
Newbie - Need Help Configuring Pix 501 with Linksys "router"


beardj

Programmer
Jul 14, 2003
4
US
OK, the basic network setup looks like this:

Internet -> Cable Modem -> Linksys Wireless Router w/ 4 port hub -> Pix 501 -> Workstations

First, let me explain this configuration - it is meant to provide a non-private wireless network, while still allowing those computers on the "private" network behind the PIX with access to the Internet.

Since the Linksys is also a hub, the PIX is connected to it with a straight-through cable and the link light is green.

The Linksys router is a DHCP server and client. Its external IP address is the only "real" address on the network. Its gateway is 192.168.123.254. It provides a dynamic IP to the PIX (192.168.123.198).

The PIX is also a DHCP client and server. Its outside address is listed as dynamic and its inside address is 192.168.1.1.

So, here are some tidbits about how all of this is working:
-I can attach a workstation to the Linksys at the same point as the PIX and it has no problem accessing the internet.
-The PIX cannot successfully ping the Linksys router gateway IP (192.168.123.254)

The problem is that workstations connected to the PIX cannot get to the internet (ping or http). As a complete novice at this, I would appreciate any guidance. Thank you!



 
Please post your PIX config. Sounds like the problem may be in there, but we won't know for sure until we see it.
 
So, here is my current PIX configuration, it's basically out of the box... While I have several theories about why this doesn't work, I'd love to hear some of your thoughts. Thanks again!


Code:
Result of PIX command: "write terminal"
 
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****removed**** encrypted
passwd ****removed**** encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:****removed****
: end
[OK]
 
I would start by checking the status of my e0 interface. Check to make sure that it is in fact getting an IP address from the Linksys.

I have done a setup like this before and I had to enter a static route in the Linksys for the private network behind the PIX.

Next add these lines into the config of the pix...

(This will let you ping the linksys from the pix and get a response)
icmp permit any any inside
icmp permit any any outside

access-list in permit ip any any
access-list out permit ip any any
access-group in in interface outside
access-group out in interface inside

These lines will make sure that any and all traffic can pass through the PIX. This would not be wise; however, since you are already sitting behind the Linksys, you are protected. This will let you test and then you can harden the rulebase. With a static route in the Linksys to your 192.168.1.0/24 network pointing to the outside interface of the PIX (you may have to give the PIX a static IP) and the above ICMP lines as well as the ACLs, you should be able to pass traffic through. I hope this helps.
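
Following the advice above to test with open rules and then harden the rulebase, this added example (not part of the original posts) is a small Python audit that flags the test-only permissive lines in a PIX 6.x configuration. The function name and severity labels are assumptions, and the sample input is constructed from lines quoted in this thread.

```python
import re

# Constructed sample: lines taken from the configuration and the suggested
# test rules quoted in this thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
snmp-server community public
icmp permit any any inside
icmp permit any any outside
access-list in permit ip any any
access-list out permit ip any any
access-group in in interface outside
access-group out in interface inside
"""

def audit_pix_config(text):
    """Return (severity, message) findings for test-only permissive lines."""
    levels = {}        # interface name -> security level from nameif
    open_acls = set()  # ACL names that contain "permit ip any any"
    bindings = []      # (ACL name, interface name) from access-group
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif \S+ (\S+) security(\d+)$", line):
            levels[m.group(1)] = int(m.group(2))
        elif m := re.match(r"access-list (\S+) permit ip any any$", line):
            open_acls.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            bindings.append(m.groups())
        elif m := re.match(r"icmp permit any any (\S+)$", line):
            findings.append(("review", f"ICMP to the {m.group(1)} interface allowed from any source"))
        elif line == "snmp-server community public":
            findings.append(("review", "default SNMP community string 'public'"))
    # Resolve bindings after the scan so the order of config lines does not matter.
    for acl, ifname in bindings:
        if acl in open_acls:
            level = levels.get(ifname)
            # An open ACL on the security0 interface faces the least trusted network.
            sev = "high" if level == 0 else "review"
            findings.append((sev, f"ACL '{acl}' permits ip any any inbound on {ifname} (security{level})"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_pix_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```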

 
A couple of other suggestions:
1) Make sure the interface speeds match on both the Linksys and the PIX. Right now, the PIX is set to 10Base-T. Is that what the Linksys is set to?
2) Do a "show route". You should have a default route in there.
 
Thanks for the replies... Ok, so here's the good news - it works! After adding the previous lines to the config, it seems to behave correctly. I'm a little concerned about the routes, though:
Code:
Result of PIX command: "show route"
 
	outside 0.0.0.0 0.0.0.0 192.168.123.254 1 DHCP static
	inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
	outside 192.168.123.0 255.255.255.0 192.168.123.198 1 CONNECT static

Also, I do have another question - I am using the DHCP server functionality of the PIX, but I would like to give a print server a static internal IP. How would I do this? Thanks again. -j
 
Hi.

> I'm a little concerned about the routes, though
Your routing table seems fine to me.
The "CONNECT" lines are automatically generated from the "ip address ..." PIX configuration.

> but I would like to give a print server a static internal IP
No problem. Simply give it something like 192.168.1.200


Yizhar Hurwitz
 