• Status: Solved

Cisco PIX 515E with cable modem?

Hi guys,

I have a Cisco PIX 515E with a cable modem (RCA brand). What type of cable do I need to connect from the cable modem to the PIX 515E? Crossover? Straight-through? I just want to have the PIX be my main router.

cable modem ->pix 515e->switch->computers

thanks.
tinhnho
Asked:
 
Pugglewuggle Commented:
Just a regular straight through cable should work!
If you need configuration assistance, just post a config and ask a question and I'd be glad to help!
Cheers!
 
Pugglewuggle Commented:
Oh, and plug it into the ethernet 0 port.
 
tinhnho (Author) Commented:
my ip: 12.207.41.111
subnet: 255.255.255.0
gateway :12.207.41.1 1
DNS: 204.127.203.135 and  216.148.225.135

Before, I had it set up and running while I was at my company, but once I brought it home I can't get it running with the cable modem. Thanks.
pix-config-cable.TXT
 
sstone55423 Commented:
The PIX 515E is a firewall, not a router.  What was the IP range offered by the cable modem before you put the PIX into place?

When you put the PIX in the middle, it will have to have assigned as its outside IP address one of the addresses passed through by your cable modem.  It should offer NAT for inside addresses, but probably does not offer DHCP, and so you will need a DHCP server for inside the PIX.  The inside connection of the PIX will need to be on that network (and it will be the default gateway handed out by the DHCP server).
If we talk a bit further we can work this out.
 
tinhnho (Author) Commented:
No idea what the IP range is. I only know the IP, gateway and DNS based on my old D-Link router. I replaced my D-Link router with the PIX, but the PIX doesn't seem to be working.
 
sstone55423 Commented:
OK, I see you have the PIX config.  It is offering DHCP inside, on the range 192.168.1.2 through 192.168.1.254, and is offering DNS addresses of 204.127.203.135 and 216.148.225.135 (ns1.mchsi.com, ns2.mchsi.com).  The default gateway for inside PCs will be 192.168.1.1.
Your outside IP is shown as 12.207.41.111/24 (Mediacom, Foster City, CA).
Who is your local ISP?  Is it, in fact, Mediacom?  Is the cable modem in bridging mode passing the entire class C space through, or was that the address at the previous place (your company?)  I think we have to change the outside IP address so that it is consistent with your local ISP's address space.
 
sstone55423 Commented:
Do your PCs get the DHCP address?  When you do an "ipconfig /all", what do the IP, DNS and default gateway come up as?  Can you ping out to the PIX, and then out to the cable modem, and then out to someplace outside, like 4.2.2.2?
 
tinhnho (Author) Commented:
It's Mediacom. My company doesn't have Mediacom. I believe the cable modem is in bridging mode. The IP on my ethernet 0 in my running-config is my current IP at home.
 
sstone55423 Commented:
Cool.  Well, the whole class C - /24 thing is unusual, but I suppose you only get that one IP from the space.

So, could you try to ping 192.168.1.1, and 12.207.41.111 and 12.207.41.1 and 4.2.2.2 and 204.127.203.135 and tell me what you get?  Do they all succeed?
 
tinhnho (Author) Commented:
Yeah, the class C /24 seems abnormal to me too, but it's what I saw from my old D-Link router when it was connected to the cable modem.

I can only ping 192.168.1.1 from my client computer (192.168.1.2); the rest (12.207.41.111, 12.207.41.1, 4.2.2.2 and 204.127.203.135) are unsuccessful.

The attachment is my client's ipconfig /all. Thanks.

ipconfig.JPG
 
sstone55423 Commented:
Well, if you can ping 192.168.1.1, then you have the right cable connected to the internal network.  I assume that the e0 is connected to the cable modem?  Do you have link lights on the cable modem, and the e0 port on the Cisco?  Can you try connecting into the Cisco, and pinging the outside 12.207.41.1 and 4.2.2.2 IPs?

Oh, one trick I learned from Comcast.  They tie the MAC address of the device they connect to to the IP.  So, when you connect from the cable modem to the PIX, please power cycle the cable modem so that it will assign a new address to the new MAC address (rather than expecting the IP of the D-Link).
 
Kutyi Commented:
I believe a crossover cable, but you only have a choice of 2; once you get a link light you are good to go.
 
tinhnho (Author) Commented:
The e0 is connected to the cable modem; all lights are working.

I power cycled the cable modem and configured e0 as "ip address dhcp setroute" instead of setting it with a static IP as earlier. This time, from the PIX, I can ping 4.2.2.2 and 12.207.41.1:

pixfirewall# ping 4.2.2.2
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/40 ms

pixfirewall# ping 12.207.41.1
Sending 5, 100-byte ICMP Echos to 12.207.41.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
pixfirewall# ping


But my client computer still cannot ping 4.2.2.2 or 12.207.41.1, and it has no internet either. I think there is a problem with my NAT. I uploaded my new running-config here, please take a look. Thanks.

pix-dhcp.TXT
 
tinhnho (Author) Commented:
BTW, my current setup:

cable modem--(straight thru cable)--> PIX---(straight thru cable)-->switch--->(straight thru cable)-->computers
 
sstone55423 Commented:
Yes, I was looking at that too.  Between the NAT and the access list, that is where the problem is narrowed to.

access-list 111 extended permit icmp any any
access-list 111 extended permit tcp any any
access-list inside_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.240
access-list outside_cryptomap_dyn_20 extended permit ip any 172.16.1.0 255.255.255.240
access-list outside_pnat_inbound extended permit ip interface outside interface inside

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0

I don't see a global (outside) assignment.

I would expect something more like:
global (outside) 1 12.207.41.111
nat (inside) 1 192.168.1.0 255.255.255.0

I will look with a fresh brain at this tomorrow.
 
sstone55423 Commented:
> BTW, my current setup:

>cable modem--(straight thru cable)--> PIX---(straight thru cable)-->switch--->(straight thru cable)-->computers

This looks correct.  Many devices are auto MDIX, meaning they swap signals if you don't put a crossover cable where you should.  The acid test is if the devices have a link light.  If you needed a crossover cable, your link lights would not work.
Also, the diagnosis we used tested pinging to 192.168.1.1 successfully -- meaning that the cable between the switch and the router, and between the PC and the switch are correct.
The ping from the PIX outbound worked fine too, meaning the cable between the cable modem and the PIX is correct.
The ping from PC to outside fails because either the NAT or the access list is incorrect.  Our previous comments indicate that the NAT is almost certainly the issue.
 
Pugglewuggle Commented:
Hi tinhnho,
The commands you need to fix your config and restore internet access to the inside are:
no nat (inside) 0 access-list inside_nat0_outbound
global (outside) 1 interface
The access-lists do not affect anything since they aren't applied to any interfaces.
Everything else looks good to get you online assuming you have your IPs right and stuff.
After running these commands, if your PCs aren't online, you need to switch the straight through cable between the PIX and the switch to a crossover cable.
If I remember correctly, the PIXes' ethernet ports are actually switch ports and you are always supposed to use crossover cables when connecting like (aka same type) of ports.
Your new topology should look like this:
cable modem--(straight thru cable)--> PIX---(crossover cable)-->switch--->(straight thru cable)-->computers
BTW - the PIX is not a router as mentioned, but it does indeed route and is fine as one for small businesses and homes.
Cheers! Let me know if that helps! :)
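
An added example, not part of any post in this thread: a small Python audit for the two conditions raised in the comments above, `nat` lines with no matching `global` (or with id 0, which disables translation) and access-lists never bound with `access-group`. The `audit` function and both sample configs are assumptions, constructed from the lines quoted in the thread.

```python
import re

# Constructed sample: NAT and ACL lines as quoted in the thread (PIX 7.x syntax).
BEFORE = """\
access-list 111 extended permit icmp any any
access-list 111 extended permit tcp any any
access-list inside_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.240
access-list outside_cryptomap_dyn_20 extended permit ip any 172.16.1.0 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
"""

# Constructed sample: the nat/global pair proposed in the thread.
AFTER = """\
access-list 111 extended permit icmp any any
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
"""

XLATE_RE = re.compile(r"^(nat|global) \((\S+)\) (\d+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) (?:in|out) interface \S+")


def audit(config):
    """Return sorted findings for the NAT and ACL lines of a config text."""
    nat_ids, global_ids, acls, bound, findings = {}, set(), set(), set(), []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := XLATE_RE.match(line):
            kind, ifc, pool_id, rest = m[1], m[2], int(m[3]), m[4]
            if kind == "global":
                global_ids.add(pool_id)
            elif pool_id == 0:
                # nat id 0 means "do not translate" (identity NAT or exemption)
                findings.append(f"nat ({ifc}) 0 {rest}: matching traffic leaves untranslated")
            else:
                nat_ids[pool_id] = ifc
        elif m := ACL_RE.match(line):
            acls.add(m[1])
        elif m := GROUP_RE.match(line):
            bound.add(m[1])
    for pool_id, ifc in nat_ids.items():
        if pool_id not in global_ids:
            findings.append(f"nat ({ifc}) {pool_id}: no global with id {pool_id}")
    for name in acls - bound:
        findings.append(f"access-list {name}: no access-group, filters no interface")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, *audit(cfg), sep="\n  ")
```

An access-list reported here may still be referenced elsewhere (NAT exemption, crypto map); the finding only says it is not filtering traffic on any interface.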
 
sstone55423 Commented:
I agree with Pugglewuggle, except on one point.  We have checked the cables, and those are working fine.  Switching them will only risk breaking it.  If we can ping through the cables (and we did) they are correct.  The link lights support this also. The PIX 515E has Auto MDI/MDIX and so there is no need to worry about that.
I think (as I said) that putting in the global command will fix the issue.  I agree with Pugglewuggle about removing the access list (no nat (inside) 0 access-list inside_nat0_outbound).
If
 
sstone55423 Commented:
I was starting to say, if you have further issues, we will work them out.  We are almost there.
 
tinhnho (Author) Commented:
Hi guys,

After removing those 2 lines, my client computers can now get online.

From my client computers, I can't ping any IP/address but I can go on the internet. I assume there is an access-list that deals with ICMP in the config, but I can't find any, or I may be wrong. Any suggestions that will allow client computers to ping the outside world?

BTW, I can ping the e0 IP address from a different WAN now.

Thanks a lot for your help.
 
Pugglewuggle Commented:
Good! I'm glad to hear my commands got you up and running!
The problem is that all PIX/ASA software before version 8.x doesn't allow ICMP echo-reply messages (the returns to your pings).
You need to enter this command:
icmp permit any echo-reply outside
Only then try this command if that doesn't work. If that works then don't worry about this one:
access-list outside_access_in permit icmp any interface outside echo-reply
access-group outside_access_in in interface outside
 
Pugglewuggle Commented:
Also - you mentioned the 515e having auto MDI/MDIX ports... it might but I know the 525 doesn't because I was configuring one last week and I had to use crossover cables to connect it to my desktop switch. I assumed the 515e was the same way... although having MDI/MDIX on the switch should solve the problem even if the 515e does not.
Cheers!
 
tinhnho (Author) Commented:
Again, thanks a lot for your help. Have a great weekend.
