Solved

Cisco 831 Router Question

Posted on 2005-04-11
Last Modified: 2010-04-17
We have a Cisco 831 Ethernet Broadband Router and a Cisco PIX 506E Firewall. I was trying to set these up yesterday and ran into an issue. The router forces you to enter a different subnet for the 4-port switch it has on it. I want to connect this directly into the firewall and have the outside interface of the firewall be on the same network as the WAN address. So, I want to plug an Ethernet cable into the switch on the router and the outside interface of the PIX and, for example, if the WAN address is 12.99.23.151, I want the PIX outside interface to be 12.99.23.150.

How can I disable this feature of the router so that I can do this, or is it even possible with this router? The PIX is a much better security appliance so of course I want to have this connected.
Question by:patrickmulcahy
22 Comments
 
LVL 11

Expert Comment

by:-Leo-
ID: 13754787
Of course you should have router interfaces on different subnets - otherwise you don't need a router!

Can you define your goals and needs? How many PCs are in your network? Maybe you don't need a router and the PIX will be enough for your network protection? I would suggest the following scheme (if you won't use a router):

 LAN--PIX--Internet but not LAN--PIX--Cisco831--internet
0
 

Author Comment

by:patrickmulcahy
ID: 13754870
I tried using just the PIX without a router but we could never get it working. What would be the configuration on the PIX for it to act as a router? Our settings are:

12.99.23.129 (DNS Server and Default Gateway - given to us by our ISP)
12.99.23.150 (IP I've setup as the PIX outside interface)
192.168.1.1 (PIX Inside interface)
0
 

Author Comment

by:patrickmulcahy
ID: 13754945
20 PCs and growing. We need lots of security as we are a medical device r&d corporation.
0
 

Author Comment

by:patrickmulcahy
ID: 13755001
Also, we have an Exchange server that has a private address 192.168.1.4 that we will be taking online this week. We need to have the router/firewall forward all requests for Exchange to this address. And the problem keeps growing.
0
 

Expert Comment

by:jeff221
ID: 13755022
Are you trying to do this:

INTERNET -> (Public IP Interface1) Cisco 831 (Public IP Interface2) -> (Public IP Interface1) Pix 506e (Private IP Interface2) -> LAN

Or like this:

INTERNET -> (Public IP Interface1) Cisco 831 (Private IP Interface2) -> LAN1
INTERNET -> (Public IP Interface2) Pix 506e (Private IP Interface2) -> LAN1
0
 
LVL 11

Accepted Solution

by:
-Leo- earned 2000 total points
ID: 13755025
Just add a default route to your PIX:
route outside 0.0.0.0 0.0.0.0 12.99.23.129 1

What do you mean by 'act as a router', by the way? Do you want to route your traffic to the internet?
You should configure NAT on the PIX so your PCs can access the internet ...
0
 

Expert Comment

by:jeff221
ID: 13755031
Ignore the above, check this again:

Are you trying to do this:

INTERNET -> (Public IP Interface1) Cisco 831 (Public IP Interface2) -> (Public IP Interface1) Pix 506e (Private IP Interface2) -> LAN

Or like this:

INTERNET -> (Public IP Interface1) Cisco 831 (Private IP Interface2) -> LAN1
INTERNET -> (Public IP Interface1) Pix 506e (Private IP Interface2) -> LAN1
0
 
LVL 11

Expert Comment

by:-Leo-
ID: 13755060
If you have an Exchange Server, I would suggest you obtain additional IP addresses from your ISP and translate them statically to your Exchange:

static (inside,outside) <external IP address> 192.168.1.4 netmask 255.255.255.255 0 0

Also, you will need at least one address for NAT. One more: where will your DNS be hosted? On your own LAN or at the provider's?
0
 

Author Comment

by:patrickmulcahy
ID: 13755061
>route outside 0.0.0.0 0.0.0.0 12.99.23.129 1

We tried this already. Didn't work.
We already have NAT configured on the PIX.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13755070
You have to put the router into bridge mode so that the WAN interface and the LAN interface are the same. Then you can use a crossover cable between the router and the PIX outside interface.

http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_guide_chapter09186a0080118d24.html

I caution you to rethink using 192.168.1.x on the inside. Why? Because that is the same IP subnet that 80% of the home market has on their home IP subnet on broadband, as well as thousands of businesses that take the default config out of the box. What's wrong with that? If you ever plan to use the VPN capabilities of the PIX, and want to VPN in from home, then you have the same IP subnet on both sides of the VPN. It simply does not work. Start out with a future-thinking configuration and use something a bit more obscure in the private IP space, like 192.168.189.x
Just my $0.02 from experience...
0
 

Author Comment

by:patrickmulcahy
ID: 13755078
The exchange server is also our DNS server for the AD (I have a forwarder added to it of 12.99.23.129 - the DNS server of our ISP).
0
 
LVL 11

Expert Comment

by:-Leo-
ID: 13755085
Can you ping the outside world from the PIX?
Can you ping the PIX from the LAN?
How are your PCs accepting IP addresses? DHCP? Where is the DHCP server?
Can you post the PIX config here?
0
 
LVL 11

Expert Comment

by:-Leo-
ID: 13755142
Do you have MX records in the DNS for your mail server? What IP addresses do they have?
0
 

Author Comment

by:patrickmulcahy
ID: 13755343
Here's the old config I was trying on the PIX that didn't work. That's why I bought a router also.
http://www.experts-exchange.com/Hardware/Routers/Q_21376260.html 
0
 
LVL 11

Expert Comment

by:-Leo-
ID: 13755401
I would suggest you remove all access-lists and leave only permit ip any any on the outbound interface, troubleshoot your connection and then work on security ...
Can you answer my questions in the previous messages?
Also, what default gateway do you have on your PCs? It should be the PIX internal address ...
0
 

Author Comment

by:patrickmulcahy
ID: 13755487
Couldn't ping from the PIX
Can ping the PIX from the LAN
DHCP is handled by the 192.168.1.4 server (same one Exchange and DNS are on)

The default gateway is the PIX internal interface.

I used the new router and it worked fine (without using the PIX also) so why don't I just use the router (it has a built-in firewall after all). I can then use the PIX to separate internal networks (for instance, we will be splitting the lab into a separate network for security reasons). I don't want to bother with having both anymore as it seems to be a big hassle.

Do any of you know how to set up port forwarding on the router?
0
 

Author Comment

by:patrickmulcahy
ID: 13755646
Or I'll just have to do NAT twice.

Router (166.127.202.150) -> 10.0.0.1 -> PIX OUTSIDE (10.0.0.2) -> PIX INSIDE (192.168.1.1)
0
 
LVL 11

Expert Comment

by:-Leo-
ID: 13755653
OK, so first you have to establish proper communication PIX-internet, then work on other stuff.

Can you remove all access lists on the PIX and leave only "permit ip any any" on the outbound interface?

I have the same PIX working fine ...
0
 

Author Comment

by:patrickmulcahy
ID: 13755673
I'll give it a shot tonight.
0
 
LVL 11

Expert Comment

by:-Leo-
ID: 13755727
It is not a very good idea to do NAT twice (in your case) - actually, just a waste of time and equipment ...
Try to work on your PIX, the right config should be easy: just leave access list "permit ip any any" (by default your outside interface will not pass any packets). When you establish ping PIX->internet, you can work on NAT and other stuff ...
0
 

Author Comment

by:patrickmulcahy
ID: 13756111
Don't I have to permit icmp packets as well (if I want to be able to ping)? So, shouldn't it look like this:

access-list outbound permit ip any any
access-list outbound permit icmp any any
0
 
LVL 11

Expert Comment

by:-Leo-
ID: 13759704
Yes, but for the beginning, just open ALL ports, to see if it will work and then you can create your security policy!
0
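
The two-stage approach discussed in the thread (open the lists to prove connectivity, then write the security policy and publish Exchange), sketched as an added PIX 6.x configuration that is not from any poster. The ACL names, the 192.168.1.0/24 LAN mask and the outbound rule set are assumptions; `<external IP address>` is the placeholder used in the thread.

```cisco
: Added example for PIX 6.x; ACL names and <placeholders> are assumptions.
: Assumes the LAN is 192.168.1.0/24 (inferred from 192.168.1.1 and 192.168.1.4).

: ---- State A: temporary, only while proving PIX-to-Internet connectivity ----
route outside 0.0.0.0 0.0.0.0 12.99.23.129 1
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
access-list outbound permit ip any any
access-group outbound in interface inside
: Echo replies to LAN pings arrive on the outside interface and need a permit
access-list inbound permit icmp any any echo-reply
access-group inbound in interface outside

: ---- State B: policy that replaces the test lists once ping works ----
: Publish the Exchange server on its own public address, SMTP only
static (inside,outside) <external IP address> 192.168.1.4 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host <external IP address> eq smtp
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside
: Outbound (assumed policy): the mail/DNS server sends SMTP and DNS,
: clients get web; everything else falls to the implicit deny
access-list outbound permit tcp host 192.168.1.4 any eq smtp
access-list outbound permit udp host 192.168.1.4 any eq domain
access-list outbound permit tcp host 192.168.1.4 any eq domain
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list outbound permit icmp 192.168.1.0 255.255.255.0 any echo
access-group outbound in interface inside
```

State A's `permit ip any any` is a diagnostic setting; `show access-list` hit counters show which State B lines are actually matched before the test entries are removed.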
