Configuring cisco 2800,PIX 515E for internet access
  • Configuring cisco 2800,PIX 515E for internet access

    Hi all,
    I am new to this site and new to Cisco routers (ver 12.4(3i)) and PIX (ver 6.3(5)), but I have been tasked to configure these two devices for internet access at our remote site (which is already using an iDirect 3000 satellite router for the internet). This is the information I have:
    1. LAN IP address 172.16.0.0/20
    2. Default gateway of modem is *.*.*.113/248
    3. IP of modem is *.*.*.114/248
    4. I want to give *.*.*.115 to the outside of the PIX
    5. I want to give *.*.*.117 to the outside of the router
    6. *.*.*.118 is a free public IP
    7. Give 172.16.11.2 to the inside of the router
    8. Give 172.16.11.4 to the inside of the PIX
    9. I assume the connection to be like:
    PIX---SWITCH---ROUTER---iDIRECT MODEM---INTERNET.

    With this information, can somebody help me with a detailed configuration that I have to do on both the PIX and the router to get a connection from a workstation on the LAN to the outside, please?

    Thanks in advance.
    Last edited by awoyoo; 9th February 2009, 15:50.

  • #2
    Re: Configuring cisco 2800,PIX 515E for internet access

    This is what I have done so far, but I am still not able to pass traffic from within the PIX to the router or the modem.

    PIX 515E Config

    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password e&0QEuN7Un4xh4aV encrypted
    passwd e&0QEuN7Un4xh4aV encrypted
    hostname keeper
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outbound permit tcp 172.16.0.0 255.255.0.0 any www eq
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside *.*.*.115 255.255.255.248
    ip address inside 172.16.11.4 255.255.240.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 *.*.*.117
    route outside 0.0.0.0 0.0.0.0 *.*.*.116 1 (which is pointing to the external ip of the router)
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:6d5288c77b57710a6cae1dd9e603cdaa


    And the config for the router

    Current configuration : 2022 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone PCTime 0
    ip subnet-zero
    no ip source-route
    ip tcp synwait-time 10
    !
    !
    ip cef
    !
    !
    no ip bootp server
    ip domain name domain.com
    ip name-server *.*.*.30 (ISP DNS Server)
    !

    !
    !
    !
    interface FastEthernet0/0
    description Link to PIX
    ip address 172.16.11.2 255.255.240.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip route-cache flow
    duplex auto
    speed auto
    no mop enabled
    !
    interface FastEthernet0/1
    description Link to iDirect 3000 Router
    ip address *.*.*.117 255.255.255.248
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip route-cache flow
    duplex auto
    speed auto
    no mop enabled
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 *.*.*.113 (ISP default gateway)
    !
    ip http server
    ip http authentication local
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 102 interface FastEthernet0/0 overload
    !
    logging trap debugging
    access-list 102 permit ip 172.16.0.0 0.0.255.255 any
    no cdp run
    !
    control-plane
    !
    !
    line con 0
    login local
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    privilege level 15
    login local
    transport input telnet
    line vty 5 15
    privilege level 15
    login local
    transport input telnet
    !
    scheduler allocate 20000 1000
    !
    end


    Can someone please have a look at these two configurations and point me to the right thing to do? I did a test ping of the router's interfaces from the PIX, but I only get no response, and obviously I can't ping the modem interface either.


    • #3
      Re: Configuring cisco 2800,PIX 515E for internet access

      Something I noticed...
      Code:
      global (outside) 1 *.*.*.117
      I see the global statement with a NAT ID of 1, but not the corresponding nat statement that references the NAT ID.

      Something like this, using your ACL for reference:
      Code:
      access-list outbound permit tcp 172.16.0.0 255.255.0.0 any www eq
      nat (inside) 1 access-list outbound 0 0
      BTW: The posted ACL does not look right. I would think it needs to end with "eq www"



      • #4
        Re: Configuring cisco 2800,PIX 515E for internet access

        I have done the following changes to the PIX, but I still can't ping any of the router's interfaces or the modem. Does everything look OK with the PIX config and the router config? I am just lost.

        PIX Version 6.3(5)
        interface ethernet0 100full
        interface ethernet1 100full
        nameif ethernet0 outside security0
        nameif ethernet1 inside security100
        enable password eC0QEuN7qz4xh9kV encrypted
        passwd eC0QEuN7qz4xh9kV encrypted
        hostname keeper
        fixup protocol dns maximum-length 512
        fixup protocol ftp 21
        fixup protocol h323 h225 1720
        fixup protocol h323 ras 1718-1719
        fixup protocol http 80
        fixup protocol rsh 514
        fixup protocol rtsp 554
        fixup protocol sip 5060
        fixup protocol sip udp 5060
        fixup protocol skinny 2000
        fixup protocol smtp 25
        fixup protocol sqlnet 1521
        fixup protocol tftp 69
        names
        access-list outbound permit tcp 172.16.0.0 255.255.0.0 any eq www
        pager lines 24
        mtu outside 1500
        mtu inside 1500
        ip address outside *.*.*.115 255.255.255.248
        ip address inside 172.16.11.4 255.255.240.0
        ip audit info action alarm
        ip audit attack action alarm
        pdm history enable
        arp timeout 14400
        global (outside) 1 *.*.*.116
        nat (inside) 1 access-list outbound 0 0
        nat (inside) 1 172.16.0.0 255.255.0.0 0 0
        route outside 0.0.0.0 0.0.0.0 *.*.*.117 1 (router outside IP)
        timeout xlate 3:00:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
        timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
        timeout sip-disconnect 0:02:00 sip-invite 0:03:00
        timeout uauth 0:05:00 absolute
        aaa-server TACACS+ protocol tacacs+
        aaa-server TACACS+ max-failed-attempts 3
        aaa-server TACACS+ deadtime 10
        aaa-server RADIUS protocol radius
        aaa-server RADIUS max-failed-attempts 3
        aaa-server RADIUS deadtime 10
        aaa-server LOCAL protocol local
        no snmp-server location
        no snmp-server contact
        snmp-server community public
        no snmp-server enable traps
        floodguard enable
        telnet timeout 5
        ssh timeout 5
        console timeout 0
        terminal width 80
        Cryptochecksum:4ce543f56390f52be14fdd2cff326c7a



        • #5
          Re: Configuring cisco 2800,PIX 515E for internet access

          For testing I would remove this line:
          Code:
          nat (inside) 1 access-list outbound 0 0
          as you already have a line
          Code:
          nat (inside) 1 172.16.0.0 255.255.0.0 0 0
          You don't need much on the PIX to be able to ping externally.
          Code:
          interface ethernet0 100full
          nameif ethernet0 outside security0
          ip address outside *.*.*.115 255.255.255.248
          Basically those above, which you already have. This implies problems with the router setup.
          Can you make sure you set it to 100 Full as well, because it is on auto whereas the PIX is hard set.
          Last edited by AndyJG247; 11th February 2009, 09:41.
          cheers
          Andy

          Quis custodiet ipsos custodes?



          • #6
            Re: Configuring cisco 2800,PIX 515E for internet access

            AndyJG247,
            Can you please have a look at the router config and see if you can help me with where the problem might be?


            Current configuration : 2022 bytes
            !
            version 12.4
            no service pad
            service tcp-keepalives-in
            service tcp-keepalives-out
            service timestamps debug datetime msec localtime show-timezone
            service timestamps log datetime msec localtime show-timezone
            service password-encryption
            service sequence-numbers
            !
            hostname router
            !
            boot-start-marker
            boot-end-marker
            !
            security authentication failure rate 3 log
            security passwords min-length 6
            logging buffered 51200 debugging
            logging console critical
            !
            no aaa new-model
            !
            resource policy
            !
            clock timezone PCTime 0
            ip subnet-zero
            no ip source-route
            ip tcp synwait-time 10
            !
            !
            ip cef
            !
            !
            no ip bootp server
            ip domain name domain.com
            ip name-server *.*.*.30 (ISP DNS Server)
            !

            !
            !
            !
            interface FastEthernet0/0
            description Link to PIX
            ip address 172.16.11.2 255.255.240.0
            no ip redirects
            no ip unreachables
            no ip proxy-arp
            ip nat inside
            ip route-cache flow
            duplex auto
            speed auto
            no mop enabled
            !
            interface FastEthernet0/1
            description Link to iDirect 3000 Router
            ip address *.*.*.117 255.255.255.248
            no ip redirects
            no ip unreachables
            no ip proxy-arp
            ip nat outside
            ip route-cache flow
            duplex auto
            speed auto
            no mop enabled
            !
            ip classless
            ip route 0.0.0.0 0.0.0.0 *.*.*.113 (ISP default gateway)
            !
            ip http server
            ip http authentication local
            ip http timeout-policy idle 60 life 86400 requests 10000
            ip nat inside source list 102 interface FastEthernet0/0 overload
            !
            logging trap debugging
            access-list 102 permit ip 172.16.0.0 0.0.255.255 any
            no cdp run
            !
            control-plane
            !
            !
            line con 0
            login local
            transport output telnet
            line aux 0
            login local
            transport output telnet
            line vty 0 4
            privilege level 15
            login local
            transport input telnet
            line vty 5 15
            privilege level 15
            login local
            transport input telnet
            !
            scheduler allocate 20000 1000
            !
            end



            • #7
              Re: Configuring cisco 2800,PIX 515E for internet access

              Not so good on the routers I'm afraid. The only thing I would change is:

              Code:
              interface FastEthernet0/0 
              duplex full
              speed 100
              Assuming I have written that correctly.
              Then try pinging the IP from the PIX again.
              cheers
              Andy

              Quis custodiet ipsos custodes?



              • #8
                Re: Configuring cisco 2800,PIX 515E for internet access

                AndyJG247, I have done that but still can't ping any interface from the PIX. Just a quick one, is the connection below correct?

                LAN---172.16.11.4(inside)- PIX-78.138.15.115 (outside)----Crossover---172.16.11.2(inside)ROUTER-78.138.15.117(outside)---MODEM(78.138.15.114)------->GW(78.138.15.113)



                • #9
                  Re: Configuring cisco 2800,PIX 515E for internet access

                  What do you see on the PIX if you type "sho int e0" ?
                  Is there a link light on it?
                  cheers
                  Andy

                  Quis custodiet ipsos custodes?



                  • #10
                    Re: Configuring cisco 2800,PIX 515E for internet access

                    The link light is on. A show int e0 comes up with the following:

                    show int e0
                    interface ethernet0 "outside" is up, line protocol is up
                    Hardware is i82559 ethernet, address is 001e.1347.f4a7
                    IP address *.*.*.115, subnet mask 255.255.255.248
                    MTU 1500 bytes, BW 100000 Kbit full duplex
                    6 packets input, 360 bytes, 0 no buffer
                    Received 6 broadcasts, 0 runts, 0 giants
                    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
                    31 packets output, 1860 bytes, 0 underruns
                    0 output errors, 0 collisions, 0 interface resets
                    0 babbles, 0 late collisions, 0 deferred
                    0 lost carrier, 0 no carrier
                    input queue (curr/max blocks): hardware (128/12 software (0/1)
                    output queue (curr/max blocks): hardware (0/1) software (0/1)



                    • #11
                      Re: Configuring cisco 2800,PIX 515E for internet access

                      Hmm, sorry just been very silly. I didn't read your post fully.

                      Originally posted by awoyoo
                      Just a quick one, is the connection below correct?

                      PIX-78.138.15.115 (outside)----Crossover---172.16.11.2(inside)ROUTER
                      This will never work. The PIX outside is on a different subnet to the router's inside.

                      Can you even get rid of your router so it is just PIX to modem, depending on the device?
                      cheers
                      Andy

                      Quis custodiet ipsos custodes?
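                      A small consistency check written for this thread (added here; it is not code from any poster or from Cisco) covering the two faults raised in #3 and #11: a global whose NAT ID has no nat statement, and two directly cabled interfaces that sit on different subnets. All addresses below are constructed: the documentation range 203.0.113.0/29 stands in for the masked *.*.*.112/29 block, and the device and interface names are assumptions.

```python
import ipaddress

# Constructed sample in PIX 6.3 syntax, modelled on the first PIX config in the
# thread (a global with no nat statement). 203.0.113.0/29 (a documentation
# range) stands in for the masked public *.*.*.112/29 block: an assumption.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.115 255.255.255.248
ip address inside 172.16.11.4 255.255.240.0
global (outside) 1 203.0.113.117
route outside 0.0.0.0 0.0.0.0 203.0.113.116 1
"""

def parse_pix(text):
    """Collect interface addresses, routes, global IDs and nat IDs from PIX lines."""
    ifaces, routes, global_ids, nat_ids = {}, [], set(), set()
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"]:      # ip address <if> <addr> <mask>
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:1] == ["route"]:            # route <if> <net> <mask> <gateway> [metric]
            routes.append((t[1], ipaddress.ip_address(t[4])))
        elif t[:1] == ["global"]:           # global (<if>) <id> <addr>
            global_ids.add(t[2])
        elif t[:1] == ["nat"]:              # nat (<if>) <id> ...
            nat_ids.add(t[2])
    return ifaces, routes, global_ids, nat_ids

def check_pix(ifaces, routes, global_ids, nat_ids):
    """Flag gateways outside the egress interface's subnet and unpaired NAT IDs."""
    problems = []
    for ifname, gw in routes:
        net = ifaces[ifname].network
        if gw not in net:
            problems.append(f"route via {ifname}: gateway {gw} is not in {net}")
    for nat_id in sorted(global_ids - nat_ids):
        problems.append(f"global NAT id {nat_id} has no matching nat statement")
    return problems

# Constructed wiring as drawn in the thread: PIX outside cabled to the router's
# inside interface, router outside cabled to the modem.
ADDRS = {
    ("pix", "outside"): ipaddress.ip_interface("203.0.113.115/29"),
    ("router", "inside"): ipaddress.ip_interface("172.16.11.2/20"),
    ("router", "outside"): ipaddress.ip_interface("203.0.113.117/29"),
    ("modem", "lan"): ipaddress.ip_interface("203.0.113.114/29"),
}
LINKS = [(("pix", "outside"), ("router", "inside")),
         (("router", "outside"), ("modem", "lan"))]

def check_links(links, addrs):
    """Both ends of one cable must share a subnet, or neither can ARP for the other."""
    return [f"{a} {addrs[a]} and {b} {addrs[b]} are on different subnets"
            for a, b in links if addrs[a].network != addrs[b].network]
```

Running `check_pix(*parse_pix(PIX_CONFIG))` reports the unpaired NAT ID, and `check_links(LINKS, ADDRS)` reports only the PIX-to-router link, which is the mismatch Andy points out.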



                      • #12
                        Re: Configuring cisco 2800,PIX 515E for internet access

                        So if I change the PIX outside to 172.16.11.9, I should say that it will work. Is that right? I think I have to change the connection to read

                        Router---Pix--- Modem

                        I am thinking that way because I will later on configure a VPN client and a VPN tunnel. I just want to know if that connection will work later on for the VPN configuration. I will make the changes to the PIX outside and see how it goes. Will give you feedback soon.


                        • #13
                          Re: Configuring cisco 2800,PIX 515E for internet access

                          Neither the PIX nor the router is allowing me to change the IP to 172.16.11.9 (on the PIX outside) or *.*.*.118 (on the router inside). I am very confused now.


                          • #14
                            Re: Configuring cisco 2800,PIX 515E for internet access

                            This is getting into a bit of mess!

                            I don't know how your "modem" connects. You may not need the router at all. What happens if you plug the modem into e0 on the PIX? Can you ping the modem's IP address?
                            cheers
                            Andy

                            Quis custodiet ipsos custodes?



                            • #15
                              Re: Configuring cisco 2800,PIX 515E for internet access

                              Please provide me the topology of your setup,

                              From the system in LAN to ISP.

                              Cheers
                              DT
