Solved

Cisco PIX 515E with cable modem?

Posted on 2008-10-03
23
1,392 Views
Last Modified: 2013-12-14
Hi guys,

I have a Cisco PIX 515E with a cable modem (RCA brand). What type of cable do I need to connect from the cable modem to the PIX 515E? Crossover? Straight thru? Just want to have the PIX be my main router.

cable modem ->pix 515e->switch->computers

thanks.
Question by:tinhnho
23 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22639283
Just a regular straight through cable should work!
If you need configuration assistance, just post a config and ask a question and I'd be glad to help!
Cheers!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22639284
Oh, and plug it into the ethernet 0 port.
0
 

Author Comment

by:tinhnho
ID: 22639336
my ip: 12.207.41.111
subnet: 255.255.255.0
gateway :12.207.41.1 1
DNS: 204.127.203.135 and  216.148.225.135

Before, I had it set up and running while I was at my company, but once I brought it home I can't get it running with the cable modem. Thanks.
pix-config-cable.TXT
0
 
LVL 8

Accepted Solution

by:
sstone55423 earned 250 total points
ID: 22639396
The PIX 515E is a firewall, not a router.  What was the IP range offered by the cable modem before you put the PIX into place?
 
When you put the PIX in the middle, it will have to have assigned as its outside IP address one of the addresses passed through by your cable modem.  It should offer NAT for inside addresses, but probably does not offer DHCP, and so you will need a DHCP server for inside the PIX.  The inside connection of the PIX will need to be on that network (and it will be the default gateway handed out by the DHCP server).
If we talk a bit further we can work this out.
0
 

Author Comment

by:tinhnho
ID: 22639419
No idea what the IP range is. I only know the IP, gateway and DNS based on my old D-Link router. I replaced my D-Link router with the PIX but the PIX doesn't seem to be working.
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22639435
OK, I see you have the PIX config.  It is offering DHCP inside, on the range 192.168.1.2 through 192.168.1.254, and is offering DNS addresses of 204.127.203.135 and 216.148.225.135 (ns1.mchsi.com, ns2.mchsi.com).  The default gateway for inside PCs will be 192.168.1.1.
Your outside IP is shown as 12.207.41.111/24 (Mediacom, Foster City, CA)
Who is your local ISP?  Is it, in fact, Mediacom?  Is the cable modem in bridging mode passing the entire class C space through, or was that the address at the previous place (your company?)  I think we have to change the outside IP address so that it is consistent with your local ISP's address space.
 
 
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22639460
Do your PCs get the DHCP address?  When you do an "ipconfig /all" what do the IP, DNS and default gateway come up as?  Can you ping out to the PIX, and then out to the cable modem, and then out to someplace outside, like 4.2.2.2?
0
 

Author Comment

by:tinhnho
ID: 22639473
It's Mediacom. My company doesn't have Mediacom. I believe the cable modem is in bridging mode. The IPs on my ethernet 0 in my running-config are my current IPs at home.
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22639498
Cool.  Well, the whole class C - /24 thing is unusual, but I suppose you only get that one IP from the space.  
 
So, could you try to ping 192.168.1.1, and 12.207.41.111 and 12.207.41.1 and 4.2.2.2 and 204.127.203.135 and tell me what you get?  Do they all succeed?
0
 

Author Comment

by:tinhnho
ID: 22639539
Yeah, the class C /24 seems abnormal to me here too, but it's what I saw on my old D-Link router when it was connected to the cable modem.

I can only ping 192.168.1.1 from my client computer (192.168.1.2); the rest (12.207.41.111, 12.207.41.1, 4.2.2.2 and 204.127.203.135) are unsuccessful.

The attachment is my client ipconfig /all. Thanks

ipconfig.JPG
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22639568
Well, if you can ping 192.168.1.1, then you have the right cable connected to the internal network.  I assume that the e0 is connected to the cable modem?  Do you have link lights on the cable modem, and the e0 port on the Cisco?  Can you try connecting into the Cisco, and pinging the outside 12.207.41.1 and 4.2.2.2 IPs?
 
Oh, one trick I learned from Comcast.  They tie the MAC address of the device they connect to to the IP.  So, when you connect from the cable modem to the PIX, please power cycle the cable modem so that it will assign a new address to the new MAC address (rather than expecting the IP of the D-Link).
0

 
LVL 14

Expert Comment

by:Kutyi
ID: 22639704
I believe a crossover cable, but you only have a choice of 2; once you get a link light you are good to go.
0
 

Author Comment

by:tinhnho
ID: 22639709
The e0 is connected to the cable modem, all lights are working.

I power cycled the cable modem and configured e0 as "ip address dhcp setroute" instead of setting it with a static IP as earlier. This time, from the PIX, I can ping 4.2.2.2 and 12.207.41.1:

pixfirewall# ping 4.2.2.2
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/40 ms

pixfirewall# ping 12.207.41.1
Sending 5, 100-byte ICMP Echos to 12.207.41.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
pixfirewall# ping


But my client computer still cannot ping 4.2.2.2 or 12.207.41.1, nor does it have internet. I think there is a problem with my NAT. I uploaded my new running-config here, please take a look. Thanks.




pix-dhcp.TXT
0
 

Author Comment

by:tinhnho
ID: 22639718
BTW, my current setup:

cable modem--(straight thru cable)--> PIX---(straight thru cable)-->switch--->(straight thru cable)-->computers

0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22639725
Yes, I was looking at that too.  Between the NAT and the access list, that is where the problem is narrowed to.
 

access-list 111 extended permit icmp any any
access-list 111 extended permit tcp any any
access-list inside_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.240
access-list outside_cryptomap_dyn_20 extended permit ip any 172.16.1.0 255.255.255.240
access-list outside_pnat_inbound extended permit ip interface outside interface inside

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0

I don't see a global (outside) assignment.
 
I would expect something more like:
global (outside) 1 12.207.41.111
nat (inside) 1 192.168.1.0 255.255.255.0
 
 I will look with a fresh brain at this tomorrow.
0
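
The NAT diagnosis in the post above, as an added example that is not part of the original thread: a Python check that pairs pre-8.3 style `nat (if) N` statements with `global (if) N` statements and flags `nat 0` rules, which leave source addresses untranslated. The function name `audit_nat`, the finding codes and both sample strings are assumptions made for this example; the samples are constructed from the lines quoted in the post.

```python
import re

# Constructed sample: the nat lines quoted in the post above (no global present).
BROKEN = """\
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
"""
# Constructed sample: the nat/global pairing the post says it would expect.
EXPECTED = """\
global (outside) 1 12.207.41.111
nat (inside) 1 192.168.1.0 255.255.255.0
"""

STMT = re.compile(r"^(nat|global) \((\S+)\) (\d+) (.+)$")

def audit_nat(config):
    """Return (code, detail) findings for pre-8.3 style nat/global lines."""
    nats, global_ids = [], set()
    for raw in config.splitlines():
        m = STMT.match(raw.strip())
        if not m:
            continue  # not a nat/global statement
        kind, iface, nat_id, rest = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if kind == "nat":
            nats.append((iface, nat_id, rest))
        else:
            global_ids.add(nat_id)
    findings = []
    for iface, nat_id, rest in nats:
        if nat_id == 0:
            # id 0 means "do not translate": NAT exemption (ACL) or identity NAT
            code = "nat0-exempt" if rest.startswith("access-list ") else "nat0-identity"
            findings.append((code, f"nat ({iface}) 0 {rest}"))
        elif nat_id not in global_ids:
            findings.append(("no-global", f"nat ({iface}) {nat_id} has no global {nat_id}"))
    # Inside hosts only get translated if some nat id > 0 has a matching global.
    if not any(nid in global_ids for _, nid, _ in nats if nid > 0):
        findings.append(("no-translation", "no nat id > 0 is paired with a global"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("expected", EXPECTED)):
        print(name, audit_nat(cfg) or "OK")
```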
 
LVL 8

Expert Comment

by:sstone55423
ID: 22639732
> BTW, my current setup:

>cable modem--(straight thru cable)--> PIX---(straight thru cable)-->switch--->(straight thru cable)-->computers

This looks correct.  Many devices are auto MDIX, meaning they swap signals if you don't put a crossover cable where you should.  The acid test is if the devices have a link light.  If you needed a crossover cable, your link lights would not work.
Also, the diagnosis we used tested pinging to 192.168.1.1 successfully -- meaning that the cable between the switch and the router, and between the PC and the switch are correct.
The ping from the PIX outbound worked fine too, meaning the cable between the cable modem and the PIX is correct.
The ping from PC to outside fails because either the NAT, or the access list is incorrect.  Our previous comments indicate that the NAT is almost certainly the issue.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22639883
Hi tinhnho,
The commands you need to fix your config and restore internet access to the inside are:
no nat (inside) 0 access-list inside_nat0_outbound
global (outside) 1 interface
The access-lists do not affect anything since they aren't applied to any interfaces.
Everything else looks good to get you online assuming you have your IPs right and stuff.
After running these commands, if your PCs aren't online, you need to switch the straight through cable between the PIX and the switch to a crossover cable.
If I remember correctly, the PIXes' ethernet ports are actually switch ports and you are always supposed to use crossover cables when connecting like (aka same type) of ports.
Your new topology should look like this:
cable modem--(straight thru cable)--> PIX---(crossover cable)-->switch--->(straight thru cable)-->computers
BTW - the PIX is not a router as mentioned, but it does indeed route and is fine as one for small businesses and homes.
Cheers! Let me know if that helps! :)
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22640952
I agree with Pugglewuggle, except on one point.  We have checked the cables, and those are working fine.  Switching them will only risk breaking it.  If we can ping through the cables (and we did) they are correct.  The link lights support this also. The PIX 515E has Auto MDI/MDIX and so there is no need to worry about that.
I think (as I said) that putting in the global command will fix the issue.  I agree with Pugglewuggle about removing the access list (no nat (inside) 0 access-list inside_nat0_outbound).
If
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22640957
I was starting to say, If you have further issues, we will work them out.  We are almost there.
0
 

Author Comment

by:tinhnho
ID: 22641308
Hi guys,

After removing those 2 lines, my client computers can now get online.

From my client computers, I can't ping any IP/address but I can go on the internet. I assume there is an access-list that deals with ICMP in the config, but I can't find any, or I may be wrong. Any suggestions that will allow the client computers to ping the outside world?

Btw, I can ping the e0 IP address from a different WAN now.

Thanks a lot for your help.
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 250 total points
ID: 22641373
Good! I'm glad to hear my commands got you up and running!
The problem is that all PIX/ASA software before version 8.x doesn't allow ICMP echo-reply messages (the returns to your pings).
You need to enter this command:
icmp permit any echo-reply outside
Only then try this command if that doesn't work. If that works then don't worry about this one:
access-list outside_access_in permit icmp any interface outside echo-reply
access-group outside_access_in in interface outside
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22641380
Also - you mentioned the 515e having auto MDI/MDIX ports... it might but I know the 525 doesn't because I was configuring one last week and I had to use crossover cables to connect it to my desktop switch. I assumed the 515e was the same way... although having MDI/MDIX on the switch should solve the problem even if the 515e does not.
Cheers!
0
 

Author Comment

by:tinhnho
ID: 22642318
Again, thanks a lot for your help. Have a great weekend.
0
