Solved

Comcast and Cisco Pix

Posted on 2006-11-18
11
869 Views
Last Modified: 2013-11-16
Hi, I need help.  I have a Comcast account with 5 static IP addresses (the cable modem is an Ambit Broadband).  I also have a Cisco PIX 501.  I am setting up some Windows servers (Domain, DNS, DHCP, Mail, Web, FTP, etc.) at my house only for personal use.  My problem is I do not know how to use the info from the broadband modem with my Cisco PIX 501.  I can't figure out how to allow access from the cable modem to my PIX....   Here is my configuration.  I need any and all help that is available.  I know very little about PIX and IP addresses...

Cable Modem...
 Gateway - Information
INTERNET SETTINGS  
Internet IP Address: 64.183.211.33
Subnet Mask: 255.255.255.240
Default Gateway: 10.1.64.1
DNS: 24.93.41.125
 
LOCAL SETTINGS
Gateway IP Address: 192.168.0.1
Subnet Mask: 255.255.255. 0
DHCP Server: Enable
No Server Allowed :  Disabled
NAT :  Enabled
 
Operating Mode: NAT Router mode
 
Private IP Range: 192.168.0.2 through 192.168.0.201
Public IP Range: 64.183.211.34 through 64.183.211.46

And here is the pix config....

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname swdPIX
domain-name rockbeck
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 64.183.211.36 eq ftp
access-list outside_in permit tcp any host 64.183.211.36 eq www
access-list outside_in permit tcp any host 64.183.211.35 eq smtp
access-list outside_acess_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.183.211.34 255.255.255.240
ip address inside 192.168.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.183.211.35 192.168.0.6 netmask 255.255.255.255 0 0
static (inside,outside) 64.183.211.36 192.168.0.7 netmask 255.255.255.255 0 0
static (inside,outside) 64.183.211.37 192.168.0.8 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.5 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:981fae1791efcc61d0197051eb601339
: end
swdPIX(config)#


Thanks...
 
0
Question by:schrockd
11 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17973904
First can you put the broadband modem into bridge mode so that you can assign the public ip addresses directly onto the pix outside ?

Cheers,
Rajesh
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17973959
<Public IP Range: 64.183.211.34 through 64.183.211.46>
<Subnet Mask: 255.255.255.240>

This gives 16 IP addresses; one for the network and one for broadcast leaves 14 usable. One each for the modem and the PIX, say, leaves 12 (assuming Comcast does things the same way as most ISPs) but ho-hum.

Also, you will need a Global statement to match your NAT 1 command plus the relevant access-lists.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17974233
The static statements look fine.

>route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
No. This has to go. It must point to Comcast IP address..

 no route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
 route outside 0.0.0.0 0.0.0.0 64.183.211.33  <== this must be the ISP's IP

>Cable Modem...
> Gateway - Information
>INTERNET SETTINGS  
Was this information provided by Comcast, or did you look on the cable modem and find this information?

>Default Gateway: 10.1.64.1
For your PIX, the Default Gateway must be on the same subnet as the outside IP address.

Also add a global as Keith suggested:
  global (outside) 1 interface
0
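Keith's subnet arithmetic and lrmoore's two corrections (the default route must point at a next hop inside the outside interface's subnet, and every `nat` id needs a matching `global`) are easy to check mechanically. The script below is an added example, not code from this thread or from Cisco: it parses a PIX 6.3 config with a handful of string splits and reports the mistakes discussed above. The embedded sample is a trimmed copy of the first config the poster shared; the lint rules are my own assumptions about what is worth checking. It also surfaces a point nobody in the thread mentions: the `icmp` permit lives in an access-list (`outside_acess_in`) that is never bound with `access-group`, so it has no effect.

```python
"""Added example (not from the thread): lint a PIX 6.3 config for the
mistakes the experts point out above.  The checks are my own choices,
not a Cisco tool, and the sample config is a constructed, trimmed copy
of the poster's first config."""
import ipaddress

# Constructed sample: the relevant lines from the first config posted above.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_in permit tcp any host 64.183.211.36 eq ftp
access-list outside_in permit tcp any host 64.183.211.36 eq www
access-list outside_in permit tcp any host 64.183.211.35 eq smtp
access-list outside_acess_in permit icmp any any
ip address outside 64.183.211.34 255.255.255.240
ip address inside 192.168.0.3 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.183.211.35 192.168.0.6 netmask 255.255.255.255 0 0
static (inside,outside) 64.183.211.36 192.168.0.7 netmask 255.255.255.255 0 0
static (inside,outside) 64.183.211.37 192.168.0.8 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
"""


def usable_hosts(network):
    """Host addresses in a subnet after removing network and broadcast."""
    net = ipaddress.ip_network(network, strict=False)
    return net.num_addresses - 2


def parse_pix(text):
    """Pull out the statements the checks need; returns a plain dict."""
    cfg = {"ip": {}, "nat": set(), "global": set(), "static": [],
           "acl": set(), "group": [], "route": []}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["ip", "address"] and len(p) >= 5:
            # 'ip address <ifname> <addr> <mask>'
            cfg["ip"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "nat" and len(p) >= 3:           # nat (inside) <id> ...
            cfg["nat"].add(p[2])
        elif p[0] == "global" and len(p) >= 3:        # global (outside) <id> ...
            cfg["global"].add(p[2])
        elif p[0] == "static" and len(p) >= 4:        # static (in,out) <pub> <priv>
            cfg["static"].append((p[2], p[3]))
        elif p[0] == "access-list" and len(p) >= 2:
            cfg["acl"].add(p[1])
        elif p[0] == "access-group" and len(p) >= 5:  # access-group <acl> in interface <if>
            cfg["group"].append((p[1], p[4]))
        elif p[0] == "route" and len(p) >= 5:         # route <if> <dst> <mask> <gw> [metric]
            cfg["route"].append((p[1], p[4]))
    return cfg


def lint(cfg):
    """Return a list of human-readable findings (empty means clean)."""
    findings = []
    # 1. A route's next hop must sit inside the subnet of the interface it uses.
    for iface, gw in cfg["route"]:
        net = cfg["ip"].get(iface)
        if net is not None and ipaddress.ip_address(gw) not in net.network:
            findings.append(f"route {iface}: next hop {gw} is not in the "
                            f"{iface} subnet {net.network}")
    # 2. Every 'nat (inside) N' needs a 'global (outside) N' to translate into.
    for pool in sorted(cfg["nat"] - cfg["global"]):
        findings.append(f"nat id {pool} has no matching 'global (outside) {pool}' statement")
    # 3. access-group must name an ACL that exists, and a defined ACL that is
    #    never applied is dead configuration (often a typo in the name).
    applied = set()
    for acl, iface in cfg["group"]:
        applied.add(acl)
        if acl not in cfg["acl"]:
            findings.append(f"access-group on {iface} references undefined access-list {acl}")
    for acl in sorted(cfg["acl"] - applied):
        findings.append(f"access-list {acl} is defined but never applied with access-group")
    # 4. Public addresses in static NAT entries should belong to the outside subnet.
    outside = cfg["ip"].get("outside")
    if outside is not None:
        for pub, priv in cfg["static"]:
            if ipaddress.ip_address(pub) not in outside.network:
                findings.append(f"static {pub} -> {priv}: public address is not in {outside.network}")
    return findings


if __name__ == "__main__":
    print("usable hosts in 64.183.211.32/28:", usable_hosts("64.183.211.32/255.255.255.240"))
    for finding in lint(parse_pix(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against the sample it reports the bad default route, the missing `global (outside) 1`, and the never-applied `outside_acess_in` list; after the route is repointed at 64.183.211.33 and the `global` line is added, only the dead access-list remains.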
 

Author Comment

by:schrockd
ID: 17976162
I made the changes to the route outside... and made the change to the global interface......    I do not know what you mean by...  

>Default Gateway: 10.1.64.1
For your PIX, the Default Gateway must be on the same subnet as the outside IP address.

I still not able to access the internet behind the pix.  Also what address should I assign to the PC...
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17977469
>Default Gateway: 10.1.64.1
<For your PIX, the Default Gateway must be on the same subnet as the outside IP address.>

<Internet IP Address: 64.183.211.33> The modem and the pix outside interface use the 64.x.y.z id therefore the default gateway must be on the 64.x.y.z subnet also, not 10.1.61.1.

You have NAT enabled on the Modem also which currently is using the 192.168.0.0 subnet. (Would have expected this to be in Bridge mode if you were looking to put a 'real' external IP address on to the outside of the PIX.) You are also using this 192.168.0.0 subnet for the internal subnet of the PIX. Maybe I'll leave this part to LRMoore as we do not have Comcast in the UK so maybe things are done differently with them.

0

Author Comment

by:schrockd
ID: 17978578
The Default Gateway comes from Comcast (Time Warner)... I cannot change it.  Nothing in the modem I can change...  Do I need to call Comcast to change something?  Also, here is some more info the tech guy left me...

Network:64.183.211.32
Gateway: 64.183.211.33
Useable: 64.183.211.34 thru 64.183.211.46
Size: /28  Subnet: 255.255.255.240
TWC DNS1: 24.93.41.125  
TWC DNS2: 24.93.41.126  
 Network Destination          Netmask          Gateway
             0.0.0.0          0.0.0.0        10.1.64.1
           10.1.64.0    255.255.224.0    255.255.224.0
       64.183.211.32  255.255.255.240  255.255.255.240
           127.0.0.0        255.0.0.0        127.0.0.1
         192.168.0.0    255.255.255.0    255.255.255.0
       192.168.100.0    255.255.255.0    255.255.255.0
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17979131
You've assigned your PIX outside IP 64.183.211.34 255.255.255.240
And added default route on pix: route outside 0.0.0.0 0.0.0.0 64.183.211.33

Did you remove the old default route?
Don't worry about what is on the modem, it is in bridge mode, but still has its own IP address 192.168.100.1 by default..
Now can you ping 64.183.211.33 from the PIX console? Can you ping 192.168.100.1?
If not, try powering off the modem, let it sit for 5 full minutes, then power it back up. Once it syncs its signal, you can try pinging again...
0
 

Author Comment

by:schrockd
ID: 17994934
Yes, from the PIX... I can ping 64.183.211.33 and 192.168.100.1......  But if I set the computer (behind the PIX) to obtain an IP address automatically, it does not assign me an IP address... and if I set the address to 192.168.0.5 I am not able to ping any address or get to the internet.

Here is the pix info.....

:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password mFSO2FfjFKJQhauL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname swdPIX
domain-name rockbeck
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 64.183.211.36 eq ftp
access-list outside_in permit tcp any host 64.183.211.36 eq www
access-list outside_in permit tcp any host 64.183.211.35 eq smtp
access-list outside_acess_in permit icmp any any
access-list outside-access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.183.211.34 255.255.255.240
ip address inside 192.168.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.183.211.35 192.168.0.6 netmask 255.255.255.255 0 0
static (inside,outside) 64.183.211.36 192.168.0.7 netmask 255.255.255.255 0 0
static (inside,outside) 64.183.211.37 192.168.0.8 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.183.211.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.5 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:cccbe4306d4f5641e6c660fe39a117f6
: end
swdPIX#
swdPIX# ping 64.183.211.33
        64.183.211.33 response received -- 10ms
        64.183.211.33 response received -- 0ms
        64.183.211.33 response received -- 0ms
swdPIX# ping 64.183.211.33
        64.183.211.33 response received -- 0ms
        64.183.211.33 response received -- 0ms
        64.183.211.33 response received -- 0ms
swdPIX# ping 192.168.100.1
        192.168.100.1 response received -- 0ms
        192.168.100.1 response received -- 0ms
        192.168.100.1 response received -- 0ms
swdPIX# ping 192.168.100.1
        192.168.100.1 response received -- 0ms
        192.168.100.1 response received -- 0ms
        192.168.100.1 response received -- 0ms
swdPIX#


Thanks
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17995053
>it do not assign me an ip address...
That's because you have dhcp server disabled

If you assign yourself an IP address, do you use these settings?
 192.168.0.5 / 255.255.255.0
 Default Gateway 192.168.0.3
 DNS 24.93.41.125  

Can you ping 192.168.0.3 from the PC?
0
 

Author Comment

by:schrockd
ID: 18097472
Sorry... I have not gotten back to this... been really busy... But everything works... thanks to all.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18107894
Are you still working on this? Can you close out this question before the cleanup crew gets around to it?
Thanks!
0
