Solved

Cisco PIX and Netopia DSL Router - Can't get outside to the world

Posted on 2009-05-09
15
959 Views
Last Modified: 2013-12-14
Recently our Netopia router that we've had for a few years finally quit, so AT&T came out and brought a new one.

Upon connecting the router, none of the machines can get outside to the internet.  We have an older Netopia DSL that will work fine when plugged in.

Now there's a catch (as always).

We don't know the IP of the old Netopia DSL router to retrieve any configuration information if there is any and of course none of it is documented.

The company had hired a consultant to set up the Cisco PIX, so while we do have the configuration file, we don't really have a Cisco person (I know some basics, but nothing in terms of setting up a PIX).

I don't think it's something in the PIX configuration that is stopping the DSL, but I could be wrong as it worked with the dead router and the older one.



PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password replaced. encrypted
passwd replaced. encrypted
hostname PIX01
domain-name domain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_inside permit udp any any eq domain
access-list acl_inside permit tcp any any eq www
access-list acl_inside permit tcp any any eq https
access-list acl_inside permit tcp any any eq 8080
access-list acl_inside permit tcp any any eq 401
access-list acl_inside permit tcp any any eq ftp
access-list acl_inside permit tcp any any eq telnet
access-list acl_inside permit tcp any any eq aol
access-list acl_inside permit tcp any any eq 554
access-list acl_inside permit tcp any any eq 7070
access-list acl_inside remark Terminal Services/Remote Desktop
access-list acl_inside permit tcp any any eq 3389
access-list acl_inside permit tcp any any eq 10000
access-list acl_inside permit udp any any eq 10000
access-list acl_inside permit udp any any eq 4500
access-list acl_inside permit udp any any eq isakmp
access-list acl_inside permit esp any any
access-list acl_inside permit icmp any any echo
access-list acl_inside permit icmp any any echo-reply
access-list acl_inside permit icmp any any time-exceeded
access-list acl_inside permit icmp any any unreachable
access-list acl_inside permit tcp any any eq smtp
access-list acl_inside permit tcp any any eq pop3
access-list acl_outside permit icmp any any echo
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any time-exceeded
access-list acl_outside permit icmp any any unreachable
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.255.0.0
access-list split permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.255.0.0
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered warnings
logging trap informational
logging history warnings
logging host inside 192.168.1.10
no logging message 602101
no logging message 106014
no logging message 106015
no logging message 106012
no logging message 106013
no logging message 106010
no logging message 106011
no logging message 500001
no logging message 106006
no logging message 603101
no logging message 500003
no logging message 106007
no logging message 500002
no logging message 500004
no logging message 106002
no logging message 604103
no logging message 106001
no logging message 604102
no logging message 604101
no logging message 403500
no logging message 604104
no logging message 106022
no logging message 106023
no logging message 106020
no logging message 106021
no logging message 106018
no logging message 106016
no logging message 106017
no logging message 305012
no logging message 305011
no logging message 305010
no logging message 305009
no logging message 614002
no logging message 614001
no logging message 405104
no logging message 401004
no logging message 608001
no logging message 303002
no logging message 607001
no logging message 400018
no logging message 400019
no logging message 400016
no logging message 400017
no logging message 400022
no logging message 400020
no logging message 400021
no logging message 400010
no logging message 400011
no logging message 400009
no logging message 400014
no logging message 400015
no logging message 400012
no logging message 400013
no logging message 302010
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304002
no logging message 304001
no logging message 409004
no logging message 304005
no logging message 409001
no logging message 409002
no logging message 304008
no logging message 609002
no logging message 610001
no logging message 609001
no logging message 108002
no logging message 406001
no logging message 406002
no logging message 302016
mtu outside 1500
mtu inside 1500
ip address outside 75.11.85.XX 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.24.1.1-172.24.1.254
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 12.134.8.41 255.255.255.255 outside
pdm location 65.211.150.11 255.255.255.255 outside
pdm location 66.151.30.11 255.255.255.255 outside
pdm location 172.24.0.0 255.255.0.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 75.11.85.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 152.1.58.124 source outside
ntp server 18.145.0.30 source outside
ntp server 128.174.5.58 source outside
http server enable
http 65.211.150.11 255.255.255.255 outside
http 12.134.8.41 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.10 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.10
no snmp-server location
no snmp-server contact
snmp-server community Lau695
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set RemoteVPN esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set RemoteVPN
crypto map VPNmap 10 ipsec-isakmp dynamic dynmap
crypto map VPNmap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup group address-pool ippool
vpngroup group dns-server 192.168.1.10 206.141.192.60
vpngroup group default-domain group.com
vpngroup group split-tunnel nonat
vpngroup group idle-time 1800
vpngroup group password ********
telnet timeout 5
ssh 66.151.30.11 255.255.255.255 outside
ssh 12.134.8.41 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80


I changed some of the password/domain name etc.
0
Question by:IT_Desktop_Support
15 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 24346482
You need to setup the Netopia in Bridge mode. You should be able to access its web page at http://192.168.1.254
Depending on the model, you have to enable bridge mode (system bridge) and disable the SPI firewall
0
 
LVL 1

Author Comment

by:IT_Desktop_Support
ID: 24346484
I believe the SP1 firewall is off on all the machines.  It's probably the bridge mode that I'll have to take a look at.

Any specifics on it that I might need to know?

Thanks.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 475 total points
ID: 24346485
Oops, too soon. You do not need to set the Netopia in bridge mode, but you have to make sure that the LAN IP address is set to the same IP as your default gateway (75.11.85.70), and the SPI firewall is turned off
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24346490
The SPI firewall is on the Netopia. Usually on by default.
What exact model Netopia?
0
 
LVL 1

Author Comment

by:IT_Desktop_Support
ID: 24346492
Netopia 3347-02

Also are you referring to the Netopia LAN IP or something else?


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24346499
You also need to make sure that NAT is disabled on the Netopia
This should be specific to your situation
http://www.netopia.com/support/hardware/technotes/CQG_042.html
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24346501
The IP Passthrough is the same as disabling SPI Firewall
http://www.netopia.com/support/hardware/technotes/CQG_022.html
0
 
LVL 1

Author Comment

by:IT_Desktop_Support
ID: 24346547
Great information!  I'll let you know how it goes
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24354074
How are you getting on? Any luck?
0
 
LVL 1

Author Comment

by:IT_Desktop_Support
ID: 24355875
Haven't had a chance to go back.  Going back today in the evening.
0
 
LVL 7

Assisted Solution

by:LANm0nk3y
LANm0nk3y earned 25 total points
ID: 24355966
route outside 0.0.0.0 0.0.0.0 75.11.85.70 <--- this is statically routing to 75.11.85.70 (the Netopia IP address).
As long as your new Netopia IP address is 75.11.85.70 255.255.255.248, then it should be pretty seamless.  Also turn off the NAT on the Netopia, otherwise you'd be double NATing.
0
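As an added example (not code from this thread, from Cisco or from Netopia), the following Python script parses the handful of PIX 6.x lines that matter here and applies the checks raised in lrmoore's accepted solution and in LANm0nk3y's comment: the next hop of `route outside 0.0.0.0 0.0.0.0 ...` must lie inside the outside interface's subnet, the DSL router's LAN IP must equal that next hop, and the router's NAT and SPI firewall should be off so the PIX is the only device translating. It also flags the management entries in the posted config that admit any outside host (`http 0.0.0.0 0.0.0.0 outside` and `ssh 0.0.0.0 0.0.0.0 outside`), which a defender reviewing this config would want restricted to the specific admin addresses already listed. The config excerpt is constructed from the one posted in the question, with the masked outside address 75.11.85.XX replaced by a made-up 75.11.85.66 in the same /29; the router settings passed to `check_upstream_settings` are assumed inputs you would read off the Netopia's web page.

```python
import ipaddress
import re

# Constructed excerpt modelled on the configuration posted in the question.
# The masked outside address 75.11.85.XX is replaced with a made-up host
# address (75.11.85.66) in the same /29 so the subnet arithmetic can run.
SAMPLE_PIX_CONFIG = """\
ip address outside 75.11.85.66 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 75.11.85.70 1
http server enable
http 65.211.150.11 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
"""

IP_ADDR_RE = re.compile(r"ip address (\S+) (\S+) (\S+)")
ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?")
MGMT_RE = re.compile(r"(http|ssh) (\S+) (\S+) (\S+)")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (.+)")


def parse_pix(config):
    """Pull interface addresses, static routes, http/ssh management entries
    and nat statements out of a PIX 6.x config; all other lines are ignored."""
    cfg = {"interfaces": {}, "routes": [], "mgmt": [], "nat": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := IP_ADDR_RE.fullmatch(line):
            cfg["interfaces"][m[1]] = {"ip": m[2], "mask": m[3]}
        elif m := ROUTE_RE.fullmatch(line):
            cfg["routes"].append({"intf": m[1], "dest": m[2], "mask": m[3], "gateway": m[4]})
        elif m := MGMT_RE.fullmatch(line):
            cfg["mgmt"].append({"proto": m[1], "ip": m[2], "mask": m[3], "intf": m[4]})
        elif m := NAT_RE.fullmatch(line):
            cfg["nat"].append({"intf": m[1], "id": m[2], "args": m[3]})
    return cfg


def default_route(cfg):
    """Return the 0.0.0.0/0 route, or None if the config has none."""
    for r in cfg["routes"]:
        if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0":
            return r
    return None


def check_default_route(cfg):
    """LANm0nk3y's point: the default route's next hop must be an address in
    the outside interface's subnet, or the PIX cannot reach its gateway at
    all. Returns (ok, explanation)."""
    outside = cfg["interfaces"].get("outside")
    route = default_route(cfg)
    if outside is None or route is None:
        return False, "no outside address or no default route configured"
    net = ipaddress.ip_network(f"{outside['ip']}/{outside['mask']}", strict=False)
    gw = ipaddress.ip_address(route["gateway"])
    if gw not in net:
        return False, f"default gateway {gw} is not in outside subnet {net}"
    return True, f"default gateway {gw} is in outside subnet {net}"


def check_upstream_settings(cfg, router_lan_ip, router_nat_on, router_spi_on):
    """lrmoore's accepted solution: the DSL router's LAN IP must equal the PIX
    default gateway, and its NAT and SPI firewall should be off so the PIX is
    the only device translating. The three router values are assumed inputs
    read off the router's web page. Returns a list of findings (empty = OK)."""
    findings = []
    route = default_route(cfg)
    if route and router_lan_ip != route["gateway"]:
        findings.append(f"router LAN IP {router_lan_ip} != PIX gateway {route['gateway']}")
    # nat id 0 is the NAT-exempt rule; any other id means the PIX translates.
    pix_translates = any(n["id"] != "0" for n in cfg["nat"])
    if router_nat_on and pix_translates:
        findings.append("double NAT: the PIX already translates inside hosts; disable NAT on the router")
    if router_spi_on:
        findings.append("router SPI firewall is on; use IP passthrough / disable SPI")
    return findings


def check_management_exposure(cfg):
    """Defender's check on the posted config: http/ssh entries matching
    '0.0.0.0 0.0.0.0 outside' admit any Internet host to the PIX management
    plane; they should be limited to the specific admin addresses listed."""
    return [
        f"{m['proto']} management open to any host on {m['intf']}"
        for m in cfg["mgmt"]
        if m["intf"] == "outside" and m["ip"] == "0.0.0.0" and m["mask"] == "0.0.0.0"
    ]


if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_PIX_CONFIG)
    print(check_default_route(cfg))
    for f in check_upstream_settings(cfg, "75.11.85.70", router_nat_on=True, router_spi_on=True):
        print("finding:", f)
    for f in check_management_exposure(cfg):
        print("finding:", f)
```

Run against the constructed excerpt, the route check passes (75.11.85.70 sits in 75.11.85.64/29), the upstream check reports the double-NAT and SPI findings whenever the router still has those enabled, and the exposure check lists both the `http` and the `ssh` any-host entries; paste your own running config into `SAMPLE_PIX_CONFIG` to check a real box.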
 
LVL 1

Author Comment

by:IT_Desktop_Support
ID: 24359773
Still having issues connecting outside :(
0
 
LVL 1

Author Comment

by:IT_Desktop_Support
ID: 24359778
Nevermind.  I was too impatient and it's working!

Thanks so much!
0
 
LVL 7

Expert Comment

by:LANm0nk3y
ID: 24359782
Glad to hear. Hooray
0
 
LVL 1

Author Closing Comment

by:IT_Desktop_Support
ID: 31579843
Thanks lrmoore and LANm0nk3y for the help!  lrmoore pretty much nailed it on the spot, but I gave LANm0nk3y some points for giving a tad bit more detail on the route outside.
0
