Connecting 2514 & PIX 501 To Cable Modem - HELP!!!

PixPocket

MIS
Jan 21, 2002
25
US
Hi all! Please bear with me as I think I am quite a ways off here. I have searched the info in these forums and could not solve this issue on my own, so please feel free to offer any useful input. In any event I am attempting to connect my 2514 to my Pix 501 (which is connected to my cable modem and working). I just need some help with the config for the 2514. What I have to do right now to connect to the internet (to post this thread for example) is simply connect my switch directly to the 501. So I don't think I have any config issues with the 501. Anyway, I want to connect the 2514 to the 501 and connect my LAN switch to the 2514. I think I am confused as to the config of E0 since that interface is connected to the 501 as opposed to the cable modem. What ip address should I be assigning that interface? Also, what kind of static routes should I have? As you can see from my config, I plugged in a static route with the next hop address of the 501, but since I can't even ping the 501 from the 2514, that obviously doesn't work. Any help is appreciated!!

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname Router
!
boot system flash 1:aaa0850.bin
no logging console
!
ip subnet-zero
!
!
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 no cdp enable
!
interface Ethernet1
 ip address 192.168.1.10 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip route-cache
 no ip mroute-cache
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
 transport input all
line vty 0 4
 login
!
end
 
The PIX would have an IP of 10.0.0.1 and the 2514 would be 10.0.0.2 with a subnet mask of 255.255.255.252. The 252 gives 2 usable IP addresses. Not that you need to be worried about it on a home LAN, it's just a good habit to get into on serial or direct links like this.

The next hop is the pix.. but you don't need to say that.. you would use a

ip route 0.0.0.0 0.0.0.0 <next hop>

Basically says that if I don't know where to send the packet.. send it to the next hop and it will worry about it.

MikeS

PS- pings are dumped by default.. you need to enable the ping response on the PIX

Find me at
"The trouble with giving up civil rights is that you never get them back"
 
Hmmmm, okay, thanks for the info Mike. I have configured the PIX so that I can ping it. I am actually using the 192.168.1.x ip range for PIX, where 192.168.1.1 is the address of e1 on the PIX. However, when I tried to configure e0 on the 2514 to match the 192.168.1.1 of the PIX, I have a conflict then with e1 on the 2514 and it won't let me configure as such.

So given that set of circumstances, isn't my ip route statement correct, since I have plugged in the address of the PIX as the next hop? Basically it just sounds like e0 is not configured properly on the 2514 (and given the information you supplied, I will likely need to change e1 on the PIX as well?!?!....using a different ip range?).

One last thing, is it not correct to use the ip add of the PIX as the default gateway for my network? I saw another post along these lines and it made a statement to the contrary.

Thanks so much for your help. I hate being new to something and having to make an arse out of yourself while you stumble through it all!
 
You need two different subnets.. one for each interface on the router..

internet---publicIP-PIX-10.0.0.2------10.0.0.1--E1-ROUTER-E0-192.168.1.1---LAN

Something like that poor drawing ;-)

The router closest to your LAN is the default gateway.. in this case, it's the 2514.. not the PIX.. the PIX is the Next-Hop for the 2514.

MikeS
 
Thanks for your patience Mike - I'll give it a try and see if it works!!
 
No good! I just can't seem to get it to work! I changed e1 on the PIX to 10.0.0.1, e0 on the router to 10.0.0.2 and e1 on the router to 192.168.1.1 - With that scenario I can ping e1 on the PIX from the router but not from a workstation. I cannot ping an internet address (or e0 on PIX) from the router. I entered a static route as follows:

ip route 0.0.0.0 0.0.0.0 10.0.0.1

If the router can communicate with e1 on the PIX, why can't a workstation? I am also confused that I cannot ping an external address from the router. Almost like something is amiss in the PIX config now. One more note, I was using 192.168.1.x range for my internal network and the PIX was configured to work fine with that scenario (switch connected directly to the PIX). Only now that I have changed the inside address of the PIX does it seem to be a problem. Even though my workstation still has a 192.168.1.x ip address I cannot communicate with the PIX through the router. Does the PIX see the router & workstation as a different network now? i.e. - PIX was configured to accept telnet from 192.168.1.0 255.255.255.0 - as I mentioned my workstation is in that range, but it doesn't work. I'm confused - HELP!!
 
This is a config from Cisco.. backwards from what you're doing but it gives a nice config to work from


This link is for configuring NAT on the pix.. which is where your problem is likely at..

Are you running NAT/PAT on the PIX and the 2514?

MikeS
 
Thanks again Mike! Yes I am running NAT\PAT on both devices. What is the best practice given my architecture?
 
OK.. let's get back to basics..

can the workstation ping the gateway.. both interfaces?
can the workstation ping the PIX?

If you run a traceroute, where does it fail?

Any static maps in the NAT?

If you try to go on the internet, on the 2514, does a SHOW IP NAT TRANSLATION show any activity?

Now for the fun stuff.. if you pull the PIX out.. reconfig the E1 port with the public IP/mask, does it work? don't forget to change the IP ROUTE to the correct next hop of the ISP.

reverse things.. put the PIX back.. config it as it should be.. BUT- config DHCP on the PIX with the correct info.. plug a W/S etc into one of the switch ports on the back.. can you access the internet?

internet--PIX---2514----LAN
           |
           |--test workstation

Divide and conquer..

Running NAT on both normally does not cause too many troubles.. although RealAudio sometimes gives me a headache..

MikeS
 
Well, your advice was worthy as we obviously DO need to start with the basics. The 2514 config is not working, so forget the PIX for the time being. I MUST BE missing something in the 2514 config - HELP!!

Okay, I changed E0 to the public ip/mask (cable modem) and set a static route to the next hop ip of my ISP. I can ping both interfaces on the 2514 from my workstation, but not the internet (dest unreachable from router). I can ping all switches, servers and workstations from the 2514, but not any internet addresses. I do a tracert from my ws and it gives nothing but timeouts after hitting E1 on the 2514. What am I doing wrong or not seeing here?! Thanks for your input!

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname Router
!
boot system flash 1:aaa0850.bin
no logging console
enable secret xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
ip subnet-zero
!
!
!
interface Ethernet0
 ip address xx.xxx.xxx.x 255.255.254.0
 no ip directed-broadcast
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 no cdp enable
!
interface Ethernet1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip route-cache
 no ip mroute-cache
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.65.xx.1
!
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
 transport input all
line vty 0 4
 login
!
end
 
I'm at a client's right now ( goofing off waiting for MS products to load ;-) ) but I don't see a global overload for the NAT.. you need this if you have ONE ip to share among the home LAN..

config t

ip nat inside source list 1 interface ethernet 1 overload

The list 1 is the access list to provide access to the lan
interface ethernet 1 is the *outside* interface 1 or 0
overload says to use PAT ( port address translation) to share the 1 ip address to the inside ip range.

I can supply a sample access list later tonight if you need it.

MikeS
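An added example, not part of the original thread: a small Python check for the two faults discussed in the posts above, a default route whose next hop is not on the NAT-outside subnet and a missing or mis-aimed PAT overload rule. The sample configs are constructed from addresses in the thread; the access-list line and the `Ethernet0` spelling of the interface name are assumptions.

```python
import ipaddress
import re

# Constructed samples: BROKEN is trimmed from the first config posted in the thread;
# FIXED uses addresses from the replies; the access-list line is an assumption.
BROKEN = """interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
interface Ethernet1
 ip address 192.168.1.10 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 192.168.1.1"""
FIXED = """interface Ethernet0
 ip address 10.0.0.2 255.255.255.252
 ip nat outside
interface Ethernet1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface Ethernet0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1
access-list 1 permit 192.168.1.0 0.0.0.255"""

def audit(config):
    """Return findings for a bad default next hop or a missing/mis-aimed PAT rule."""
    ifaces, acls, rules, hop, cur, findings = {}, set(), [], None, None, []
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m[1], {"net": None, "nat": None})
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and cur is not None:
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif (m := re.match(r"ip nat (inside|outside)$", line)) and cur is not None:
            cur["nat"] = m[1]
        elif m := re.match(r"ip nat inside source list (\d+) interface (\S+) overload$", line):
            rules.append((m[1], m[2]))
        elif m := re.match(r"access-list (\d+) permit ", line):
            acls.add(m[1])
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            hop = ipaddress.ip_address(m[1])
    outside = {n: i["net"] for n, i in ifaces.items() if i["nat"] == "outside"}
    if hop is None or not any(net and hop in net for net in outside.values()):
        findings.append(f"default route next hop {hop} is not on a NAT-outside subnet")
    if not rules:
        findings.append("no 'ip nat inside source list N interface X overload' rule")
    for acl, name in rules:
        if name not in outside:
            findings.append(f"overload rule names {name}, which is not 'ip nat outside'")
        if acl not in acls:
            findings.append(f"access-list {acl} used by the NAT rule is not defined")
    return findings
```

`audit(BROKEN)` returns two findings (the next hop 192.168.1.1 sits on the inside subnet, and there is no overload rule); `audit(FIXED)` returns an empty list.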
 
Since you're prolly still waiting for that sw to load (LOL) I made the suggested changes but still no good. I see where you were coming from as far as communication from my network, but I don't think we addressed the issue of not being able to communicate from the 2514 to the internet?! Thanks for all of your help - any other ideas?!?

 
Actually.. that was part of trying to get the 2514 to work on the internet..

internet---E1-NAToutside-2514-NATinside-E0---LAN

If the NAT doesn't work, then the router will not work on the internet..
Try this.. leave things the way they are and do a *directed* ping from E1 to somewhere on the internet.. like your DNS server.. ping by IP..

nemesis#ping (hit return..do not put in IP)
Protocol [ip]:
Target IP address: 206.202.168.4
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
; outside IP here
Source address or interface:192.168.2.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 206.202.168.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
nemesis#

See if you can ping the internet address from that interface.. if not then there is another problem other than the router's NAT. You must be able to ping from the outside interface To something.. we need that to work.. you already have the inside working.. With both working we can get NAT working.. then we be styling!!

I have a tutorial on my site for PINGing around..


Take a look at it.

MikeS
 
Oh my.....oh my.......okay, okay, ten deep breaths - WE GOT IT!!! Shwew! I thought it was never going to work. The pinging around helped me to resolve the problem. I ended up changing the ip on e0 and assigning a new static route and voila - 'tis magic. I couldn't have done it without you WYB!!!! A million thanks.......now <don't shoot>, say I were to, oh, plug the PIX back into the equation?!?!?!?! Got any suggestions of how to tackle that? Again thank you!
 
Yikes - follow-up.......I am finding that the public ip I assign to e0 is only remaining valid for 10 minutes or so?! As soon as I pick another unassigned ip in the range it works, but again, only for ~10 minutes. Ever heard of that? I remember the cable company saying that routers were not allowed (LOL)....I don't suppose they are blocking somehow are they? I never had this problem when the PIX was connected to the cable modem?!?! Just thought I would throw that out there.
 
Follow-up #2.....Hey WYB, check it!! I hooked the 2514 back up to the PIX and reconfig'd it all and.....hold on now.....are you sitting down?!?! IT W-O-R-K-E-D!!! I'm sure I have some stuff left to tweak, but WOW, did we make a ton of progress today - And I owe it all to you! THANK YOU! THANK YOU!! THANK YOU!!!
 
Great news!!! I'm glad to hear that we finally beat the network into submission ;-)

Enjoy your protected high speed internet access.. you will wonder how you ever survived without it..

BTW- most cable companies use DHCP on their addresses unless you get a commercial account which supplies a static with some DHCP addresses. The 2514 can do it but it takes a pretty new version of the IOS.. the PIX is a better bet anyways on that end of things.

MikeS
 