On May 28, 3:58 pm, KDawg44 <kdaw...@gmail.com> wrote:
> On May 28, 3:32 pm, KDawg44 <kdaw...@gmail.com> wrote:
>
> > On May 28, 2:57 pm, KDawg44 <kdaw...@gmail.com> wrote:
>
> > > Hi,
>
> > > My network was:
>
> > > DSL Modem --- Pix501 --- internal
>
> > > My Pix outside interface got the IP dynamically with the ip address
> > > outside dhcp setroute command. This worked fine.
>
> > > I recently switched to Comcast because my DSL speed wasn't cutting
> > > it. So now my network looks like
>
> > > Cable Modem (Motorola SB5120) ---- Pix501 --- internal.
>
> > > However, my Pix is NOT getting an ip address. If I hook the cable
> > > modem directly up to my laptop, I pull a public IP from comcast just
> > > fine. However, it does not ever make it to the Pix.
>
> > > Has anyone had any experience with this? Here is my Pix501 config:
>
> > > # sh run
> > > : Saved
> > > :
> > > PIX Version 6.3(1)
> > > interface ethernet0 auto
> > > interface ethernet1 100full
> > > nameif ethernet0 outside security0
> > > nameif ethernet1 inside security100
> > > enable password RjxwMfnaOAPiNqIq encrypted
> > > passwd 2KFQnbNIdI.2KYOU encrypted
> > > hostname
> > > domain-name westlandrdc.mi.mich.comcast.net
> > > fixup protocol ftp 21
> > > fixup protocol h323 h225 1720
> > > fixup protocol h323 ras 1718-1719
> > > fixup protocol http 80
> > > fixup protocol ils 389
> > > fixup protocol rsh 514
> > > fixup protocol rtsp 554
> > > fixup protocol sip 5060
> > > fixup protocol sip udp 5060
> > > fixup protocol skinny 2000
> > > fixup protocol smtp 25
> > > fixup protocol sqlnet 1521
> > > names
> > > access-list allow_inside_traffic permit ip any any
> > > access-list VPN_ACL permit ip SCRUBBED
> > > access-list NO_NAT permit ip SCRUBBED
> > > pager lines 24
> > > mtu outside 1500
> > > mtu inside 1500
> > > ip address outside dhcp setroute retry 5
> > > ip address inside INTERNAL_IP_RANGE
> > > ip audit info action alarm
> > > ip audit attack action alarm
> > > ip local pool vpn_pool VPN_POOL_RANGE
> > > pdm history enable
> > > arp timeout 14400
> > > global (outside) 1 interface
> > > nat (inside) 1 INTERNAL_RANGE
> > > access-group VPN_ACL in interface outside
> > > access-group allow_inside_traffic in interface inside
> > > rip outside default version 2
> > > rip inside default version 2
> > > timeout xlate 3:00:00
> > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
> > > 1:00:00
> > > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > timeout uauth 0:05:00 absolute
> > > aaa-server radius-authport 1812
> > > aaa-server TACACS+ protocol tacacs+
> > > aaa-server RADIUS protocol radius
> > > aaa-server RADIUS (inside) host SCRUBBED
> > > aaa-server LOCAL protocol local
> > > aaa-server AuthVPN protocol radius
> > > aaa-server AuthVPN (inside) host SCRUBBED
> > > no snmp-server location
> > > no snmp-server contact
> > > snmp-server community public
> > > no snmp-server enable traps
> > > floodguard enable
> > > sysopt connection permit-ipsec
> > > crypto ipsec transform-set
> > > crypto dynamic-map dynmap
> > > crypto map IPSec_Map
> > > crypto map IPSec_Map
> > > crypto map IPSec_Map interface outside
> > > isakmp enable outside
> > > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> > > isakmp nat-traversal 20
> > > isakmp policy 10 authentication pre-share
> > > isakmp policy 10 encryption aes-256
> > > isakmp policy 10 hash sha
> > > isakmp policy 10 group 2
> > > isakmp policy 10 lifetime 86400
> > > vpngroup DfltGrpPolicy idle-time 1800
> > > vpngroup HolleranVPN address-pool vpn_pool
> > > vpngroup HolleranVPN idle-time 1800
> > > vpngroup HolleranVPN password ********
> > > vpngroup acl-vpn split-tunnel VPN_ACL
> > > vpngroup acl-vpn idle-time 1800
>
> > > console timeout 0
> > > username password encrypted privilege 2
> > > terminal width 80
> > > Cryptochecksum:9c0f5f277fe4d070bacdbdefb54fb9e3
> > > : end
>
> > On top of that, now I just re-entered the ip address outside dhcp
> > setroute command and it grabbed an IP address.... of my old DSL line
> > which is not hooked up! (completely turned off, disconnected, no
> > cables to the equipment at all...). This is NOT a comcast IP
> > address.... could the PIX be caching something? Is there a way to
> > clear some kind of cache on the PIX? Like I said before, if I hook my
> > laptop directly up to the cable modem, I get the comcast public IP on
> > their network (a 68.40.132. address), now suddenly the PIX either gets
> > nothing or it is showing a 71.205.216.140 address, which looks just
> > like my old DSL addresses from AT&T.
>
> > Someone help me as I am stuck here....
>
> > Thanks.
>
> > Kevin
>
> OK, so I read some stuff about Comcast & the cable modem caching the
> MAC address of the unit for the DHCP address. So basically, when the
> guy hooked my laptop up directly to the cable modem on install of the
> service to test, it recorded that MAC and will not allow another MAC
> (say, a PIX) to receive an address for X amount of time.... Has anyone
> else heard of this?
>
> Thanks.
>
> Kevin
OK, all is well now, though I am not 100% sure why, but a few more
reboots of the cable modem, then rebooting my DNS/DHCP server, did the
trick...
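Added example, not part of Kevin's posts and not code from Cisco, Comcast or Motorola: the thread's explanation is that the cable modem binds the first CPE MAC address it sees in a DHCP request and ignores a different MAC (the PIX) until the modem is power-cycled. The script below builds a real DHCPDISCOVER (RFC 2131 header plus options 53, 61 and 55), parses it back to show which field carries the MAC the modem keys on (chaddr, duplicated in the option-61 client identifier), and models that one-MAC lock in a small class. The lock model is an assumed simplification of the behaviour described in the thread, not a verified description of the SB5120 firmware; the MAC addresses are constructed sample values.

```python
"""Build/parse DHCPDISCOVER and model a cable modem that locks to the first
CPE MAC it sees (assumed model of the behaviour described in the thread)."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # RFC 2131 options marker
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # fixed 236-byte BOOTP header

# Constructed sample MACs: the laptop the installer plugged in, and the PIX.
LAPTOP_MAC = "00:11:22:33:44:55"
PIX_MAC = "00:0a:0b:0c:0d:0e"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_discover(mac: str, xid: int = 0x3903F326) -> bytes:
    """DHCPDISCOVER: op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6,
    flags=0x8000 (ask for a broadcast reply), chaddr = client MAC."""
    chaddr = mac_bytes(mac).ljust(16, b"\x00")
    header = struct.pack(HEADER_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    options = (b"\x35\x01\x01"                     # 53: message type DISCOVER
               + b"\x3d\x07\x01" + mac_bytes(mac)  # 61: client-id (htype + MAC)
               + b"\x37\x03\x01\x03\x06"           # 55: want mask, router, DNS
               + b"\xff")                          # 255: end of options
    return header + MAGIC_COOKIE + options


def parse_dhcp(pkt: bytes) -> dict:
    """Return op, xid, the hardware address (chaddr) and a dict of options."""
    fields = struct.unpack(HEADER_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    hlen = fields[2]
    chaddr = fields[11][:hlen]
    opts = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0xFF:          # end
            break
        if code == 0:             # pad
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4],
            "chaddr": chaddr.hex(":"), "options": opts}


class CpeLockedModem:
    """Assumed model: the modem remembers the first CPE chaddr that sends a
    DISCOVER and drops DISCOVERs from any other MAC until it is power-cycled.
    Real modems/ISPs may key on option 61 or expire the binding on a timer."""

    def __init__(self):
        self.locked_mac = None

    def handle(self, pkt: bytes) -> str:
        msg = parse_dhcp(pkt)
        if msg["options"].get(53) != b"\x01":   # only DISCOVER matters here
            return "ignored"
        if self.locked_mac is None:
            self.locked_mac = msg["chaddr"]     # first CPE seen wins the lock
        return "forwarded" if msg["chaddr"] == self.locked_mac else "dropped"

    def power_cycle(self):
        self.locked_mac = None                  # reboot clears the binding


def replay_install_scenario() -> list:
    """Installer tests with the laptop, then the PIX is plugged in, then the
    modem is rebooted and the PIX tries again."""
    modem = CpeLockedModem()
    results = [modem.handle(build_discover(LAPTOP_MAC)),
               modem.handle(build_discover(PIX_MAC))]
    modem.power_cycle()
    results.append(modem.handle(build_discover(PIX_MAC)))
    return results


if __name__ == "__main__":
    print(parse_dhcp(build_discover(PIX_MAC)))
    print(replay_install_scenario())
```

The practical takeaway matches what the thread arrived at: when swapping the device behind a consumer cable modem, power-cycle the modem so it forgets the old chaddr before the new device sends its first DISCOVER; if the ISP side also pins the lease to the old client identifier, the old lease has to expire or be released first.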