schrockd

Comcast and Cisco Pix

Hi, I need help.  I have a Comcast account with 5 static IP addresses (the cable modem is an Ambit Broadband).  I also have a Cisco Pix 501.  I am setting up some Windows servers (Domain, DNS, DHCP, Mail, Web, FTP, etc.) at my house only for personal use.  My problem is I do not know how to use the info from the broadband modem with my Cisco Pix 501.  I can't figure out how to allow access from the cable modem to my Pix....   Here is my configuration.  I need any and all help that is available.  I know very little about Pix and IP addresses...

Cable Modem...
 Gateway - Information
INTERNET SETTINGS  
Internet IP Address: 64.183.211.33
Subnet Mask: 255.255.255.240
Default Gateway: 10.1.64.1
DNS: 24.93.41.125
 
LOCAL SETTINGS
Gateway IP Address: 192.168.0.1
Subnet Mask: 255.255.255.0
DHCP Server: Enable
No Server Allowed :  Disabled
NAT :  Enabled
 
Operating Mode: NAT Router mode
 
Private IP Range: 192.168.0.2 through 192.168.0.201
Public IP Range: 64.183.211.34 through 64.183.211.46

And here is the pix config....

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname swdPIX
domain-name rockbeck
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 64.183.211.36 eq ftp
access-list outside_in permit tcp any host 64.183.211.36 eq www
access-list outside_in permit tcp any host 64.183.211.35 eq smtp
access-list outside_acess_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.183.211.34 255.255.255.240
ip address inside 192.168.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.183.211.35 192.168.0.6 netmask 255.255.255.255 0 0
static (inside,outside) 64.183.211.36 192.168.0.7 netmask 255.255.255.255 0 0
static (inside,outside) 64.183.211.37 192.168.0.8 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.5 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:981fae1791efcc61d0197051eb601339
: end
swdPIX(config)#
swdPIX(config)#
swdPIX(config)#
swdPIX(config)#
swdPIX(config)#


Thanks...
 
rsivanandan

First can you put the broadband modem into bridge mode so that you can assign the public ip addresses directly onto the pix outside ?

Cheers,
Rajesh
Keith Alabaster
<Public IP Range: 64.183.211.34 through 64.183.211.46>
<Subnet Mask: 255.255.255.240>

This gives 16 IP addresses; one for the network and one for broadcast leaves 14 usable. One each for the modem and the PIX, say, leaves 12 (assuming Comcast does things the same way as most ISPs) but ho-hum.

Also, you will need a Global statement to match your NAT 1 command plus the relevant access-lists.

The static statements look fine.

>route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
No. This has to go. It must point to the Comcast IP address.

 no route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
 route outside 0.0.0.0 0.0.0.0 64.183.211.33  <== this must be the ISP's IP

>Cable Modem...
> Gateway - Information
>INTERNET SETTINGS  
Was this information provided by Comcast, or did you look on the cable modem and find this information?

>Default Gateway: 10.1.64.1
For your PIX, the Default Gateway must be on the same subnet as the outside IP address.

Also add a global as Keith suggested:
  global (outside) 1 interface
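
The checks raised in the replies above can be run mechanically against a PIX 6.x configuration. This is an added example, not code from the thread or from any Cisco tool; the function name `lint_pix` and the reduced `SAMPLE` are constructed here from the configuration posted in the question.

```python
import ipaddress

# Constructed sample: the first posted config, reduced to the lines the checks read.
SAMPLE = """\
ip address outside 64.183.211.34 255.255.255.240
ip address inside 192.168.0.3 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list outside_in permit tcp any host 64.183.211.36 eq www
access-list outside_acess_in permit icmp any any
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
"""

def lint_pix(config):
    """Return a list of findings for a PIX 6.x style configuration."""
    nets, nat_ids, global_ids = {}, set(), set()
    acls, bound, routes = set(), set(), []
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"] and len(w) >= 5:
            # "ip address <if> <addr> <mask>" -> network the interface sits on
            nets[w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}").network
        elif w[:1] == ["nat"] and len(w) >= 3:
            nat_ids.add(w[2])
        elif w[:1] == ["global"] and len(w) >= 3:
            global_ids.add(w[2])
        elif w[:1] == ["access-list"] and len(w) >= 2:
            acls.add(w[1])
        elif w[:1] == ["access-group"] and len(w) >= 2:
            bound.add(w[1])
        elif w[:1] == ["route"] and len(w) >= 5:
            # "route <if> <dest> <mask> <next-hop> [metric]"
            routes.append((w[1], ipaddress.ip_address(w[4])))
    findings = []
    for ifname, gw in routes:
        net = nets.get(ifname)
        if net is not None and gw not in net:
            findings.append(f"route {ifname}: next hop {gw} is not in {net}")
    # nat id 0 is NAT exemption and takes no global statement
    for nid in sorted(nat_ids - global_ids - {"0"}):
        findings.append(f"nat id {nid} has no matching global")
    for name in sorted(acls - bound):
        findings.append(f"access-list {name} is not applied by any access-group")
    return findings

if __name__ == "__main__":
    for finding in lint_pix(SAMPLE):
        print(finding)
```

An access-list reported as unapplied is not necessarily an error, since a list can be referenced by other commands; here it shows that the ICMP permit under the misspelled name never takes effect on the outside interface.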
schrockd

ASKER

I made the changes to the route outside... and made the change to the global interface......    I do not know what you mean by...  

>Default Gateway: 10.1.64.1
For your PIX, the Default Gateway must be on the same subnet as the outside IP address.

I am still not able to access the internet behind the pix.  Also, what address should I assign to the PC...
>Default Gateway: 10.1.64.1
<For your PIX, the Default Gateway must be on the same subnet as the outside IP address.>

<Internet IP Address: 64.183.211.33> The modem and the pix outside interface use the 64.x.y.z id therefore the default gateway must be on the 64.x.y.z subnet also, not 10.1.61.1.

You have NAT enabled on the Modem also which currently is using the 192.168.0.0 subnet. (Would have expected this to be in Bridge mode if you were looking to put a 'real' external IP address on to the outside of the PIX.) You are also using this 192.168.0.0 subnet for the internal subnet of the PIX. Maybe I'll leave this part to LRMoore as we do not have Comcast in the UK so maybe things are done differently with them.

The Default Gateway comes from Comcast (Time Warner)... I can not change it.  Nothing in the modem I can change...  Do I need to call Comcast to change something?  Also here is some more info the tech guy left me...  

Network:64.183.211.32
Gateway: 64.183.211.33
Useable: 64.183.211.34 thru 64.183.211.46
Size: /28  Subnet: 255.255.255.240
TWC DNS1: 24.93.41.125  
TWC DNS2: 24.93.41.126  
 Network Destination          Netmask          Gateway
             0.0.0.0          0.0.0.0        10.1.64.1
           10.1.64.0    255.255.224.0    255.255.224.0
       64.183.211.32  255.255.255.240  255.255.255.240
           127.0.0.0        255.0.0.0        127.0.0.1
         192.168.0.0    255.255.255.0    255.255.255.0
       192.168.100.0    255.255.255.0    255.255.255.0
ASKER CERTIFIED SOLUTION
Les Moore
Yes, from the pix... I can ping 64.183.211.33 and 192.168.100.1......  But if I set the computer (behind the pix) to obtain an IP address automatically it does not assign me an IP address... and if I set the address to 192.168.0.5 I am not able to ping any address or get to the internet.

Here is the pix info.....

:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password mFSO2FfjFKJQhauL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname swdPIX
domain-name rockbeck
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 64.183.211.36 eq ftp
access-list outside_in permit tcp any host 64.183.211.36 eq www
access-list outside_in permit tcp any host 64.183.211.35 eq smtp
access-list outside_acess_in permit icmp any any
access-list outside-access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.183.211.34 255.255.255.240
ip address inside 192.168.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.183.211.35 192.168.0.6 netmask 255.255.255.255 0 0
static (inside,outside) 64.183.211.36 192.168.0.7 netmask 255.255.255.255 0 0
static (inside,outside) 64.183.211.37 192.168.0.8 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.183.211.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.5 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:cccbe4306d4f5641e6c660fe39a117f6
: end
swdPIX#
swdPIX#
swdPIX#
swdPIX# ping 64.183.211.33
        64.183.211.33 response received -- 10ms
        64.183.211.33 response received -- 0ms
        64.183.211.33 response received -- 0ms
swdPIX# ping 64.183.211.33
        64.183.211.33 response received -- 0ms
        64.183.211.33 response received -- 0ms
        64.183.211.33 response received -- 0ms
swdPIX# ping 192.168.100.1
        192.168.100.1 response received -- 0ms
        192.168.100.1 response received -- 0ms
        192.168.100.1 response received -- 0ms
swdPIX# ping 192.168.100.1
        192.168.100.1 response received -- 0ms
        192.168.100.1 response received -- 0ms
        192.168.100.1 response received -- 0ms
swdPIX#


Thanks
>it does not assign me an IP address...
That's because you have the DHCP server disabled.

If you assign yourself an IP address, do you use these settings?
 192.168.0.5 / 255.255.255.0
 Default Gateway 192.168.0.3
 DNS 24.93.41.125  

Can you ping 192.168.0.3 from the PC?
Sorry... I have not gotten back to this... been really busy... But everything works... thanks to all.
Are you still working on this? Can you close out this question before the cleanup crew gets around to it?
Thanks!