
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.233.10-192.168.233.254 inside
dhcpd dns 68.87.73.242 68.87.71.226
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:62d36b0447889d49371bbd9567edc2d1
pixfirewall# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security
blocks S
hostname pixfirewalllization
fixup protocol dns maximum-length 512ging timestamp5
cap
fixup protocol ftp 21nbound and outbound p
fixup protocol h323 h225 1720esame zarei.com4b3
fixup protocol h323 ras 1718-1719
fixup protocol http 80side 15000d
fixup protocol icmp errorw, destroy, or preserve f
fixup protocol rsh 514
fixup protocol rtsp 554

Type
fixup protocol sip 5060ble23 h225 1720ble co
fixup protocol sip udp 5060
local-host Disp
fixup protocol skinny 2000 network informational (ou
fixup protocol smtp 25dd default route entry
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24ging C
mtu outside 1500es fro
mtu inside 150
global (outside) 1 interface?' for a list of available c
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00 up 18 mins 28 secs
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00Hz0.0.0 0.0.0.0 68.48.48.1 1 OTHER static
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 E28F640J3 @ 0x300, 8MB
ins
timeout uauth 0:05:00 absolute29F400B @ 0xfffd8000, 32KB1 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3, irq 10
Licensed Features: e0
aaa-server RADIUS deadtime 10 Disabled, lin
aaa-server LOCAL protocol local
no snmp-server location

URL-filtering:
no snmp-server contact
snmp-server community publicror
Ins
no snmp-server enable trapsl
floodguard enable
telnet timeout 5
ssh timeout 5
340
console timeout 000600 b
terminal width 80
Cryptochecksum:62d36b0447889d49371bbd9567edc2d1
: end

pixfirewall# sh route
inside 192.168.233.0 255.255.255.0 192.168.233.1 1 CONNECT static

pixfirewall# show int e0
interface ethernet0 "outside" is administratively down, line protocol is down
Hardware is i82559 ethernet, address is 0013.80b7.4510
MTU 1500 bytes, BW 10000 Kbit half duplex
30188 packets input, 1884890 bytes, 0 no buffer
Received 30188 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
pixfirewall# exit

Logoff

Type help or '?' for a list of available commands.
pixfirewall>
 
Your interfaces are shutdown. :)


Brent
Systems Engineer / Consultant
CCNP, CCSP
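
The problems visible in the configs posted above (both interfaces left in `shutdown`, a `nat` id without a complete `global` line, and the default `snmp-server community public`) can be checked mechanically. This is an added example, not part of any post in this thread; the function name `audit_pix_config` and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: a trimmed PIX 6.3 config modelled on the one posted above.
SAMPLE = """\
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
ip address inside 192.168.233.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
dhcpd address 192.168.233.10-192.168.233.254 inside
dhcpd enable inside
"""

def audit_pix_config(text):
    """Return a sorted list of findings for a PIX 6.x style configuration."""
    findings = []
    names = {}   # hardware id -> nameif name, e.g. ethernet0 -> outside
    shut = []    # hardware ids that are administratively down
    nat_ids, global_ids = set(), set()
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"nameif (\S+) (\S+) security\d+$", line):
            names[m.group(1)] = m.group(2)
        elif m := re.match(r"interface (\S+) .*\bshutdown$", line):
            shut.append(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nat_ids.add(m.group(2))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            global_ids.add(m.group(2))
        elif line == "snmp-server community public":
            findings.append("snmp: default community string 'public'")
    # nameif lines follow the interface lines, so resolve names afterwards.
    for hw in shut:
        findings.append(f"interface {names.get(hw, hw)} ({hw}) is shutdown")
    # nat id 0 is the identity/exemption form and needs no global pool.
    for nid in sorted(nat_ids - global_ids - {"0"}):
        findings.append(f"nat id {nid} has no matching global statement")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE):
        print(finding)
```

A truncated line such as `global (outside` does not match the `global` pattern, so it is reported the same way as a missing statement.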
 
Hi

Interfaces are up now, but unable to ping from PC to pix or from pix to pc. Same issue on PC, can not ping outside.

here is the config:

pixfirewall# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.233.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable trap
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.233.10-192.168.233.254 inside
dhcpd dns 68.87.73.242 68.87.71.226
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:722c2717ac058d555d85334fcab6adb9
: end

pixfirewall# sh route
inside 192.168.233.0 255.255.255.0 192.168.233.1 1 CONNECT static

pixfirewall# sh int e0
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0013.80b7.4510
MTU 1500 bytes, BW 100000 Kbit full duplex
namested I
pager lines
35948 packets input, 2223158 bytes, 0 no buffer Show system buffer
404 packets output, 238360 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/3)
output queue (curr/max blocks): hardware (0/1) software (0/1)

pixfirewall# sh int e1
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0013.80b7.4511
IP address 192.168.233.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
132602651 packets input, 694395723 bytes, 0 no buffer
Received 132623124 broadcasts, 0 runts, 0 giants
2795897 input errors, 3 CRC, 1 frame, 2795862 overrun, 3 ignored, 0 abort
236096 packets output, 19474442 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (4/137)
output queue (curr/max blocks): hardware (0/128) software (0/733)

pixfirewall# sh route
inside 192.168.233.0 255.255.255.0 192.168.233.1 1 CONNECT static
pixfirewall#
 
That should do it - is there a firewall on the PC? - turn it off for the testing. You should be able to ping the PC from the pix if it handed out an address to it.

You should have one more statement in the "sh route"

outside 0.0.0.0 0.0.0.0 [DefaultGatewayIP] 1 OTHER static

Is the modem working? is it dhcp? Do you need to provide a password?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent
Here is the updated sh route:

pixfirewall# sh route
outside 0.0.0.0 0.0.0.0 68.48.48.1 1 OTHER static
inside 192.168.233.0 255.255.255.0 192.168.233.1 1 CONNECT static

I disabled windows and norton firewalls and PC did get its IP address from pix and they were able to ping each other. However unable to:

ping 72.14.207.99 from pix or PC.
ping google.com(by DNS) from PC.
web browser google.com from PC

 
Good, now we are moving. (Norton FW has been a source of a ton of problems for clients.)

Just to verify - for your ISP you don't need to enter a username/password for sign on.

Type this to see your lease
show ip address dhcp

Can you ping the gateway address 68.48.48.1 from the pix and PC?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hello

Has anyone suggested that he power cycle the Cable Modem? It's entirely possible that the modem has just not issued the new IP lease.
 
Brent

here is the result from sh ip address dhcp

pixfirewall# sh ip address dhcp
Usage: [no] ip address <if_name> <ip_address> [<mask>]
[no] ip address <if_name> <ip_address> <mask> pppoe [setroute]
[no] ip address <if_name> dhcp [setroute] [retry <retry_cnt>]
[no] ip address <if_name> pppoe [setroute]
ip local pool <poolname> <ip1>[-<ip2>] [mask <mask>]
ip verify reverse-path interface <if_name>
ip audit {info|attack} action [alarm] [drop] [reset]
ip audit name <audit_name> {info|attack} [action [alarm] [drop] [reset]]

ip audit interface <if_name> <audit_name>
ip audit signature <sig_number> disable
show|clear ip audit count [global] [interface <interface>]
show ip [address [<if_name> [pppoe|dhcp [lease|server]]]]


and I can not ping 68.48.48.1 from pix or pc, however pc can ping pix and pix can ping pc. PC also gets IP address from pix.

 
just do this:

pix# sh ip address

Make sure you are receiving an address for the outside interface. If not, try powering down the Cable Modem for 10 minutes and power it back on (remove power plug), then check for an address again. If that doesn't work you might want to call your cable provider and see if they can wipe the MAC listed for your service.

Free Firewall/Network/Systems Support-
 
Hello newkid123
Did you ever solve your problem? I have the same setup; if you like, I am willing to help you.
Regards
 
Hello
As far as I can understand, your problem is the link between the cable modem and the PIX. The PIX needs to be on the same subnet as the modem Ethernet interface. The PIX can't handle your WAN IP address because it only acts as a PPPoE client, and will take an IP address from your ISP. For a home setup with one public IP address it's done this way: WAN IP address of modem (68.48.50.237), Ethernet address of modem (192.168.1.1), PIX outside address (192.168.1.2), PIX inside address on a different subnet to the outside, e.g. 192.168.100.1.
Your cable modem doesn't seem to act as a router, so this is the first problem. I think you will have to put the wireless router before the PIX.
Please tell me if your modem lets you configure your LAN interface, and what's your model?
Don't worry, networking is very versatile; it's possible to stick that PIX in your network in some way or the other!
Will get back to you as soon as you reply.
Regards
 
Hello Minue

The cable modem is " Linksys EtherFast Cable Modem with USB & Ethernet Connections" and model # is BEFCMU10 Ver2.
It does not seem that I am able to configure the LAN interface. I can log into the wireless router and do configurations.


Thanks for your time
newkid123
 
Hello
There's a bit of doubt as to whether the PIX can obtain an IP address from the ISP DHCP server. Anyway, to be on the safe side, connect the PIX to the cable modem Ethernet interface (obviously with the correct cable), and do a "debug dhcpc detail". Be advised to put in the debug command first, then the "ip address outside dhcp setroute" command. Also do a "show ip address outside dhcp" and a "show int e0". Let me know how it goes, and also post the results.
Regards
 