Solved

Cisco 2620 with WIC-ADSL needs to bridge to PIX

Posted on 2006-05-16
Last Modified: 2012-05-05
Hello all,
     I am currently trying to set up my first Cisco network, so please be patient with me.  I have a Cisco 2620 router that will connect with my ADSL line, negotiates a static IP and shows no errors.  However I cannot give my PIX an external IP address, nor the internal interface an external IP.  I understand why it is, but the only solution I can see that may be feasible is to put the 2620 into bridge mode and pass all traffic to the PIX 506E.  Is this correct?  If so, how do I do it?  And once it is done, will the PIX negotiate the PPPoE session?  I will be looking at posting regularly, and will respond to questions quickly.


Thanks again,
   Adam
Question by:gimmiecpt

Expert Comment

by:rsivanandan
ID: 16697322
Hi gimmiecpt,

 You can have the 2620 connect to your ADSL line and do the NAT. Configure the 2620 to do the NAT for the outgoing connections. I assume that you have only one public IP which is assigned to the router. So you can come up with a network something like this:

Internal Network------------PIX-----10.1.1.0/24--------2620---PublicIP---------Internet

Configure the network between the PIX and the 2620 to be in a separate network from the internal one (like 10.1.1.0/24). Then point the default gateway to the 2620 and enable NAT on the 2620.

Cheers!
Rajesh

Author Comment

by:gimmiecpt
ID: 16697645
Rajesh,
     Thank you for the quick response.  Actually I have a block of 5 static IPs.  I originally tried what you are suggesting, but then I ran into the problem of the interfaces on the PIX conflicting (unless I give the link between the 2620 and the PIX its own subnet).  Also when I did that it wouldn't route from the PIX to the internet, just from the 2620, and all my default routes were pointing to the public IP.   The network looked like this:

Internal network (catalyst 1924) 10.1.1.0/24 -->PIX 192.168.1.0/24 -->2620 -->public IP

It was ugly :).

I need to be able to route out to the internet, and also static IP some servers inside the network.



Expert Comment

by:rsivanandan
ID: 16697997
Yes, that is how it should be set up; I mean the subnet between the PIX and the router should be unique. There are only two ways to do this. One, as I mentioned, is where the NAT is performed at the edge router (2620).

The first method would be the way to go if you don't have another public IP range. Traffic not being routed to the internet is because of config problems. The PIX should have a default route pointing to the 2620's internal interface. All the NAT configuration should be on the router. If you want to go this way, you could post the configuration and we can troubleshoot it to get a working network. It will for sure work, no problems.

The other would be the same except for the network between the PIX and the router. If you have another public range which is different from the router's WAN interface, then you would be able to do the NAT on the PIX itself:

Internal Network (10.x.x.x)-------PIX---Another_Public_Range------------Router---Public IP--------Internet

Here what happens is that you can define the NAT on the PIX.

Let me know.

Cheers,
Rajesh

Author Comment

by:gimmiecpt
ID: 16715061
Rajesh,
     The network is set up as I described above.  Below is the current running config on the Cisco 2620 and the PIX 506E.  I have also included the routes and ping tests.   From the 2620 I can resolve DNS and ping www.yahoo.com, as well as the external interface on the PIX.  From the PIX, I can ping the internal IP address of the Cisco 2620, as well as the external interface that is given when I connect to the PPPoE server.  However I cannot get past it.  As you will see below, I tried to ping the DNS server for my provider and yahoo.com; neither worked.  Please let me know what you think.

Thanks,

      Adam


CISCO2620: show run
Building configuration...                        

Current configuration : 1265 bytes                                  
!
version 12.3            
service timestamps debug datetime msec                                      
service timestamps log datetime msec                                    
no service password-encryption                              
!
hostname CISCO2620                
!
boot-start-marker                
boot-end-marker              
!
enable secret 5 ******.                                              
!
no aaa new-model                
ip subnet-zero              
ip cef
!
!
ip name-server 68.94.156.1                          
!
ip audit po max-events 100                          
vpdn enable          
!
vpdn-group pppoe                
 request-dialin              
  protocol pppoe                
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface ATM0/0                
 no ip address              
 no atm ilmi-keepalive                      
 bundle-enable              
 dsl operating-mode auto                        
 hold-queue 224 in                  
!
interface ATM0/0.1 point-to-point                                
 pvc 0/35        
  pppoe-client dial-pool-number 1                                
 !  
!
interface FastEthernet0/0                        
 ip address 192.168.9.1 255.255.255.0                                    
 no ip route-cache cef                      
 no ip route-cache                  
 duplex auto            
 speed auto          
!
interface Dialer1                
 ip address negotiated                      
 ip mtu 1492            
 ip nat outside              
 encapsulation ppp                  
 dialer pool 1              
 ppp authentication pap callin                              
 ppp pap sent-username ******* password 0 ********                                                                
!
router eigrp 1              
 network 71.0.0.0                
 network 192.0.0.0                
 auto-summary            
!
ip http server              
no ip http secure-server                        
ip classless            
ip route 0.0.0.0 0.0.0.0 Dialer1                                
!
!
access-list 100 permit ip any any
!
!
!
!
!
!
line con 0
 password *******
 login
line aux 0
line vty 0 4
 password *******
 login
!
!
end

####################################################################

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     71.0.0.0/32 is subnetted, 1 subnets
C       71.*.*.190 is directly connected, Dialer1
C    192.168.9.0/24 is directly connected, FastEthernet0/0
     151.164.0.0/32 is subnetted, 1 subnets
C       151.164.184.74 is directly connected, Dialer1
S*   0.0.0.0/0 is directly connected, Dialer1

###################################################################
CISCO2620#ping 192.168.9.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.9.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
CISCO2620#ping www.yahoo.com

Translating "www.yahoo.com"...domain server (68.94.156.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.94.230.39, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/20 ms

########################################################################

PIX506E: show run

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password uT//lrUfwTfEA9xd encrypted
passwd uT//lrUfwTfEA9xd encrypted
hostname PIX506E
domain-name nacsolutions.net
clock timezone PST 21
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.9.2 255.255.255.0
ip address inside 10.197.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 10.197.11.0 255.255.255.0 inside
ssh 192.168.1.90 255.255.255.255 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:47eb11676eff4f39dfd41148d27252d2

########################################################################

PIX506E(config)# show route
        outside 0.0.0.0 0.0.0.0 192.168.9.1 1 OTHER static
        inside 10.197.11.0 255.255.255.0 10.197.11.1 1 CONNECT static
        outside 192.168.9.0 255.255.255.0 192.168.9.2 1 CONNECT static

########################################################################

PIX506E(config)# ping 192.168.9.1
        192.168.9.1 response received -- 0ms
        192.168.9.1 response received -- 0ms
        192.168.9.1 response received -- 0ms
PIX506E(config)# ping www.yahoo.com
Usage:  ping [if_name] <host>
PIX506E(config)# ping 71.*.*.190
        71.146.204.190 response received -- 0ms
        71.146.204.190 response received -- 0ms
        71.146.204.190 response received -- 0ms
PIX506E(config)# ping 68.94.156.1
        68.94.156.1 NO response received -- 1000ms
        68.94.156.1 NO response received -- 1000ms
        68.94.156.1 NO response received -- 1000ms
PIX506E(config)# ping 66.94.230.40
        66.94.230.40 NO response received -- 1000ms
        66.94.230.40 NO response received -- 1000ms
        66.94.230.40 NO response received -- 1000ms
PIX506E(config)#
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16715554
Ok. There lies the problem. On the router you have the route to go outside, but you don't have a route pointing inside to reach the 10.x.x.x network. Just add this:

ip route 10.197.11.0 255.255.255.0 192.168.9.2

So that the traffic goes out and when it comes back to the 2620, it will know where to go to reach the 10.x.x.x network. Just add this.

Next problem is, I don't see any NAT translations happening at the 2620, so add this:

>ip nat inside source list 1 interface Dialer1 overload

access-list 1 permit 10.197.11.0 0.0.0.255

interface FastEthernet0/0                        
 ip address 192.168.9.1 255.255.255.0                                    
 no ip route-cache cef                      
 no ip route-cache                  
 duplex auto            
 speed auto
> ip nat inside

interface Dialer1                
 ip address negotiated                      
 ip mtu 1492            
 >ip nat outside              
 encapsulation ppp                  
 dialer pool 1              
 ppp authentication pap callin                              
 ppp pap sent-username ******* password 0 ********

Try that and let me know.

Cheers,
Rajesh
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16717155
In addition to the nat inside/outside as Rajesh pointed out above, you need a nat/global statement in your PIX:

Option 1: NAT everything coming out of the PIX so that no route statement is needed on the router:
  global (outside) 1 interface
  nat (inside) 1 0 0

Option 2: don't NAT between inside/outside on the PIX (requires a route statement on the router):
  static (inside,outside) 10.197.11.0 10.197.11.0 netmask 255.255.255.0

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16719425
Good point from lrmoore. I would define a static for the 10.x.x.x network and allow all the traffic to the network.

static (inside,outside) 10.197.11.0 10.197.11.0 netmask 255.255.255.0

access-list <Name/Number> permit ip any 10.197.11.0 255.255.255.0

access-group <Name/Number> in interface outside

Add these commands on the PIX and you can refine the access-list later for your requirements. This will make sure that incoming traffic onto the PIX will be allowed into your LAN.

Cheers,
Rajesh

Author Comment

by:gimmiecpt
ID: 16732416
I made the appropriate changes, but I still cannot ping through the 2620.  Again, I can ping the internet from the 2620, but from the firewall I can ping the external interface, but not past it.  Here are the new configs:

<CISCO2620>

Current configuration : 1281 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO2620
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$g0ME$jpAyUsAcVWUF0lCccuovs.
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 68.94.156.1
!
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0/0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0/0
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username *******@sbcglobal.net password 0 ******
!
router eigrp 1
 network 71.0.0.0
 network 192.0.0.0
 auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 100 permit ip any any
!
!
!
!
!
!
line con 0
 password ********
 login
line aux 0
line vty 0 4
 password ********
 login
!
!
end

######################################################################

Made ip route change suggested above

########################################################################

<PIX506E>

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password uT//lrUfwTfEA9xd encrypted
passwd uT//lrUfwTfEA9xd encrypted
hostname PIX506E
domain-name nacsolutions.net
clock timezone PST 21
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip any 10.197.11.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.9.2 255.255.255.0
ip address inside 10.197.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.197.11.0 10.197.11.0 netmask 255.255.255.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 10.197.11.0 255.255.255.0 inside
ssh 192.168.1.90 255.255.255.255 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:47eb11676eff4f39dfd41148d27252d2
: end

##########################################################################
 show route
        outside 0.0.0.0 0.0.0.0 192.168.9.1 1 OTHER static
        inside 10.197.11.0 255.255.255.0 10.197.11.1 1 CONNECT static
        outside 192.168.9.0 255.255.255.0 192.168.9.2 1 CONNECT static

Expert Comment

by:rsivanandan
ID: 16742649
Hi,

  Your configuration is still not correct. The router is missing the 'ip route' statement, and the 'ip nat inside source list 1 interface Dialer1 overload' & 'access-list 1 permit 10.197.11.0 0.0.0.255' lines are also missing. Add those and only then will it work.

Cheers,
Rajesh


Author Comment

by:gimmiecpt
ID: 16748496
Thank you guys for your assistance so far.  I am still having the same problem.  I can ping the external interface on the 2620 from the PIX, but not past it.  From the 2620 I can ping and resolve DNS.  Here is my 2620 current config.  Thank you again for your help.

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO2620
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$g0ME$jpAyUsAcVWUF0lCccuovs.
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 68.94.156.1
!
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0/0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0/0
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username ******** password 0 *****
!
router eigrp 1
 network 71.0.0.0
 network 192.0.0.0
 auto-summary
!
ip nat inside source list 1 interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.197.11.0 255.255.255.0 192.168.9.2
!
!
access-list 1 permit 10.197.11.0 0.0.0.255
access-list 100 permit ip any any
!
!
!
!
!
!
line con 0
 password *****
 login
line aux 0
line vty 0 4
 password *****
 login
!
!
end


#############################################################################################################################

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     71.0.0.0/32 is subnetted, 1 subnets
C       71.146.204.190 is directly connected, Dialer1
C    192.168.9.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
S       10.197.11.0 [1/0] via 192.168.9.2
     151.164.0.0/32 is subnetted, 1 subnets
C       151.164.184.74 is directly connected, Dialer1
S*   0.0.0.0/0 is directly connected, Dialer1

Expert Comment

by:rsivanandan
ID: 16748879
Let's do this for testing purposes: change access-list 1 to the following:

access-list 1 permit ip any any

Cheers,
Rajesh

Author Comment

by:gimmiecpt
ID: 16749068
Rajesh,
   I had to use the following command; otherwise it tried to resolve it using the DNS server.

access-list 1 permit any

After adding the line above, I was able to route to the internet.  Thank you for your help.  

I have one final question for you.  How do I get the 2620 to recognize my 5 static IPs so I can start building static routes to the appropriate destinations?

Adam
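To see why access-list 1 mattered for the tests in this thread, here is an added Python model (not from the thread, and not Cisco code) of the two translation hops: the PIX choosing between the identity static and nat/global, then the 2620 translating only the sources that access-list 1 permits. It assumes PIX 6.3 precedence (a matching static wins over nat/global), uses the addresses from the configs above, and ACL_TIGHT is a suggested narrower alternative to `permit any`.

```python
import ipaddress

# Constructed model of the two translation hops in this thread; not Cisco code.
PIX_OUTSIDE = ipaddress.ip_address("192.168.9.2")    # PIX outside interface
ROUTER_WAN = ipaddress.ip_address("71.146.204.190")  # Dialer1 address from the routing table above
LAN = ipaddress.ip_network("10.197.11.0/24")         # network behind the PIX

# IOS standard ACLs as (network, wildcard) pairs; a wildcard bit of 1 means "don't care".
ACL_THREAD = [("10.197.11.0", "0.0.0.255")]       # access-list 1 permit 10.197.11.0 0.0.0.255
ACL_ANY = [("0.0.0.0", "255.255.255.255")]        # access-list 1 permit any (what finally worked)
ACL_TIGHT = [("10.197.11.0", "0.0.0.255"),        # narrower alternative: LAN hosts ...
             ("192.168.9.2", "0.0.0.0")]          # ... plus the PIX's own outside address


def std_acl_permits(acl, src):
    """True if the standard ACL permits this source address.
    An entry matches when every bit NOT covered by the wildcard is equal;
    a source matching no entry hits the implicit deny that ends every IOS ACL."""
    s = int(ipaddress.ip_address(src))
    for net, wildcard in acl:
        n, wc = int(ipaddress.ip_address(net)), int(ipaddress.ip_address(wildcard))
        if (s | wc) == (n | wc):
            return True
    return False


def pix_outbound_src(src, identity_static=False, nat_global=False):
    """Source address a LAN packet carries after the PIX. identity_static models
    'static (inside,outside) 10.197.11.0 10.197.11.0 netmask 255.255.255.0';
    nat_global models 'nat (inside) 1 0 0' + 'global (outside) 1 interface'.
    Assumes PIX 6.3 precedence: a matching static wins over nat/global.
    Returns None when neither applies (the PIX drops the packet)."""
    s = ipaddress.ip_address(src)
    if identity_static and s in LAN:
        return s
    if nat_global:
        return PIX_OUTSIDE
    return None


def router_nat(src, nat_acl):
    """'ip nat inside source list 1 interface Dialer1 overload': only sources the
    ACL permits are translated to the Dialer1 address; anything else is forwarded
    with its private source, so nothing on the Internet can answer it."""
    if src is None:
        return None
    return ROUTER_WAN if std_acl_permits(nat_acl, src) else src


def lan_host_egress(src, identity_static, nat_global, nat_acl):
    """Address the Internet sees for a LAN host, or None if dropped at the PIX."""
    return router_nat(pix_outbound_src(src, identity_static, nat_global), nat_acl)


def pix_self_ping_egress(nat_acl):
    """A ping typed on the PIX console is sourced from its outside interface and is
    not subject to the PIX's own nat/static rules; only the router's ACL decides."""
    return router_nat(PIX_OUTSIDE, nat_acl)


if __name__ == "__main__":
    host = "10.197.11.20"  # constructed LAN host
    print("option 1 (nat/global only), ACL 1 = LAN only:", lan_host_egress(host, False, True, ACL_THREAD))
    print("option 2 (identity static), ACL 1 = LAN only:", lan_host_egress(host, True, True, ACL_THREAD))
    for name, acl in (("LAN only", ACL_THREAD), ("permit any", ACL_ANY), ("LAN + PIX", ACL_TIGHT)):
        print(f"ping from the PIX console, ACL 1 = {name}:", pix_self_ping_egress(acl))
```

A ping from the PIX console is sourced from 192.168.9.2, which `permit 10.197.11.0 0.0.0.255` never matches, so that test fails even when LAN hosts behind the identity static would have been translated. `permit any` makes the test pass but also translates every source the router receives on FastEthernet0/0, whereas ACL_TIGHT covers only the LAN and the PIX itself.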
LVL 32

Accepted Solution

by:rsivanandan (earned 2000 total points)
ID: 16749158
Adam,

  Glad to know that you got it up and running now. As per the rules of the forum, only a single question is allowed in a question. So can you open up another question and post the link here so that I can take a look at it?

  Give detailed information on the setup you want like, where the devices are going to be (Internal/DMZ), what will they be serving etc.

Cheers,
Rajesh

Author Comment

by:gimmiecpt
ID: 16752362
Here it is Rajesh,
 
http://www.experts-exchange.com/Hardware/Routers/Q_21862308.html

Thanks again for your help.

Expert Comment

by:rsivanandan
ID: 16752822
Thanks for the points. I'll post the comments in the other one.


Cheers,
Rajesh