
Need help in setting up PIX 501

Status
Not open for further replies.

brotherhalo

Programmer
May 13, 2002
Greetings and salutations, all.
I just got a new PIX 501 and need to configure it for my home and for my broadband access (Comcast). I have already configured my internal network to use the 501's built-in DHCP server. My problem is getting to the outside world. When I connect the 501 to my Motorola Surfboard SB3100 modem, I don't have any activity on my modem, nor does the link light activate on the 501. My configuration below is as follows and includes very little other than the "out-of-box" settings.

Result of PIX command: "sh config"

: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:fd219619e8b4ca2f8a5c592919d97a29

I would be most appreciative of any and all help.

Thanks!
 
OK, I could see this being one of two things - both concerning your connection from the PIX to the DSL box. If the link light is not on, you're not gonna get anywhere.

Firstly, are you using the right kind of cable (straight-through or cross-over)? I would check the docs provided by your ISP, and any other cables they gave you.

Also, it is possible that you have the wrong speed/type of connection for this link. This is set in the following lines:

interface ethernet0 10baset
interface ethernet1 10full

It would probably be best to set to:

interface ethernet0 auto
interface ethernet1 auto

to allow the interface to auto-detect the right settings.

Hope this helps.

Irregular
 
Thanks for stepping up to the plate, Irregular. I really appreciate it!

I tried changing the interface as you suggested and the PIX told me it could only be set to 10baset for ethernet0 and ethernet1 could only be at 10full. Which is right, since my ethernet0 is a 10baset USB adapter and my other NIC is only 10base2.

Anyway, that didn't help. But the cable suggestion did. Like a dolt, I assumed the CISCO manual was correct in telling me which cable was the pass-through. Took a look at the cable and guess what? The manual was wrong. So much for "RTFM". Next time, "RTFC".

Thanks. Now that I'm online through the firewall, I can start learning more about PIX. Thanks a ton!

-Brotherhalo
 
I also have exactly the same problem. Doesn't anyone have a solution for this?
 
More exactly, I am using a PIX 501, SURFboard SB3100, and the right cable, but it still doesn't work.

pixfirewall(config)# ip address outside dhcp setroute retry 6
............................
DHCP command failed

ping outside does not work either.

pixfirewall(config)# sh interface ethernet0
interface ethernet0 "outside" is up, line protocol is up

If I remove the pix and connect my PC using DHCP it works.

pixfirewall(config)# sh conf
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname magnus-pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.64.145 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set des esp-des esp-sha-hmac
crypto map orc 10 ipsec-isakmp
crypto map orc 10 match address ipsec-magnus-sthlm
crypto map orc 10 set peer pix-sthlm
crypto map orc 10 set transform-set des
crypto map orc interface outside
isakmp enable outside
isakmp key ******** address pix-sthlm netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.64.144 255.255.255.248 inside
telnet timeout 60
ssh 194.14.211.11 255.255.255.255 outside
ssh timeout 60
dhcpd address 192.168.64.146-192.168.64.150 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:15c16172d7026f22ef5f51135f135ef4
 
My problem is solved now. I needed to unplug the power to the modem and plug it in again. Apparently it was locked to my PC's MAC address and didn't accept the MAC address of the PIX when I connected it.
 
Hi Guys:

I had the same problem as brotherhalo. I don't understand why Cisco has not fixed the manuals yet on connecting the PIX to a broadband modem. Thanks to you all, my hairs will be growing again.
 