Incorporating Pix 501 into Lab Network

Status
Not open for further replies.

Bedrock1977

Technical User
May 27, 2009
32
US
I would like to incorporate a Cisco Pix 501 Firewall in my home lab environment. I was using the Cisco 2514 to act as my DSL Router but have since gone back to using my DLINK Wireless router. What is the best possible way to accomplish this? I want to set up PAT Translation but also allow for Remote Desktop Connections using port 3389. But first, I need to figure out where to place the Pix unit into the topology.
 
If your goal is to learn as much about Cisco as possible, I'd put the 2514 back where it was. I'd then put the PIX behind it. If you need wireless, I'd convert your wireless router to a simple access point...

Internet---DSL MODEM---2514---PIX---LAN/Wireless LAN
 
Well that actually matches what was discussed in the manual for Pix Version 6.3(5). The router they showed to the right of the "cloud" was called the default or perimeter router and then the pix was right behind that. The Quick Start guide for the Pix shows the DSL modem connecting directly to the WAN interface on the Pix. Either the Pix was not configured properly using the default settings or something else was going on. The reason I say that is because the modem was trying to give a 192.168.1.64 address to the firewall and it wouldn't accept it.
Originally, when I had the 2514 configured as my DSL router, I had the external interface set to receive an IP address from the ISP via DHCP. Then I had the internal interface configured to distribute addresses to my internal network (192.168.1.0). I also had an access list set to provide internet access to all networks inside as well as provide PAT. Because I would add one more device to the mix, what would be the best way to address it? Should PAT be configured on the PIX or on the 2514?

:) I could draw a nice diagram and post it on here for you to see if I could just attach it! :)
 
Use a /30 between the 2514 and the PIX. Use the 10.0.0.0 network on the LAN and subnet it down to what you need. Do all your NATing on the PIX.
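
The layout suggested above (a /30 toward the 2514, a 10.0.0.0 subnet inside, PAT and the Remote Desktop port handled on the PIX), written out as PIX 6.3 commands. This is an added example, not a configuration posted by anyone in the thread; every address in it (172.16.0.0/30 transit, 10.0.0.0/24 inside, RDP host 10.0.0.10, permitted source 203.0.113.10) is constructed.

```cisco
! Added example for PIX OS 6.3 on a PIX 501; all addresses are constructed.
! Assumption: the 2514 holds 172.16.0.1 on the /30 and delivers inbound
! traffic for the PIX outside address 172.16.0.2.

! /30 transit link to the 2514, 10.0.0.0/24 on the LAN side
ip address outside 172.16.0.2 255.255.255.252
ip address inside 10.0.0.1 255.255.255.0

! Default route points at the 2514
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1

! PAT: all inside hosts share the PIX outside interface address
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

! Port redirection: TCP 3389 on the outside interface goes to one RDP host
static (inside,outside) tcp interface 3389 10.0.0.10 3389 netmask 255.255.255.255

! Permit RDP only from a single known source instead of "any";
! everything else arriving on the outside interface is dropped.
access-list outside_in permit tcp host 203.0.113.10 interface outside eq 3389
access-group outside_in in interface outside
```

`show xlate` and `show access-list outside_in` on the PIX confirm that the translation exists and show the hit count on the RDP entry.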
 
Ok..I understand. Thanks.

Hey, are you not able to use EIGRP as the main routing protocol with the Pix 501? The documentation says only RIP and OSPF.
 
For instance, could I use RIP for the link between the 2514 and the Pix and EIGRP for the rest of the network or does the entire network need to be RIP?
 
There is no right or wrong answer. Since you are studying, I'd try it both ways and make my own conclusions on which way is best.
 
After accidentally breaking my SpeedStream 4100 DSL modem and purchasing an AT&T Modem (Motorola 2210) - I cannot get the 2514 to work like it used to. I have Ethernet0 set to accept an IP address from the ISP. The only thing it does now is give it 192.168.1.64, and the activity light for that interface is constantly on. Why won't it give the public IP address out? Is there something on the modem that isn't set correctly? To my knowledge - I never had to change anything on the old modem to get it to work.
 
Well, I decided to let the modem give the router the 192.168.1.64 IP and set the inside network to 192.168.2.0. I know you had suggested the 10.0.0.0 network for the inside, but I had already subnetted that out for the frame-relay portion of the network. As I get into this further, I may decide to do some things differently. What's important is that I now have the 2514 up and running!
 