Configuring a PIX 506e with a 1720 router and static IP DSL.

Posted on 2005-05-08
Last Modified: 2013-11-16
Hello, I need someone to walk me through fixing this configuration and possibly making any recommendations that would make this a better setup.  I have a 1720 router with 2 1wic-enet cards, I have 4 static IPs from my ISP, and a PIX 506e that I would like to get running.  The configs for both are below.  My IP range is   I can currently ping the gateway from the 1720 but I cannot ping or 33 which are my DNS servers.  I can ping my PIX.  The setup currently is outside 1720 inside, outside PIX, inside PIX; I also have a 1900 and 2820 switch.  All of this is for learning purposes.  I am very new to this so will need walking through it.  Please don't assume I know a common step.  I will be on tomorrow sometime afternoon to pick this up; I have been working on it all night.  I don't think this will be all that difficult, but because of the patience involved this is worth 500 pts to me for the learning experience.

PIX Config
sh run
: Saved
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_outbound_nat0_acl permit ip interface inside
access-list inside_outbound_nat0_acl permit ip interface inside
access-list outside_cryptomap_dyn_20 permit ip any
access-list outside_cryptomap_dyn_40 permit ip any
access-list outside_access_in permit icmp interface outside host
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn
pdm location outside
pdm location inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) dns netmask 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside pix.bin
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
vpngroup csc address-pool vpn
vpngroup csc dns-server
vpngroup csc idle-time 1800
vpngroup csc password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end


1720 router config
CSCR1#sh run
Building configuration...

Current configuration : 1090 bytes
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec

hostname CSCR1

memory-size iomem 25
no aaa new-model
ip subnet-zero
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
interface Ethernet0
 ip address
 no cdp enable
interface Ethernet1
 no ip address
 no cdp enable
interface FastEthernet0
 ip address
 speed auto
 no cdp enable
!
ip default-gateway
ip classless
ip route
ip route
ip route
no ip http server
no ip http secure-server
dialer-list 1 protocol ip permit
snmp-server community  RO
snmp-server community public RO
snmp-server enable traps tty
no cdp run
line con 0
line aux 0
line vty 0 4
!

Question by:acicalla

    Accepted Solution

    First thing you need is a default route statement on the 1721, not default-gateway command:
      no ip default-gateway
      ip route
    Remove these. You never want to add static routes for directly connected networks.
    no ip route
    no ip route

    Next problem is that you're trying to assign the same subnet to both the Ethernet 0 and Fastethernet 0 interfaces:
    interface Ethernet0
     ip address
    interface FastEthernet0                         |---- no can do, my friend...
     ip address

    Personal opinion only here - take the 1700 out completely -- you simply don't need it with an internet feed from the ISP.
    Keep the PIX config just like it is, but add this line:
      route outside
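The three mistakes the accepted answer points out (a default-gateway command where a default route is needed, static routes for directly connected networks, and the same subnet on two interfaces) can be checked mechanically. The lint below is an added example, not code from the thread; the sample config and its RFC 5737 addresses are constructed placeholders, since the poster's real addresses are not in the post.

```python
import ipaddress
import re

# Constructed sample modelled on the 1720 config above; the addresses are
# documentation-range placeholders (RFC 5737), not the poster's real ones.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 203.0.113.10 255.255.255.248
interface Ethernet1
 no ip address
interface FastEthernet0
 ip address 203.0.113.12 255.255.255.248
ip default-gateway 203.0.113.9
ip route 203.0.113.8 255.255.255.248 203.0.113.9
ip route 192.168.1.0 255.255.255.0 203.0.113.9
"""

def parse_ios(text):
    """Return ({interface: network}, [(prefix, next_hop)], has_default_gateway)."""
    interfaces, routes, default_gw = {}, [], False
    current = None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            # ip_interface accepts "addr/dotted-mask" and gives us the subnet
            interfaces[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
        elif line.startswith("ip default-gateway"):
            default_gw = True
    return interfaces, routes, default_gw

def lint_ios(text):
    """Flag the three problems called out in the accepted answer."""
    interfaces, routes, default_gw = parse_ios(text)
    findings = []
    # ip default-gateway is ignored when ip routing is on; a router needs 0.0.0.0/0
    if default_gw and not any(net.prefixlen == 0 for net, _ in routes):
        findings.append("ip default-gateway used; add 'ip route 0.0.0.0 0.0.0.0 <next-hop>' instead")
    names = sorted(interfaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if interfaces[a].overlaps(interfaces[b]):
                findings.append(f"overlapping subnets on {a} and {b}: {interfaces[a]}")
    for net, hop in routes:
        if net in interfaces.values():
            findings.append(f"static route to directly connected network {net} via {hop}")
    return findings
```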


    Expert Comment

    Forgot something...

    >Keep the PIX config just like it is, but add this line:
    >  route outside

    And, unplug the Internet feed from the 1720, power off the 1720, and plug the Internet feed directly into the PIX Eth0 outside interface.


    Author Comment

    Sweet, this is working. I have an additional question on adding back in a Linksys router for wireless access, but I will post that in another question to keep the database clean. Thanks for the help!!!
