
HELP!!!!!


tx2systems

Technical User
Mar 25, 2006
I have just bought a Cisco 837 DSL modem router and a Cisco PIX 501 firewall... not being used to using Cisco, I need pointing in the right direction.

Scenario...

I have a Windows SBS server in place, IP address say 192.168.0.2.
It is a DHCP server and DNS server, so all client machines are assigned automatically.

I have a static IP issued by my provider, which I have set on the 837, and it works with no problem on the outside interface.

Now the inside interface of the 837 is where I am at a slight loss??

The Cisco PIX 501 inside interface I have set to 192.168.0.1.

Now again I am at a loss as to what to set the outside interface to on the firewall??

And also I have been told that I may need to set up a static route??

Can anybody please help with this??

 
As I understand it, you have:

lan -- pix -- router -- internet

I'd pick another network and use it between the pix and router. Set the pix outside i/f to 192.168.1.1 and the router inside i/f to 192.168.1.2.

The router should have a route to 192.168.0.0/24 via 192.168.1.1. Normally:
ip route 192.168.0.0 255.255.255.0 192.168.1.1

I'd also use identity nat in this case on the Pix:
static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

The Pix's default route will be via the router:
route outside 0.0.0.0 0.0.0.0 192.168.1.2

That way the modem/router will handle all NAT and it will probably be simpler. The NAT can get sticky if you use double-NAT and want to allow inbound traffic, but the double-NATting of traffic (once by the PIX and once by the router) should work OK for outbound.

Personally, I'd be inclined to use a basic DSL modem and have the PIX as the only layer-3 device to worry about. I don't know if the 837 can be set to a "modem-only" mode. If so, then your router's public address would be set on the PIX's outside interface and the "router" would just act as a modem. That'd be my "perfect world", but I don't know if it will work here.
 
Hi, thanks for that lgarner... you know when something is niggling you and a mixture of impatience and excitement takes over lmao... I sat thinking maybe I should reset it and did... so now it is in a state of nothingness, not even a web interface. I am thinking there must be some sort of factory default reset procedure, but it eludes me at the moment. When I actually figure out how to get the damn thing working again lol I will try your config advice... thanks once again
 
Hi Guys,

I'm in a very similar situation. I've just bought a Cisco 827 broadband router and a PIX 501. I have it connected in the way lgarner describes:

lan -- pix -- router -- internet

I have a single fixed public address assigned by the ISP.

It all works fine for outbound traffic, I can browse the web fine and all is great there. However, I can't seem to work out how to allow inbound traffic from the web to devices behind my PIX.

The config on the PIX needs to remain fairly static as I've configured it to support VPN connections. I know that the PIX VPN is working fine because I also have a Linksys router that I've tested it with.

When I use the Linksys instead of the Cisco 827, inbound access to the PIX works fine.

Please can you help me understand how to configure the Cisco 827 router to allow all inbound traffic to the PIX, so that the PIX can handle the decisions on what to allow.

Please let me know if you need more information.

Thanks in advance.

Greg.
 
You need to use NAT.

You must supply the port number for the application you want to traverse the router, as follows: SMTP, web and ICA in these examples. xx.xx.xx.xx is your external IP address.

ip nat inside source static tcp 10.0.0.1 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.0.0.1 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.0.0.4 1494 xx.xx.xx.xx 1494 extendable

 
Thanks Hellbabe :)

Do I apply that ACL to the router then and not the PIX?

Do you know what ports I need to allow for the Cisco VPN client v4.6 to connect through to the PIX?

Thanks,

Greg.
 
Hi Greg, it's not an ACL, it's just NAT.

Enter it on the router in config mode.

Not sure about the VPN client ports, but on re-reading your question it seems that you want to allow all traffic past.

Maybe try

ip nat inside source static 10.0.0.1 xx.xx.xx.xx

It might work.

anyone else?
 
OK, thanks I've added the following to the router:

ip nat inside source static 192.168.250.2 xxx.xxx.xxx.xxx

This allows me to connect to the PIX VPN. The only thing I'm having difficulty with now is allowing inbound SMTP to my SMTP gateway behind the PIX.

Do I need to add a NAT on the router for this or on the PIX or both?

I've tried adding the following on the router:

ip nat inside source static tcp 192.168.8.11 25 xxx.xxx.xxx.xxx 25 extendable

and I've also added this to the PIX:

static (inside,outside) tcp interface smtp 192.168.8.11 smtp netmask 255.255.255.255 0 0

I've since removed the nat entry from the router, but left the PIX one there.

Am I on the right lines here?

Thanks for all your help so far, it is hugely appreciated ;-)

Kind Regards,

Greg.
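An added example, not from the thread: a small Python model of the inbound path through the two NAT hops lgarner described, using the statics Greg ended up with (router 1:1 NAT to the PIX outside, PIX static on smtp). The public address is a placeholder for the masked xxx.xxx.xxx.xxx, and the PIX access-list entry is assumed, since the thread does not show it.

```python
# Constructed model of the final topology in the thread:
#   lan 192.168.8.0/24 -- PIX (outside 192.168.250.2) -- 827 router -- internet
# 203.0.113.10 is a documentation placeholder for the ISP-assigned address.
PUBLIC_IP = "203.0.113.10"
PIX_OUTSIDE = "192.168.250.2"
MAIL_SERVER = "192.168.8.11"


def router_nat(static_entries, dst_ip, dst_port):
    """Translate an inbound destination per the router's 'ip nat inside source static' entries.
    Entries are ((public_ip, port), (inside_ip, port)); port None means a 1:1 mapping of all ports."""
    for (pub_ip, pub_port), (inside_ip, inside_port) in static_entries:
        if pub_ip == dst_ip and (pub_port is None or pub_port == dst_port):
            return inside_ip, (dst_port if pub_port is None else inside_port)
    return None  # nothing matched: the router has no inside host to hand the packet to


def pix_inbound(statics, acl, dst_ip, dst_port):
    """Apply the PIX 'static (inside,outside)' table, then the outside access-list.
    No matching static: dropped (the PIX logs 'no translation group found').
    Matching static but no ACL permit: denied, because the PIX denies inbound by default."""
    real = statics.get((dst_ip, dst_port))
    if real is None:
        return "dropped: no translation group found for %s:%d" % (dst_ip, dst_port)
    if (dst_ip, dst_port) not in acl:
        return "denied by outside access-list: %s:%d" % (dst_ip, dst_port)
    return "delivered to %s:%d" % real


def trace_inbound(router_entries, pix_statics, pix_acl, dst_port):
    """Follow one inbound TCP SYN for PUBLIC_IP:dst_port through the router NAT and then the PIX."""
    hop1 = router_nat(router_entries, PUBLIC_IP, dst_port)
    if hop1 is None:
        return "dropped at router: no NAT entry for %s:%d" % (PUBLIC_IP, dst_port)
    ip, port = hop1
    return pix_inbound(pix_statics, pix_acl, ip, port)


# Greg's working config: "ip nat inside source static 192.168.250.2 <public>" on the router and
# "static (inside,outside) tcp interface smtp 192.168.8.11 smtp" on the PIX. The ACL entry (assumed,
# not in the thread) permits tcp to the PIX outside address on port 25; the PIX needs one for inbound.
ROUTER = [((PUBLIC_IP, None), (PIX_OUTSIDE, None))]
PIX_STATICS = {(PIX_OUTSIDE, 25): (MAIL_SERVER, 25)}
PIX_ACL = {(PIX_OUTSIDE, 25)}

# The earlier attempt: a router port-25 static aimed straight at the mail server. The PIX then sees
# a packet for 192.168.8.11, which has no static on the outside, so it never reaches the server.
ROUTER_DIRECT = [((PUBLIC_IP, 25), (MAIL_SERVER, 25))] + ROUTER

if __name__ == "__main__":
    print(trace_inbound(ROUTER, PIX_STATICS, PIX_ACL, 25))         # delivered to 192.168.8.11:25
    print(trace_inbound(ROUTER, PIX_STATICS, PIX_ACL, 80))         # dropped by the PIX, not the router
    print(trace_inbound(ROUTER_DIRECT, PIX_STATICS, PIX_ACL, 25))  # dropped: no translation group found
```

The second trace shows why the 1:1 router NAT is safe to leave in place: anything without a PIX static and an ACL permit is still dropped at the PIX.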
 
OK, scratch that last post ;-)

I'm all set and working fine now, thanks for all your help guys - I couldn't have got there without it.

Cheers,

Greg.
 