Pix 506E configuration for a newbie

Discussion in 'Cisco' started by ebabin, Feb 2, 2005.

  1. ebabin

    ebabin Guest

    Can anyone point me to some "easily understandable" directions to
    configure this PIX? Simple task -- build a firewall for my inside LAN
    (no VPN). So far I've got the PIX providing DHCP services to my inside
    LAN and the outside interface receives its IP address from a cable
    modem.

    Problem is, I can't get from the inside to the outside. I'm sure it's a
    routing problem, but the command line interface syntax is different
    from the routers I've used in the past, so even to modify the route I
    get an error.

    sho route
    outside 0.0.0.0 0.0.0.0 69.26.119.1 1 DHCP static
    outside 69.26.119.0 255.255.255.0 69.26.119.53 1 CONNECT static
    inside 192.168.0.0 255.255.255.0 192.168.0.10 1 CONNECT static
     
    ebabin, Feb 2, 2005
    #1

  2. :Can anyone point me to some "easily understandable" directions to
    :configure this PIX? Simple task -- build a firewall for my inside LAN
    :(no VPN). So far I've got the PIX providing DHCP services to my inside
    :LAN and the outside interface receives its IP address from a cable
    :modem.

    Factory default settings on the 506E have all of that except perhaps
    the DHCP service to the inside LAN.

    :Problem is, I can't get from the inside to the outside. I'm sure it's a
    :routing problem,

    My speculation would be that you are missing a 'global' statement.

    :inside 192.168.0.0 255.255.255.0 192.168.0.10 1 CONNECT static


    ip address inside 192.168.0.1 255.255.255.0
    ip address outside dhcp setroute
    ip local pool MyDHCPPool 192.168.0.16-192.168.0.240
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    global (outside) 1 interface

    That and the dhcpd settings are about all you need.
     
    Walter Roberson, Feb 2, 2005
    #2

  3. ebabin

    ebabin Guest

    To no avail. All but the nat entries were already in my running config
    as now I have the following (including 2 nat entries):

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    ip address outside dhcp setroute
    ip address inside 192.168.0.10 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    dhcpd address 192.168.0.100-192.168.0.200 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
     
    ebabin, Feb 2, 2005
    #3
  4. :To no avail. All but the nat entries were already in my running config
    :as now I have the following (including 2 nat entries):

    :PIX Version 6.3(1)

    Known security problem in that version, known nasty bug in the
    next, known security problem in the one after that... so best upgrade
    to 6.3(4).

    The rest of your configuration looks okay. Try traceroute (or
    tracert) to somewhere, by IP if need be.

    Also, you mentioned cable modem: some cable modem companies lock
    down by MAC address. For some the cure is as simple as power-cycling
    the cable modem; for others, you have to ask them to change the MAC.

    I suggest you turn on logging, up to level 6, such as

    logging buffered 6

    and then start a connection and then "show log". That should give
    you a better idea of where the problem is.
     
    Walter Roberson, Feb 2, 2005
    #4
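An added example, not code from the thread or from Cisco: a small Python lint that applies the checks raised in the replies above to a PIX 6.x running config, namely that every non-zero `nat` id has a matching `global` statement, that the version is not older than the recommended 6.3(4), and that `logging buffered` is turned on before troubleshooting. The sample config is constructed from the poster's own lines, and the regexes assume the `nat (iface) id ...` / `global (iface) id ...` syntax shown in the thread.

```python
import re

# Constructed sample: the poster's second running config, trimmed to the lines
# this lint actually reads. It has the missing-'global' problem diagnosed above.
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
ip address inside 192.168.0.10 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
dhcpd enable inside
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")
VERSION_RE = re.compile(r"^PIX Version (\d+)\.(\d+)\((\d+)\)")
RECOMMENDED = (6, 3, 4)  # the release the reply recommends upgrading to


def lint_pix_config(text):
    """Return a list of finding strings for a PIX 6.x running config."""
    nat_ids, global_ids, findings = {}, set(), []
    version, has_logging = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            # several 'nat' lines may share one id; remember every interface using it
            nat_ids.setdefault(int(m.group(2)), set()).add(m.group(1))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(int(m.group(2)))
        elif m := VERSION_RE.match(line):
            version = tuple(int(x) for x in m.groups())
        elif line.startswith("logging buffered"):
            has_logging = True
    for nat_id, ifaces in sorted(nat_ids.items()):
        if nat_id == 0:
            continue  # nat 0 is identity NAT and never needs a global pool
        if nat_id not in global_ids:
            findings.append(f"nat id {nat_id} on {sorted(ifaces)} has no matching 'global' statement")
    if version is None:
        findings.append("no 'PIX Version' line found")
    elif version < RECOMMENDED:
        findings.append(f"PIX Version {version[0]}.{version[1]}({version[2]}) is older than 6.3(4)")
    if not has_logging:
        findings.append("no 'logging buffered' line; add 'logging buffered 6' before testing")
    return findings


if __name__ == "__main__":
    for finding in lint_pix_config(SAMPLE_CONFIG):
        print(finding)
```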
