halcyone asked:

Pix 501 Config Help - Test Basic Setup and connect to BT DSL


I have a PIX 501E I want to configure to connect to a DSL connection via DHCP on the outside interface and to the network on the inside interface. I want to open everything so I can test connectivity and learn, and test as I shut things down, because I am new to this business - and you guys are great....

So far my outside interface connected to the DSL gateway via a hub is not getting an IP.
- I can't ping between my inside interface and ( I only get echo replies)

- Why can my outside interface not get a DHCP address when my Windows PC connected to the same hub can?
- Why can't I ping on my inside interface?

Thanks in advance

IANTRADING(config)# ping
12: ICMP echo reply (len 32 id 9233 seq 0) >
        113: ICMP echo reply (len 32 id 9233 seq 1) > response received -- 0ms
        114: ICMP echo reply (len 32 id 9233 seq 2) > response received -- 0ms response received -- 0ms
IANTRADING(config)# wr t
Building configuration...
: Saved
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ouGHk7Yho3Yj78Im encrypted
passwd ouGHk7Yho3Yj78Im encrypted
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list IAN permit icmp any any
access-list IAN permit tcp any any eq 2823
access-list IAN permit tcp any any eq 2824
access-list IAN permit tcp any any eq www
access-list IAN permit udp any any eq domain
access-list IAN permit udp any any eq 9005
access-list IAN permit tcp any any eq 9005
access-list IAN permit tcp any any eq 8105
access-list IAN permit udp any any eq 8100
access-list acl_out permit icmp any any
pager lines 22
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
access-group acl_out in interface outside
access-group IAN in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet inside
telnet timeout 10
ssh timeout 5
dhcpd ping_timeout 750
terminal width 80
: end
Les Moore replied:

billwharton replied:

I would like to know if you are able to get an IP address on the PIX outside interface in the first place.

Try this command:
show ip

If you see the outside interface has received a valid IP address, then follow lrmoore's instructions. If you aren't able to get an IP address, then we'll troubleshoot it further.
halcyone replied:

Thanks for the quick response. I am pinging ( now I know I was before too)

More NB. I am getting an outside IP from the DSL GW after rebooting it and the PIX ! Yay

- Why do I need to add the nat (inside) 1
I have a 2900 L2 switch, a PIX with 2 interfaces, and a 2600 router with two interfaces. I want to have two separate VLANs and internet coming in through DSL via the PIX on any of the VLANs or a separate one. Is there a way to do this with this equipment, i.e. how do the hosts know where to go for internet and where to go for the other segment (routing statements)? Another option I am considering is to introduce an AP so that the DSL connects to the PIX, and the PIX to an AP with routing functionality, and each VLAN has a connection into the AP. Any ideas?

Thanks for your help so far, won't be long now.


You absolutely must have this, the PIX won't work without it:
  nat (inside) 1
or this, to include "any" network on your inside:
  nat (inside) 1 0 0

We'll work on the VLAN topology (yes, it is doable) if you will open a new question. If your first problem has been solved, please close it out and open a new question for the VLANS. This keeps the threads to 1 issue, 1 resolution and makes for a cleaner, easier to search database. Thanks!
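As an added example (not code from this thread), a small Python check that parses a PIX 6.x style configuration and reports any global pool whose id has no nat statement on the other side, which is the mismatch the answer above describes. The config text is a constructed excerpt in the shape of the posted one, with placeholder values.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the PIX 6.x config posted in the
# question (placeholder values, not the poster's real addresses). It has the
# global pool but not the nat statement that pairs with it.
PIX_CONFIG_BEFORE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
global (outside) 1 interface
access-group acl_out in interface outside
access-group IAN in interface inside
"""

# The same config with the statement the answer says is required.
PIX_CONFIG_AFTER = PIX_CONFIG_BEFORE + "nat (inside) 1 0 0\n"

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")


def check_nat_pairing(config: str) -> list[str]:
    """Return one finding per NAT id that exists on only one side.

    On PIX 6.x a flow from a higher-security interface (inside) to a
    lower-security one (outside) is translated only when a 'nat (ifname) N'
    rule shares its id N with a 'global (ifname) N' pool. With only the
    global half present the PIX has no translation and the traffic is
    dropped. Id 0 is the identity/no-NAT case and needs no global pool.
    """
    globals_by_id: dict[str, set[str]] = defaultdict(set)
    nats_by_id: dict[str, set[str]] = defaultdict(set)
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            globals_by_id[m.group(2)].add(m.group(1))
        elif m := NAT_RE.match(line):
            nats_by_id[m.group(2)].add(m.group(1))

    findings = []
    for nat_id in sorted(set(globals_by_id) | set(nats_by_id)):
        if nat_id not in nats_by_id:
            findings.append(f"global id {nat_id} on {sorted(globals_by_id[nat_id])} "
                            "has no matching nat statement")
        elif nat_id != "0" and nat_id not in globals_by_id:
            findings.append(f"nat id {nat_id} on {sorted(nats_by_id[nat_id])} "
                            "has no matching global pool")
    return findings
```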
Thanks, that was excellent. I will post another question regarding the VLANs. Thanks for your help.