• Status: Solved

Setting up Cisco PIX 501 Firewall behind Cisco 1702 Router

No luck getting the PIX 501 to work behind a Cisco 1720.
Contacted ISP for settings on the Cisco 1720 and entered them into the PIX 501.
PIX 501 shows outside interface status as down. No light on the PIX WAN port.
ISP frequently gives me different answers to the same question.
The PIX 501 needs to know the outside IP, subnet and gateway.
How can I confirm my ISP is giving me accurate info?
They won't give me the password for the Cisco 1702.
Any ideas...
I was considering attaching my PC to the serial console port on the 1720. I am familiar with the serial cabling requirements, but have no experience with the Cisco command line.
Asked:
bobalounj
 
lrmoore Commented:
>Pix 501 shows outside interface status as down. No light on the PIX WAN Port
How are you connecting them? You need an Ethernet Crossover cable if you're going straight between them. Until you get link up, you can't do much of anything. Did you enable the interface? If you're using the web GUI, then there is a checkbox to enable the interface.

I don't advise trying to connect to the console of the managed router.
 
bobalounj (Author) Commented:
Thanks, got the PIX 501 WAN port link up. Duh.
The outside interface is up, however I still can't get access out to the internet.
If I hook up directly to the Cisco 1720 router, access is fine.
What info do I need to set up the Cisco PIX 501, and what do I need to do or change on the workstation when
the 501 firewall is in place?
 
lrmoore Commented:
You need to
- assign the ip address/mask to the outside interface
- assign the default route
- set global and nat (I think these are set already by default):
   global (outside) 1 interface
   nat (inside) 1 0 0

Don't try to use pings to test connectivity because ICMP is blocked by default on the PIX.
If you want to use ping tests, add the following:

  access-list icmp permit icmp any any echo-reply
  access-list icmp permit icmp any any unreachable
  access-group icmp in interface outside

The 501 should be set up as a DHCP server out of the box, handing out 192.168.1.x IP addresses. If you want to change that, now's the time. Just set your PC to get its IP address automatically.
Your PC needs DNS entries. One difference with the PIX is that it is not a DNS proxy like most SOHO routers are. If you don't have an internal DNS server, then you need to give your PC the ISP's nameservers.
 
bobalounj (Author) Commented:
To assign the IP address/mask to the outside interface, which is the Cisco 1720 router.
My ISP controls the Cisco 1720 router. How do I get the proper info/settings from the Cisco 1720?
Or when I call the ISP, what settings do I ask for? Is there any way I can confirm these settings?

To set the internal route, is this just the gateway IP of the Cisco 1720 router?

Thanks in advance
 
lrmoore Commented:
All you need to know from the ISP is what is the LAN IP and subnet mask of the 1720 router?
Example:
  66.67.68.33 255.255.255.248

This will give you use of .34 - .38
Assign 66.67.68.24 / 255.255.255.248 to the pix interface
  ip address outside 66.67.68.34 255.255.255.248

Use the 1720's IP as the PIX's gateway
  route outside 0.0.0.0 0.0.0.0 66.67.68.33


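An added example, not part of the original thread: a Python check that the outside address, mask and gateway obtained from an ISP are mutually consistent before they are entered on the PIX, run on the sample values from the answer above. The function names are hypothetical; the emitted lines are the two PIX commands quoted in the thread, and an address outside the router's /29 (66.67.68.24, for instance) is rejected.

```python
import ipaddress

def usable_hosts(router_ip, mask):
    """Host addresses left for your own devices in the router's LAN subnet."""
    net = ipaddress.ip_network(f"{router_ip}/{mask}", strict=False)
    return [str(h) for h in net.hosts() if str(h) != router_ip]

def check_settings(outside_ip, mask, gateway):
    """Return a list of inconsistencies; an empty list means the values fit together."""
    try:
        net = ipaddress.ip_network(f"{gateway}/{mask}", strict=False)
        ip = ipaddress.ip_address(outside_ip)
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:  # bad octet or non-contiguous mask
        return [f"unparseable value: {exc}"]
    problems = []
    if ip not in net:
        problems.append(f"{ip} is not in the gateway's subnet {net}")
    if ip == gw:
        problems.append("outside address duplicates the gateway address")
    if net.prefixlen < 31:  # /31 and /32 have no reserved addresses
        for label, addr in (("outside address", ip), ("gateway", gw)):
            if addr in (net.network_address, net.broadcast_address):
                problems.append(f"{label} {addr} is the network or broadcast address")
    return problems

def pix_commands(outside_ip, mask, gateway):
    """Emit the two PIX lines from the thread, refusing inconsistent input."""
    problems = check_settings(outside_ip, mask, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    return [f"ip address outside {outside_ip} {mask}",
            f"route outside 0.0.0.0 0.0.0.0 {gateway}"]

if __name__ == "__main__":
    # Sample values taken from the thread's example, not a real assignment.
    mask, router = "255.255.255.248", "66.67.68.33"
    print("usable:", usable_hosts(router, mask))
    print("\n".join(pix_commands("66.67.68.34", mask, router)))
    print(check_settings("66.67.68.24", mask, router))
```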