brownmab53
Technical User
Hello,
I currently have a Cisco PIX 525 firewall running version 7.0(1) and ASDM 5.0(4). It is running in transparent mode, and it is connected between my Time Warner Cable [TWC] modem and F0/0 on my Cisco 3660 router. When I reload the router, the router cannot obtain the DHCP IP address from TWC. I have to disconnect the LAN cable from the PIX outside interface and connect it directly to the F0/0 on the router, allow the DHCP address to be obtained, and then reconnect the TWC modem back to the outside interface. About every 24 hours, I have to repeat the same process when the router's DHCP lease ends. I know there are other ways around it (i.e. configuring the PIX in routed mode, or getting rid of the PIX and using the firewall ability in the router's IOS), but this is the hardware configuration I would like to use. I am unfamiliar with setting up a PIX / firewall, and I would like to use this as one of my many learning experiences. (This was posted in the router page, but I was informed it belonged here.) I was informed that this is not possible in transparent mode.
Diagram:
PIX Configuration Summary:
PIX Version 7.0(1)
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet2
speed 100
duplex full
nameif management
security-level 0
ip address 192.168.201.8 255.255.255.0
management-only
!
object-group service dhcpPorts tcp
description TCP DHCP Ports
port-object range 67 68
object-group service dhcpServices udp
description UDP Dhcp Ports
port-object eq bootps
port-object eq bootpc
object-group icmp-type ICMP-INBOUND
description Permit necessary ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
ssh timeout 5
console timeout 0
dhcprelay server 142.254.136.237 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
: end
Router Configuration Summary:
version 12.4
!
interface FastEthernet0/1
description WAN connection to the internet through ISP
ip address 192.168.10.2 255.255.255.0
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet1/0-15/0
!
interface FastEthernet2/0
description Connected to Fiber Optic LAN
ip address 192.168.0.1 255.255.255.0
ip virtual-reassembly
full-duplex
!
interface Content-Engine3/0
ip address 192.168.101.1 255.255.255.0
service-module external ip address 192.168.201.9 255.255.255.0
service-module ip address 192.168.101.2 255.255.255.0
service-module ip default-gateway 192.168.101.1
!
interface Vlan1
description Connected to Wired-Wireless LAN
ip address 192.168.201.1 255.255.255.0
ip virtual-reassembly
!
router rip
version 2
network 192.168.0.0
network 192.168.10.0
network 192.168.101.0
network 192.168.201.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.101.0 0.0.0.255
access-list 10 permit 192.168.201.0 0.0.0.255
!
end
What PIX IOS command sequence, or ASDM configuration screen(s) settings, would I use to allow DHCP IP and DNS requests and addresses to pass through to the inside interface and ultimately the router? Could I get a sample configuration?
Thanks,
brownamb53
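Added example, not part of brownmab53's post and not a Cisco reference configuration: what the access-list approach to passing DHCP looks like on a PIX 7.0 that is actually in transparent mode. It assumes the TWC DHCP server answers from the outside side; the management address and the INSIDE_IN access-list name are my own choices.

```cisco
! Assumed: the PIX really is bridging (firewall transparent). In that mode the
! box carries one management address for the bridge; the per-interface
! "ip address" and the "nat"/"global" lines in the posted summary are
! routed-mode only and are rejected or ignored here.
firewall transparent
ip address 192.168.10.1 255.255.255.0
!
! Client side: the router's DHCPDISCOVER/REQUEST leaves as a broadcast from
! UDP 68 (bootpc) to UDP 67 (bootps). Binding an ACL to inside replaces the
! implicit high-to-low permit, so a broad permit follows the DHCP line; that
! broad permit is also what lets the router's DNS queries (UDP/TCP 53) out,
! with the replies handled by the stateful connection table.
access-list INSIDE_IN extended permit udp any eq bootpc any eq bootps
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Server side: DHCPOFFER/ACK come back from bootps to bootpc, as unicast or
! broadcast, so they need an explicit permit on the low-security interface.
! The existing ICMP permit from the post is kept alongside it.
access-list INBOUND extended permit udp any eq bootps any eq bootpc
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-group INBOUND in interface outside
!
! dhcprelay is not supported in transparent mode on 7.0; with the two ACLs
! above it is not needed, so drop it instead of leaving a dead config line.
no dhcprelay enable inside
!
! Verification after the router reloads: the hit counters on both UDP lines
! should increment. Zero hits on INBOUND with hits on INSIDE_IN means the
! request left but no offer came back through the outside interface.
show access-list INSIDE_IN
show access-list INBOUND
```

Note that the router lease renewals every 24 hours are unicast REQUEST/ACK exchanges to the server's address, and the same two UDP permits cover those.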