internet -> cisco 1710 -> pix 506e

[caswcu]

Im switching over from a DSL line to a t1 line. Right now the pix handles everything ( vpn, static routing, ip forwarding, etc. ). When I get the 1710 I want it to act just like the dsl modem. Should I ask the t1 provider to setup the cisco 1710 in bridge mode? Anything else I should know?

 

[NetworkGhost]

No. You will get have to assign a IP to the internal int on the router. Bridge mode is possible if you ISP supports it but I wouldnt recommend it. It will be better in the case of outages and troubleshooting. , loopbacks, etc.

 

[caswcu]

so I assign an external ip address to the router and I should then be able to manage my pix like I do now?

 

[NetworkGhost]

Yes

 

[NetworkGhost]

Of course you will be assigning and IP to your Pix also and the gateway will have to be assigned.

 

[lashboy]

this is what you should do!

you will need 2 different network address
one for serial interface ( router)
one for router ethernet interface ( should be different network from serial interface)

one ip to pix outside interface ( should be same network IP as ethernet interface)

default gateway on pix will be router serial interace!

 

[NetworkGhost]

Default on the Pix would actually be the router ethernet interface.

 

[gregbeason]

You can do IP Unnumbered on the serial interface and just have one network on the ethernet side. I would ask for a /29 so you have some free IP addresses for later use.

 

[caswcu]

let me make sure I understand this

say 1.2.3.x is an external range with 16 ips.. 1.2.3.2-1.2.3.18

the router will be assigned 1.2.3.2

the pix will be assigned 1.2.3.3 and I will be able to control 1.2.3.4-1.2.3.18 thru the pix like I do now?

 

[KiscoKid]

Yes you can create NAT/PAT mappings with any or all your spare IP's for those servers that need to be visibile from the outside. I would envisage you could end up with something like:

PIX Config:

ip address outside 1.2.3.3 255.255.255.240
ip address inside 10.10.1.1 255.255.255.0
name webserver 10.10.1.250
ip route 0.0.0.0 0.0.0.0 1.2.3.2
global (outside) 1 interface
nat (inside) 1 10.10.1.0 255.255.255.0
static (inside, outside) 1.2.3.5 webserver
access-group acl_out in interface outside
access-list acl_out permit tcp any host 1.2.3.5 eq 80

Router Config:

int fa0/0
ip address 1.2.3.2 255.255.255.240
int dialer0
ip unnumbered fa0/0
ip route 0.0.0.0 0.0.0.0 dialer0

 

[KiscoKid]

Just re-read your post and see that it's a T1 not DSL. Given that the router config changes a little:

int fa0/0
ip address 1.2.3.2 255.255.255.240
int s0/0
ip unnumbered fa0/0
ip route 0.0.0.0 0.0.0.0 s0/0

 

[caswcu]

kiscokid

what your showing makes sense.. just a few questions

i dont believe the below line matters since I do dhcp thru a windows 2003 domain ( isnt this for if IM going to have the pix handle dhcp?? )

nat (inside) 10 0.0.0.0 0.0.0.0 0 0 ( this is the line in my router now )

how does this:

int fa0/0
int s0/0

differ from what Im doing now:

interface ethernet0 auto
interface ethernet1 auto

Thanks

 

[KiscoKid]

The nat (inside) statement thing was just something I threw in in case you didn't have it already. It just tells the PIX what networks need NAT'ing. Your existing nat (inside) statement should be fine.

The int fa0/0 and int s0/0 in my post above are relevant to the router not the PIX. It's basically an example config script you could paste and copy directly into the router (not the PIX). Naturally you'd have to insert the right IP addresses into that script. The statements 'interface ethernet0 auto' and 'interface ethernet1 auto' are relevant to the PIX only and can stay as they are.

 

[caswcu]

Kiscokid,

thanks for your help. I know where to come when I get the t1 and router.

Thanks

 

[caswcu]

kiscokid,

actually I got a 2801.. The setup should be similar right?

 

[KiscoKid]

The commands are the same. You may find that the interface identifiers are different, ie. something like int s0/0/0 for example (instead of what I put previously)