  • Status: Solved
  • Priority: Medium
  • Security: Public

Replacing PIX 501 with PIX 515E

I have a DSL circuit with a static IP x.x.x.30 and a routable ip block of x.x.x.25-29. I have a PIX 501 6.3(4) plugged into the DSL modem (bridged PPPoE), which is all working fine. I’m replacing the 501 with a 515E 7.1(2) which, as I understand things, doesn’t support PPPoE. I’ve replaced the DSL modem, which did not allow me to set the PPPoE stuff on the modem, with one that does. The new modem connects and works fine as I’ve plugged a laptop into it and I’m able to get to the internet just fine. I’m not sure how to get the 501 working now that the PPPoE is done on the modem. My plan is to get the 501 config working with the new modem then load the 501’s config onto the 515E 7.1(2) and let it convert to the 7.1 format. This connection is only used by private 10.1.x.x’s for web browsing.

Here’s the 501’s config.

PIX 501 with old modem (bridged PPPoE)

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXX encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname xxxxxxxxxxx
domain-name xxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 110 permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 110 permit ip 10.1.2.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list 100 permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 10.1.0.0 255.255.0.0 any
access-list 120 permit ip 10.99.0.0 255.255.0.0 any
pager lines 24
logging on
logging console debugging
logging monitor errors
logging buffered warnings
logging trap debugging
logging history debugging
logging host inside xxxxxxx
mtu outside 1500
mtu inside 1500

ip address inside 10.1.100.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.1.1-192.168.1.254
pdm location 10.1.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 xx.xx.xx.26
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route inside 10.99.0.0 255.255.0.0 10.1.100.7 1
route inside 192.168.0.0 255.255.0.0 10.1.1.6 1
timeout xlate 3:00:00
timeout conn 59:59:00 half-closed 59:59:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
fig-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
ssh timeout 5
console timeout 0
vpdn group sbcdsl request dialout pppoe
vpdn group sbcdsl localname xxxxx@static.sbcglobal.net
vpdn group sbcdsl ppp authentication pap
vpdn username XXXXX@static.sbcglobal.net password *********
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:917049b06d952a75b764d232412013f1
: end

I’ve tried:
no vpdn group sbcdsl
no vpdn username XXXXX@static.sbcglobal.net
no ip address outside pppoe setroute

ip address outside x.x.x.26 255.255.255.248

Which didn’t work. Any ideas on how I can get this config to work with the non-bridged DSL modem?

TIA.
1 Solution
 
lrmoore commented:
>The new modem connects and works fine as I’ve plugged a laptop into it and I’m able to get to the internet just fine
What IP address does your laptop get? Does it get a public or private IP address?

You can't just drop a 501 config into a new 515 with 712. It won't automagically convert. You'll have to start pretty much from scratch on the 515. Check out the new ASDM GUI vs the old PDM...

>ip address outside x.x.x.26 255.255.255.248
>Which didn’t work.
Did you also set the default route??
  route outside 0.0.0.0 0.0.0.0 x.x.x.30 <== 2x check the upstream gateway

On a side note, I see you have a potential routing issue with vpn clients...

>ip local pool bigpool 192.168.1.1-192.168.1.254
>route inside 192.168.0.0 255.255.0.0 10.1.1.6 1
*highly* suggest you pick something other than 192.168.1.x for your VPN clients. Why? Because this is absolutely the most-used IP subnet for soho routers and many hotels. Your clients will have problems eventually.
 
zvolts (author) commented:
>The new modem connects and works fine as I’ve plugged a laptop into it and I’m able to get to the internet just fine
>What IP address does your laptop get? Does it get a public or private IP address?

The laptop got a private 192.168.x.x address. There's a setting on the new DSL modem to assign a private or public IP to its ethernet interface. The only way I could get the laptop to connect was with it set to private.

>ip address outside x.x.x.26 255.255.255.248
>Which didn’t work.
>Did you also set the default route??
>  route outside 0.0.0.0 0.0.0.0 x.x.x.30 <== 2x check the upstream gateway

Yes, I set a default route like above and was not able to ping the upstream gateway.

I'll be removing all the VPN settings, as they are no longer needed.

When I did a show interface 0 when connected to the old modem, the IP on that interface was x.x.x.30, the same as the DSL modem. Seemed kinda odd, but I'm guessing that has to do with the PPPoE bridging, as it is working.
zvolts (author) commented:
I was able to get things working. I needed a firmware upgrade on the DSL modem to get it to assign a public IP.