Comcast static address and PIX501

We have a comcast business with a static addresss up purchased a pix501 to do vpn and site to site ect.  The issue we are having is the comcast modem with the SMC router will not go into bridge mode and let the cisco pix501 have the static address assigned to it.  If we put the pix in to dhcp mode we get assigned a diffrent ip than our static but we can use the web ect.  Any ideas or leads on where to get this resolved. Comcast and Cisco are both pointing fingers as well as SMC.

our pix is current IOS PDM  

Steven ChurchIT ConsultantAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

Pentrix2Connect With a Mentor Commented:
Thanks for the update.  :)

OHHHHHHH, i have the same problem when I first signed up for the comcast business with 5 public IPs.  I called comcast support for 2 weeks on them fixing this and for some reason hardly anybody knew how to do this.

Turning the crapy smc modem/router to bridge mode is simply turning off the DHCP.  Of course before this happens make sure comcast did upload a file to the crapy smc modem/router so you can have your 5 public IPs or else it won't work.  Then make sure your PIX route is pointing to the comcast Default-Gateway (DG).  So let's say your public IP range is: to

Then I believe the command is:  route 0 0
then assign your outside interface on your pix of
Then you can do your static translations and ACLs.  of course make sure you have the nat and global configuration so you can do NATing and PATing.

Steven ChurchIT ConsultantAuthor Commented:
We only have 1 static Ip address. We had a similar issue with a linksys rv042 and they had to downgrade the firmware on the smc pos.... I will sure give it a shot. I will let you know.

Thanks for some direction
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

with only 1 static public ip address it will work as well.

static public ip
your dg should be :

then give your outside interface on your pix the with a dg of

Let me know how it goes because this entire ordeal I had with comcast really upset me that they can't support their product.

Steven ChurchIT ConsultantAuthor Commented:
No go on that solutions, I thought we had tried that once and it still doesnt work. The cisco powers up, then the smc freaks out and not traffic between the smc and cisco.

Back to the drawing board.  We have talked with 4 levels into comcast land and they say oh nope that wont work sorry to bad.

Any more ideas or thingss to try would be great!

Please post your PIX configuration.

Steven ChurchIT ConsultantAuthor Commented:
Here is the config. its stock out of the box with very little configured.

Building configuration...
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /YkVqZmBD0uSVWHm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mail.
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group outside_access_in in interface outside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username assured password QRz9eoLBtoiM0kwY encrypted privilege 15
terminal width 80
: end

This is what I would do.  Do the dhcp and see what IP address you are receiving from

so let's say it's:

this ip address should match the default gateway to the email you got from your sales person who opened up the account for you.

also, in the email it should say specifically what is your static public ip address.  from your configuration it looks solid with very little modification to it and should allow your internal nodes internet access.

Let me know if I'm wrong in any of my statements.

Steven ChurchIT ConsultantAuthor Commented:
The info listed is what comcast gave us via phone, nothing was sent out via email.
Steven ChurchIT ConsultantAuthor Commented:
Comcast has contacted us and the are installing a new model of the smc modem next week. I will update the info as we get it!  
Steven ChurchIT ConsultantAuthor Commented:
After waiting for comcast to send out a biz tech with the modem, they have pulled the new smc back for more testing.   We have had the interface rebuild twice to just keep the current vpn on the RV042 alive.
The thing that fixed it on my side was the business techs had to replace some kind of board outside my building.  Something like if it's reading -25 then it's good.  It's the box that your facility should be sharing.
Steven ChurchIT ConsultantAuthor Commented:
I will ask, our local tech is a good friend.
Keith AlabasterEnterprise ArchitectCommented:
Steven, I need an update here please as it has expired again.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.