pamiken
asked on
Configure Cisco Pix 515 as a router
Does someone know how to configure a Cisco pix 515 running firmware 6.3 as a router???
Basically, I got Wan address and a 16 block lan address from my ISP. The 16 block lan address needs to be accessible from the internet.
thansk
Basically, I got Wan address and a 16 block lan address from my ISP. The 16 block lan address needs to be accessible from the internet.
thansk
Quori
Out of curiosity, does that 'LAN' address start with 10, 192 or 172?
ASKER
No, the "lan" address is not from the private subnets. They are internet addressable. My WAN address they gave was a 216.x.x.x and the "lan" is 64.x.x.x.
Basically, the ISP says that I need to router to use the lan 16 block.
This is something new to me as we just purchased business ethernet which I guess is the newest ISP technology. Whenever I purchased T1's or DSL, the ISP usually gave me a 16 block and I use one of the "lan" addresses on my firewall. I guess with business ethernet, they take it one step back and require the customer to have a router. I was just hoping my spare pix could do it without me buying a router.
Basically, the ISP says that I need to router to use the lan 16 block.
This is something new to me as we just purchased business ethernet which I guess is the newest ISP technology. Whenever I purchased T1's or DSL, the ISP usually gave me a 16 block and I use one of the "lan" addresses on my firewall. I guess with business ethernet, they take it one step back and require the customer to have a router. I was just hoping my spare pix could do it without me buying a router.
Which means they would be wanting to run a routing protocol with their PE and your CPE?
If not, then chances are they just have the range routed via next-hop to your WAN IP and you can set it up as you have in the past.
If not, then chances are they just have the range routed via next-hop to your WAN IP and you can set it up as you have in the past.
ASKER
Correct, you want to run routing protocol on our cpe. Do you know how to configure the pix to perform routing functions??? I'm pretty sure it's doable, I just don't know the commands, whether to use ospf, rip, eigrp or multicast.
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1129432
Or I can provide you a config a bit later.
Or I can provide you a config a bit later.
ASKER
Here's the email I got from my ISP. I've changed the ips for security
Customer Gateway: 216.1.1.1
Useable Range: 216.1.1.2 - 216.1.1.14
Customer Subnet Mask: 255.255.255.240
Primary DNS Server: 3.3.3.3
Secondary DNS Server: 4.4.4.4
Keep in mind that a direct connection to the Hatteras from a computer requires a cross over ethernet cable. Remember you will need to use your own router. Please use the following IPs on the "LAN" side of your router.
WAN Subnet Mask: 255.255.255.252
Network Side: 65.1.1.1
Customer Side: 65.1.1.2
Primary DNS Server: 3.3.3.3
Secondary DNS Server: 4.4.4.4
This is what I have configured on the Pix
I have 65.1.1.2 on the external interface of the pix and 216.1.1.1 on the internal interface of the pix.
Is the only command I need
route outside 0 0 65.1.1.2 1
Customer Gateway: 216.1.1.1
Useable Range: 216.1.1.2 - 216.1.1.14
Customer Subnet Mask: 255.255.255.240
Primary DNS Server: 3.3.3.3
Secondary DNS Server: 4.4.4.4
Keep in mind that a direct connection to the Hatteras from a computer requires a cross over ethernet cable. Remember you will need to use your own router. Please use the following IPs on the "LAN" side of your router.
WAN Subnet Mask: 255.255.255.252
Network Side: 65.1.1.1
Customer Side: 65.1.1.2
Primary DNS Server: 3.3.3.3
Secondary DNS Server: 4.4.4.4
This is what I have configured on the Pix
I have 65.1.1.2 on the external interface of the pix and 216.1.1.1 on the internal interface of the pix.
Is the only command I need
route outside 0 0 65.1.1.2 1
That would be creating a default route for internet transit.
The email from the ISP doesn't cover our the 216 range is going to be advertised. From what you say, they are wanting you to run a routing protocol to advertise the range yourself. If it is routed for you in the ISP routing tables then you simply need a default route towards the ISP (though, you'd need to change it to 65.1.1.1 to specify the ISP end of the link as the next hop).
The PIX will automatically perform routing for its connected interfaces. Anything else you need it to route, it needs routes to (be it static or dynamic).
Be sure to exclude your 216 range from any NAT you have going on.
The email from the ISP doesn't cover our the 216 range is going to be advertised. From what you say, they are wanting you to run a routing protocol to advertise the range yourself. If it is routed for you in the ISP routing tables then you simply need a default route towards the ISP (though, you'd need to change it to 65.1.1.1 to specify the ISP end of the link as the next hop).
The PIX will automatically perform routing for its connected interfaces. Anything else you need it to route, it needs routes to (be it static or dynamic).
Be sure to exclude your 216 range from any NAT you have going on.
ASKER
Then do I use the command
route outside 0 0 65.1.1.2.1
then to eliminate nat, my default config has nat (inside) 0.0.0.0 0.0.0.0 0 0
should I just "no" that command out???
thanks
route outside 0 0 65.1.1.2.1
then to eliminate nat, my default config has nat (inside) 0.0.0.0 0.0.0.0 0 0
should I just "no" that command out???
thanks
ASKER
I think what will help the most is if you could provide is a config. Thanks for all your help.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.