
Basic setup questions for a Cisco PIX 501 6.3(5) connecting to a CableModem

Intruder_3 asked
Last Modified: 2010-04-17

I just bought a new Cisco PIX 501 Firewall 6.3(5). My only problem is that I don't know how to configure it. I bought it so I can learn how to use it, but the Cisco PDF document is only helpful if you know what you're looking for and understand its language. Hopefully, Experts Exchange members can help me with a few questions that I have.

Diagram:  LAN -----> PIX ------> Cable Modem, no static --------> WWW.

1. How do I allow internal hosts access to the Internet?
2. How do I configure my outside interface to obtain an IP address? I tried setting up PPPoE, but that didn't work too well for me.
3. I don't see an IP address for the outside interface; why?
4. Do I need to set up NAT and PAT to allow internal hosts access to the Internet?
5. What good books or websites can I go to to learn more about configuring the Cisco PIX firewall? Note: I do have login access to Cisco's website, thanks to a company I work for that has a partnership with Cisco.
6. Do I need to secure my firewall or is it configured for me by default?

Wow, that is a lot of questions in there. Just launch www.cisco.com, type in the question you have in mind, and search for it.

1. First you have to put the cable modem in bridged mode so that your PIX outside interface gets the DHCP address from the ISP.

2. ip address dhcp setroute  => This tells the PIX to obtain an IP address from the ISP and use the ISP's default route.

3. NAT or PAT in your situation:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

=> The commands above say that all internal traffic leaving the LAN for the Internet should get NATted to the outside interface address (which is the public IP obtained from the ISP).

By default, your PIX allows all outbound connections but doesn't allow any inbound connections unless you configure it specifically. It seems like you don't need any, so that should be it. If you want to allow ping (ICMP) both ways, you can do the below:

icmp permit any any  

That should be it.



Thanks for the info.

I did go to Cisco's website, but those examples are a little too advanced for me now. I just don't understand why my PIX is not picking up an IP address.

The modem I have is a Motorola SB5101 from EarthLink/TimeWarner. Not sure how to set it up for bridge mode. There are no settings on the modem to do that.

Cyclops3590 (Sr Software Engineer)

Most of it is done by default. However, if you want to make sure, after you get into global mode just type
configure factory-default
and it will reset everything. Also, don't forget to use "write mem" if you change anything that you want to save.

Also, for number two, Rajesh, I believe it should be
ip address outside dhcp setroute
The interface needs to be specified.

When I started learning PIXes a little while ago, I personally found the Cisco Press certification books the best. At least for me, if I want to learn something fast I always pick up the cert book. It cuts to the chase and tells you what you want to know. Cisco Press has a lot of books about the ASA and PIX line. The two I found most helpful were the CCSP Cisco book covering the PIX test (2nd edition book; 3rd edition covers version 7.X) and the ASA and PIX Firewall Handbook.

Also, keep asking here.  Rajesh was a big help in pointing me in the right direction several times.
Did you unplug the power on your modem, leave it for about half a minute, then plug it back in? Cable modems sometimes need a power cycle when being swapped between devices with different MAC addresses.

Did you see my comment on your other question?  http://www.experts-exchange.com/Programming/Q_21800494.html

BTW, it is generally accepted practice to post one question and the other clearly marked as a pointer with only 20 pts
Cyclops has a good point, did you have a computer attached to your modem before the PIX?  My DSL provider requires me to call them to reset the MAC address if I change the router.
Oh yeah, I missed the interface part from the command there :-) Thnx for catching that Cyclops...



Yup, that did it, Cyclops3590.

I ran the commands "ip address outside dhcp setroute" and "debug dhcp packets". I then noticed the outside interface was broadcasting for an IP address, but there was no reply from the modem. I then power-cycled the modem, and the PIX picked up an IP address.

Thx... Now I just need to figure out "port forwarding". I will try to handle this on my own, but if I can't, you guys/gals will be seeing another question posted soon! Thx : )
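
A small configuration check for the two points this thread settles (the interface name required in "ip address outside dhcp setroute", and a "global" statement paired with each "nat" ID), added here as an example and not part of any post. The sample configurations and the function name check_pix_config are constructed for illustration.

```python
import re

# Constructed PIX 6.3-style configuration lines (not taken from the asker's device).
SAMPLE_GOOD = """\
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Same setup with the thread's mistake (no interface name) and no global statement.
SAMPLE_BAD = """\
ip address dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

def check_pix_config(text, interfaces=("outside", "inside")):
    """Return findings for the outbound-access setup discussed in the thread."""
    findings = []
    nat_ids, global_ids = set(), set()
    outside_dhcp = False
    for raw in text.splitlines():
        words = raw.split()
        if words[:2] == ["ip", "address"]:
            if len(words) < 3 or words[2] not in interfaces:
                findings.append(f"'{raw.strip()}': interface name missing after 'ip address'")
            elif words[2] == "outside" and words[3:4] == ["dhcp"]:
                outside_dhcp = True
                if "setroute" not in words[4:]:
                    findings.append("outside uses DHCP without 'setroute': "
                                    "the DHCP-supplied default route is not installed")
        # nat and global statements are tied together by their numeric ID.
        m = re.match(r"\s*(nat|global) \((\w+)\) (\d+)\b", raw)
        if m:
            (nat_ids if m.group(1) == "nat" else global_ids).add(int(m.group(3)))
    if not outside_dhcp:
        findings.append("outside interface is not configured for DHCP")
    # ID 0 means NAT exemption and needs no global statement.
    for nid in sorted(nat_ids - {0} - global_ids):
        findings.append(f"nat id {nid} has no matching 'global' statement")
    return findings

if __name__ == "__main__":
    for name, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_pix_config(cfg))
```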