Comcast static address and PIX501

Posted on 2006-07-13
Medium Priority
Last Modified: 2013-11-16
We have a comcast business with a static addresss up purchased a pix501 to do vpn and site to site ect.  The issue we are having is the comcast modem with the SMC router will not go into bridge mode and let the cisco pix501 have the static address assigned to it.  If we put the pix in to dhcp mode we get assigned a diffrent ip than our static but we can use the web ect.  Any ideas or leads on where to get this resolved. Comcast and Cisco are both pointing fingers as well as SMC.

our pix is current IOS PDM  

Question by:Steven Church
  • 7
  • 6

Expert Comment

ID: 17105233
OHHHHHHH, i have the same problem when I first signed up for the comcast business with 5 public IPs.  I called comcast support for 2 weeks on them fixing this and for some reason hardly anybody knew how to do this.

Turning the crapy smc modem/router to bridge mode is simply turning off the DHCP.  Of course before this happens make sure comcast did upload a file to the crapy smc modem/router so you can have your 5 public IPs or else it won't work.  Then make sure your PIX route is pointing to the comcast Default-Gateway (DG).  So let's say your public IP range is: to

Then I believe the command is:  route 0 0
then assign your outside interface on your pix of
Then you can do your static translations and ACLs.  of course make sure you have the nat and global configuration so you can do NATing and PATing.


Author Comment

by:Steven Church
ID: 17105562
We only have 1 static Ip address. We had a similar issue with a linksys rv042 and they had to downgrade the firmware on the smc pos.... I will sure give it a shot. I will let you know.

Thanks for some direction

Expert Comment

ID: 17117312
with only 1 static public ip address it will work as well.

static public ip
your dg should be :

then give your outside interface on your pix the with a dg of

Let me know how it goes because this entire ordeal I had with comcast really upset me that they can't support their product.

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.


Author Comment

by:Steven Church
ID: 17147929
No go on that solutions, I thought we had tried that once and it still doesnt work. The cisco powers up, then the smc freaks out and not traffic between the smc and cisco.

Back to the drawing board.  We have talked with 4 levels into comcast land and they say oh nope that wont work sorry to bad.

Any more ideas or thingss to try would be great!


Expert Comment

ID: 17150532
Please post your PIX configuration.


Author Comment

by:Steven Church
ID: 17185831
Here is the config. its stock out of the box with very little configured.

Building configuration...
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /YkVqZmBD0uSVWHm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mail.
domain-name rrpark.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group outside_access_in in interface outside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username assured password QRz9eoLBtoiM0kwY encrypted privilege 15
terminal width 80
: end


Expert Comment

ID: 17188739
This is what I would do.  Do the dhcp and see what IP address you are receiving from http://www.whatismyip.com

so let's say it's:

this ip address should match the default gateway to the email you got from your sales person who opened up the account for you.

also, in the email it should say specifically what is your static public ip address.  from your configuration it looks solid with very little modification to it and should allow your internal nodes internet access.

Let me know if I'm wrong in any of my statements.


Author Comment

by:Steven Church
ID: 17234123
The info listed is what comcast gave us via phone, nothing was sent out via email.

Author Comment

by:Steven Church
ID: 17344842
Comcast has contacted us and the are installing a new model of the smc modem next week. I will update the info as we get it!  

Accepted Solution

Pentrix2 earned 1000 total points
ID: 17351322
Thanks for the update.  :)


Author Comment

by:Steven Church
ID: 17586741
After waiting for comcast to send out a biz tech with the modem, they have pulled the new smc back for more testing.   We have had the interface rebuild twice to just keep the current vpn on the RV042 alive.

Expert Comment

ID: 17588188
The thing that fixed it on my side was the business techs had to replace some kind of board outside my building.  Something like if it's reading -25 then it's good.  It's the box that your facility should be sharing.

Author Comment

by:Steven Church
ID: 17589564
I will ask, our local tech is a good friend.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17681673
Steven, I need an update here please as it has expired again.

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…
Suggested Courses
Course of the Month14 days, 14 hours left to enroll

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question