
NEWBIE HELP: Let it all through!


Dyehouse1

MIS
Sep 24, 2002
43
GB
Hi guys I know someone must be able to help me:

We currently have a 1601 and a firewall setup that we want to replace with a new 1601 and a PIX (don't ask why!)

The current router is connected to a T1 using the serial interface and this is how we want the new unit. Currently I think that everything is setup to go straight through the router as the Internet IP being reported externally is not the router but the Internet IP of the firewall? Is this correct or has the router got dual IP?

Unfortunately I have no idea where to start on the firewall. If I am using the serial interface does this use an Internet IP or a RFC1918 range IP? Are there any 'special settings' for using the serial interface?

All I know is the Internet IP range we have on the internet and the complete current firewall setup......the router remains a mystery.

Just for the record we did try connecting the new firewall to the existing router as a test and we couldn't get anything to go through to the Internet at all. We could ping and get a reply to the router but the router blocked everything external. Any ideas on that as well?

If you need more info I will try my best but can't promise anything :)
 
First of all, I'm going to suggest you use something more advanced than a 1601. I'd suggest upgrading to a 2600 Series at the least, and using ACLs (Access Control Lists). You can configure those through Global Configuration Mode, and they are quite handy, and can do pretty much anything. It might help if you mentioned more of what you need in your firewall. Good luck :)
 
Hello Dyehouse1

Q1 I think it could be either. You could be using NAT from the firewall, or from the router (I am not aware of the 1601 capabilities in this area), so you will have to get a console up and run some basic commands from privileged (exec) mode like "show config" to determine how the router is configured. I recommend O'Reilly's "Cisco IOS in a Nutshell" to get you started...

Q2 Since you do have the "complete current firewall setup", sounds like you can determine if its "external interface", the one connected to the router - opposite your internal LAN, has a routable IP or a nonroutable (RFC1918) IP.

Q3 Lots of things could have gone wrong in your test. IP routing not the least. Seems to me the first step is to confirm the setup of your router. Good Luck and have fun "discovering" IOS!
 
I would have to agree with LoneGamer on that, couldn't stress enough the use of access lists. There is almost nothing you cannot do with a well designed access list. More importantly while the 1600 series may be great for small office use it sounds like you do need to go a step up (but you may be able to squeak by for a while with what you have). As for hooking up the firewall to your 1600 did you have port 80 enabled and Network Translated? While you may have been able to ping the router you might have had port 80 blocked in the firewall. Something you may want to check on.
 
Many thanks for your replies people. I have all the settings worked out so to speak.

The router is using PPP on its serial line and an Internet IP on its E0 port. The firewall external is using an Internet IP as well. I think the problem was something to do with routing as you all are suggesting.

I think the best bet is to set up a 'basic' config for testing purposes which will allow everything through so that I can start working at least and then closing down the holes. I believe this will be done on the firewall as this will be the NAT interface. Can someone suggest if this is a good way of going about this?

I have posted to the PIX group regarding my routing on the PIX and they have come back stating I had a bad 'global' routing entry.
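As an added illustration (not posted by anyone in this thread), here is what the "let it all through" test stage and the later "close the holes" stage look like as Cisco IOS access lists on the 1601's serial interface, the approach LoneGamer and the third reply recommend. It assumes the WAN side is Serial0 running PPP, the LAN side is Ethernet0, and a constructed public block 203.0.113.0/29 with the router's E0 at .1 and the PIX outside interface at .2; NAT stays on the PIX as the original poster describes.

```cisco
! Added example, not from the thread. Assumed: Serial0 = PPP to the T1,
! Ethernet0 = the "E0" port, constructed public block 203.0.113.0/29,
! router E0 = 203.0.113.1, PIX outside = 203.0.113.2.
!
! --- Stage 1: "let it all through" (temporary, to prove routing works) ---
! Every inbound packet on the serial side is accepted; the PIX NAT/ACLs
! are the only filter while you confirm end-to-end connectivity.
access-list 101 permit ip any any
!
interface Serial0
 encapsulation ppp
 ip access-group 101 in
!
! --- Stage 2: close the holes ---
! Built as a new list (102) so the interface never sits without a list
! while the old one is rewritten; then swap it in on Serial0.
!
! Anti-spoofing first: order matters, a permit line above these would
! let a forged private or "own block" source through.
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny   ip 203.0.113.0 0.0.0.7 any log
! Return traffic for TCP sessions started from inside (ACK or RST set).
access-list 102 permit tcp any 203.0.113.0 0.0.0.7 established
! DNS answers coming back to the PIX outside address (PAT'd queries).
access-list 102 permit udp any eq domain 203.0.113.0 0.0.0.7
! Only the services published on the PIX outside address (port 80 was
! the one questioned in the thread; 443 added as a typical companion).
access-list 102 permit tcp any host 203.0.113.2 eq www
access-list 102 permit tcp any host 203.0.113.2 eq 443
! Replies to pings from inside plus path-MTU / unreachable notices.
access-list 102 permit icmp any 203.0.113.0 0.0.0.7 echo-reply
access-list 102 permit icmp any 203.0.113.0 0.0.0.7 unreachable
access-list 102 permit icmp any 203.0.113.0 0.0.0.7 time-exceeded
! Everything else dropped and logged, so remaining "holes" show up in
! "show access-lists" hit counts and the log instead of by guesswork.
access-list 102 deny   ip any any log
!
interface Serial0
 ip access-group 102 in
!
! Once 102 is in place and nothing needed is hitting the final deny:
no access-list 101
```

Watch the hit counters with "show access-lists 102" while testing; a service that stops working after the swap will show up as hits on the closing deny line rather than on a permit.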
 