IT_Desktop_Support

Cisco PIX and Netopia DSL Router - Can't get outside to the world

Recently our Netopia router that we've had for a few years finally quit, so AT&T came out and brought a new one.

Upon connecting the router, none of the machines can get outside to the internet. We have an older Netopia DSL that will work fine when plugged in.

Now there's a catch (as always).

We don't know the IP of the old Netopia DSL router to retrieve any configuration information if there is any and of course none of it is documented.

The company had hired a consultant to set up the Cisco PIX, so while we do have the configuration file, we don't really have a Cisco person (I know some basics, but nothing in terms of setting up a PIX).

I don't think it's something in the PIX configuration that is stopping the DSL, but I could be wrong as it worked with the dead router and the older one.



PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password replaced. encrypted
passwd replaced. encrypted
hostname PIX01
domain-name domain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_inside permit udp any any eq domain
access-list acl_inside permit tcp any any eq www
access-list acl_inside permit tcp any any eq https
access-list acl_inside permit tcp any any eq 8080
access-list acl_inside permit tcp any any eq 401
access-list acl_inside permit tcp any any eq ftp
access-list acl_inside permit tcp any any eq telnet
access-list acl_inside permit tcp any any eq aol
access-list acl_inside permit tcp any any eq 554
access-list acl_inside permit tcp any any eq 7070
access-list acl_inside remark Terminal Services/Remote Desktop
access-list acl_inside permit tcp any any eq 3389
access-list acl_inside permit tcp any any eq 10000
access-list acl_inside permit udp any any eq 10000
access-list acl_inside permit udp any any eq 4500
access-list acl_inside permit udp any any eq isakmp
access-list acl_inside permit esp any any
access-list acl_inside permit icmp any any echo
access-list acl_inside permit icmp any any echo-reply
access-list acl_inside permit icmp any any time-exceeded
access-list acl_inside permit icmp any any unreachable
access-list acl_inside permit tcp any any eq smtp
access-list acl_inside permit tcp any any eq pop3
access-list acl_outside permit icmp any any echo
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any time-exceeded
access-list acl_outside permit icmp any any unreachable
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.255.0.0
access-list split permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.255.0.0
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered warnings
logging trap informational
logging history warnings
logging host inside 192.168.1.10
no logging message 602101
no logging message 106014
no logging message 106015
no logging message 106012
no logging message 106013
no logging message 106010
no logging message 106011
no logging message 500001
no logging message 106006
no logging message 603101
no logging message 500003
no logging message 106007
no logging message 500002
no logging message 500004
no logging message 106002
no logging message 604103
no logging message 106001
no logging message 604102
no logging message 604101
no logging message 403500
no logging message 604104
no logging message 106022
no logging message 106023
no logging message 106020
no logging message 106021
no logging message 106018
no logging message 106016
no logging message 106017
no logging message 305012
no logging message 305011
no logging message 305010
no logging message 305009
no logging message 614002
no logging message 614001
no logging message 405104
no logging message 401004
no logging message 608001
no logging message 303002
no logging message 607001
no logging message 400018
no logging message 400019
no logging message 400016
no logging message 400017
no logging message 400022
no logging message 400020
no logging message 400021
no logging message 400010
no logging message 400011
no logging message 400009
no logging message 400014
no logging message 400015
no logging message 400012
no logging message 400013
no logging message 302010
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304002
no logging message 304001
no logging message 409004
no logging message 304005
no logging message 409001
no logging message 409002
no logging message 304008
no logging message 609002
no logging message 610001
no logging message 609001
no logging message 108002
no logging message 406001
no logging message 406002
no logging message 302016
mtu outside 1500
mtu inside 1500
ip address outside 75.11.85.XX 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.24.1.1-172.24.1.254
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 12.134.8.41 255.255.255.255 outside
pdm location 65.211.150.11 255.255.255.255 outside
pdm location 66.151.30.11 255.255.255.255 outside
pdm location 172.24.0.0 255.255.0.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 75.11.85.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 152.1.58.124 source outside
ntp server 18.145.0.30 source outside
ntp server 128.174.5.58 source outside
http server enable
http 65.211.150.11 255.255.255.255 outside
http 12.134.8.41 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.10 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.10
no snmp-server location
no snmp-server contact
snmp-server community Lau695
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set RemoteVPN esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set RemoteVPN
crypto map VPNmap 10 ipsec-isakmp dynamic dynmap
crypto map VPNmap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup group address-pool ippool
vpngroup group dns-server 192.168.1.10 206.141.192.60
vpngroup group default-domain group.com
vpngroup group split-tunnel nonat
vpngroup group idle-time 1800
vpngroup group password ********
telnet timeout 5
ssh 66.151.30.11 255.255.255.255 outside
ssh 12.134.8.41 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80


I changed some of the password/domain name etc.
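Two things in a PIX 6.3 config like the one above are worth verifying with a script after a DSL router swap, and a defender would want to see both at once: that the default gateway in `route outside` actually sits in the subnet given by `ip address outside` (with the Netopia bridging, the PIX has to ARP for that gateway itself), and which management lines (`http`, `ssh`, `snmp-server community`) are reachable from the outside. The following is an added example written for this thread, not code from the asker or from Cisco; it parses a constructed config in the same syntax using RFC 5737 documentation addresses rather than the real ones, and the function names and finding texts are this example's own.

```python
import ipaddress

# Constructed sample in the same PIX 6.3 syntax as the posted config. The
# addresses are RFC 5737 documentation ranges, not the asker's real values;
# the "any source on outside" management lines mirror the posted config.
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.18 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.17 1
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
snmp-server community public
"""


def parse_pix(text):
    """Extract the PIX 6.3 statements the checks below need: interface
    addresses, static routes, management-access lines and SNMP community."""
    cfg = {"interfaces": {}, "routes": [], "mgmt": [], "snmp_community": None}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["ip", "address"] and len(p) == 5:
            # ip address <ifname> <addr> <mask>
            cfg["interfaces"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "route" and len(p) >= 5:
            # route <ifname> <dest> <mask> <gateway> [metric]
            cfg["routes"].append({
                "ifname": p[1],
                "dest": ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False),
                "gateway": ipaddress.ip_address(p[4]),
            })
        elif p[0] in ("http", "ssh", "telnet") and len(p) == 4:
            # http|ssh|telnet <addr> <mask> <ifname>: who may reach management
            cfg["mgmt"].append({
                "proto": p[0],
                "net": ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False),
                "ifname": p[3],
            })
        elif p[:2] == ["snmp-server", "community"] and len(p) == 3:
            cfg["snmp_community"] = p[2]
    return cfg


def check_default_route(cfg):
    """Findings about the default route. With the DSL router bridging, the PIX
    must ARP for its gateway directly, so the gateway has to sit inside the
    outside interface's own subnet and must not be the PIX address itself."""
    findings = []
    defaults = [r for r in cfg["routes"] if r["dest"].prefixlen == 0]
    if not defaults:
        return ["no default route configured"]
    for r in defaults:
        iface = cfg["interfaces"].get(r["ifname"])
        if iface is None:
            findings.append(f"default route uses {r['ifname']}, which has no ip address")
        elif r["gateway"] == iface.ip:
            findings.append(f"gateway {r['gateway']} is the PIX's own {r['ifname']} address")
        elif r["gateway"] not in iface.network:
            findings.append(f"gateway {r['gateway']} is outside {r['ifname']} subnet {iface.network}")
    return findings


def check_management_exposure(cfg):
    """Findings about management reachable from the untrusted side: an
    http/ssh/telnet line with source 0.0.0.0 0.0.0.0 on the outside interface
    admits every internet address, and a default SNMP community is guessable."""
    findings = []
    for m in cfg["mgmt"]:
        if m["ifname"] == "outside" and m["net"].prefixlen == 0:
            findings.append(f"{m['proto']} management open to any source on outside")
    if cfg["snmp_community"] in ("public", "private"):
        findings.append("snmp-server community is a well-known default")
    return findings


def audit(text):
    """Run both checks over a config text and return the combined findings."""
    cfg = parse_pix(text)
    return check_default_route(cfg) + check_management_exposure(cfg)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
    # Same config with a gateway from a different subnet (constructed): the
    # route check reports it, the first thing to verify after a router swap.
    bad = SAMPLE_CONFIG.replace("203.0.113.17 1", "203.0.113.33 1")
    for f in check_default_route(parse_pix(bad)):
        print("FINDING:", f)
```

On the sample the route check is clean and the exposure check reports the two any-source management lines and the default community; restricting those `http`/`ssh` lines to the specific administrator addresses already present in the config (and dropping the `0.0.0.0 0.0.0.0 outside` entries) is the usual remediation.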
Les Moore

You need to set up the Netopia in bridge mode. You should be able to access its web page at http://192.168.1.254
Depending on the model, you have to enable bridge mode (system bridge) and disable the SPI firewall
IT_Desktop_Support (ASKER)

I believe the SP1 firewall is off on all the machines. It's probably the bridge mode that I'll have to take a look at.

Any specifics on it that I might need to know?

Thanks.
ASKER CERTIFIED SOLUTION
Les Moore
The SPI firewall is on the Netopia. Usually on by default.
What exact model Netopia?
Netopia 3347-02

Also are you referring to the Netopia LAN IP or something else?


You also need to make sure that NAT is disabled on the Netopia
This should be specific to your situation
http://www.netopia.com/support/hardware/technotes/CQG_042.html
The IP Passthrough is the same as disabling SPI Firewall
http://www.netopia.com/support/hardware/technotes/CQG_022.html
Great information!  I'll let you know how it goes
How are you getting on? Any luck?
Haven't had a chance to go back.  Going back today in the evening.
SOLUTION
Still having issues connecting outside :(
Never mind. I was too impatient and it's working!

Thanks so much!
Glad to hear. Hooray
Thanks Irmoore and LANm0nk3y for the help! Irmoore pretty much nailed it on the spot, but I gave LANm0nk3y some points for giving a tad bit more detail on the route outside.