
PIX 501 and ADSL Modem


cygnusman (IS-IT--Management, GB), Jun 19, 2002
Dear All,

I am trying to set up a PIX 501 between our LAN and a BT ADSL modem/internet router. I can ping the inside interface and the router IP address but get no connection to the internet.

Following is my config. Your pointers to correct the problem would be appreciated.

IP addresses inside are fixed and the router address is likewise.

: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_access_in permit tcp 192.0.0.0 255.0.0.0 11.0.0.0 255.0.0.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 11.22.33.44 255.0.0.0
ip address inside 192.168.254.253 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.254.251 255.255.255.255 inside
pdm history enable
arp timeout 14400
static (inside,outside) 11.0.0.0 192.0.0.0 netmask 255.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.254.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.254.251 255.255.255.255 inside
http 192.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3543562c1deda7d20d8ff33821724eb0
: end

Many thanks.

Cygnusman
 
Just a shot, but shouldn't your default route outside be pointing to an external gateway?

route outside 0.0.0.0 0.0.0.0 192.168.254.254 1

Try changing it to the outside gateway IP...

route outside 0.0.0.0 0.0.0.0 11.xxx.xxx.xxx 1

Where "11.xxx.xxx.xxx" is the IP of your external gateway.

 
Hi.

* The following line is simply wrong, and also blocks ICMP, so you should remove it:
access-list inside_access_in permit tcp 192.0.0.0 255.0.0.0 11.0.0.0 255.0.0.0


* Use PDM - it will help you.


* You should test outbound connections using TCP, like telnet/http etc...
Ping will not work without first allowing the return ICMP traffic.


* Try to remove the "static" statement, and then add the following lines:

global 1 interface
nat 1 0 0


* Use syslog messages or PDM logging to get more info:

logging on
logging buffer 4
(Use higher levels for debugging)
show log
(Use "clear log" to start fresh if needed).

Bye
Yizhar Hurwitz
 
Hi there,

I have a similar setup and think that the problem may be your IP addressing, as follows:

BT NAT DSL routers are generally configured as:
outside ip: xxx.xxx.xxx.xxx
inside IP: 192.168.254.254 255.255.255.0
DHCP enabled

To put your Cisco box between these two you need to create a separate internal subnet, i.e.:

192.168.10.0 255.255.255.0

give your pix the following addresses:

ip address outside 192.168.254.253 255.0.0.0
ip address inside 192.168.10.253 255.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.254.254 1

then let your PIX handle the DHCP addressing on the 192.168.10.0 subnet (or any addressing you want as it is inside, but make sure that the PIX inside IP matches the internal subnet).

Try using Yizhar's PIX config tool on his website (URL above) it sorts out most things and is excellent.


Good luck and let us know how it is going

Cheers

Mark
 
Dear All,

Seems I was being stupid all along. My outside interface ip was not finding the router. Changed to match router ip range and now seems OK for basic http access.

Many thanks,

Cygnusman
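The fault cygnusman found is a structural one: the default route named the outside interface but pointed at a gateway (192.168.254.254) that was not inside the outside interface's subnet (11.0.0.0/8), so the PIX could never ARP for it. That rule, plus the related rule that interface subnets must not overlap, can be checked mechanically before a config is loaded. The script below is an added example written for this thread, not code from the original posters or from Cisco; it parses only the `ip address` and `route` statements of a PIX 6.x style config with Python's standard `ipaddress` module. The sample configs are constructed: the first reproduces the addressing from the original post, the second is an assumed corrected layout with /24 masks, and the third shows what happens when 255.0.0.0 masks are used on both interfaces (both end up in 192.0.0.0/8 and the overlap check fires).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample 1: the addressing lines from the original post in this thread.
ORIGINAL_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 11.22.33.44 255.0.0.0
ip address inside 192.168.254.253 255.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.254.254 1
"""

# Constructed sample 2: an assumed corrected layout (values are illustrative, not from the thread).
FIXED_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.254.253 255.255.255.0
ip address inside 192.168.10.253 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.254.254 1
"""

# Constructed sample 3: same layout, but with 255.0.0.0 on both interfaces.
FLAT_MASK_CONFIG = """
ip address outside 192.168.254.253 255.0.0.0
ip address inside 192.168.10.253 255.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.254.254 1
"""

Route = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_pix(config: str) -> Tuple[Dict[str, ipaddress.IPv4Interface], List[Route]]:
    """Pull 'ip address <if> <addr> <mask>' and 'route <if> <dst> <mask> <gw> [metric]'
    statements out of PIX-style config text; everything else is ignored."""
    interfaces: Dict[str, ipaddress.IPv4Interface] = {}
    routes: List[Route] = []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) == 5 and tok[:2] == ["ip", "address"]:
            # IPv4Interface accepts a dotted netmask after the slash.
            interfaces[tok[2]] = ipaddress.IPv4Interface(f"{tok[3]}/{tok[4]}")
        elif len(tok) >= 5 and tok[0] == "route":
            dest = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}")
            routes.append((tok[1], dest, ipaddress.IPv4Address(tok[4])))
    return interfaces, routes


def check_config(config: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means both checks passed."""
    interfaces, routes = parse_pix(config)
    findings: List[str] = []

    # Check 1: a route's next hop must be directly reachable on the interface the route names,
    # otherwise the firewall cannot resolve the gateway's MAC address and traffic goes nowhere.
    for ifname, dest, gw in routes:
        iface = interfaces.get(ifname)
        if iface is None:
            findings.append(f"route {dest} via {gw}: unknown interface {ifname}")
        elif gw not in iface.network:
            findings.append(
                f"route {dest} via {gw}: gateway is not on {ifname} subnet {iface.network}"
            )

    # Check 2: interface subnets must not overlap, or the PIX cannot decide which side a host is on.
    names = sorted(interfaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if interfaces[a].network.overlaps(interfaces[b].network):
                findings.append(
                    f"{a} {interfaces[a].network} overlaps {b} {interfaces[b].network}"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG),
                       ("fixed", FIXED_CONFIG),
                       ("flat masks", FLAT_MASK_CONFIG)):
        print(f"[{label}]")
        for line in check_config(cfg) or ["ok"]:
            print("  " + line)
```

Run against the original post's addressing the script reports only the gateway-not-on-subnet finding, which is exactly the mismatch cygnusman fixed by moving the outside address into the router's range; the /24 layout passes both checks.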
 