Abi_003
asked on
PIX515e and New E10 Internet Pipe
We currently have two T1 (load balanced) connections coming in to our PIX firewall and we are planning to upgrade the internet pipe to fiber E10. Our provider told us that we can keep the same IP range and stuff for the new line since it is the same carrier. My question is: Do I have to make any changes to the PIX firewall in order to make this new connection work, or is it just a matter of unplugging the old WAN cable from the T1 to the PIX and plugging in the new E10 cable? My whole concern is whether I have to make any kind of network changes or additional configuration to my PIX firewall. Please advise.
Be aware, the PIX only does 10/100 on the interfaces. If all IPs remain unchanged after the swap, then just unplug one cable and plug in the other.
ASKER
E10 is 10 Mbps so we should be good then... The PIX will automatically pick up the new bandwidth?
ASKER
MinoDC: The T1 cable goes to a regular Linksys hub, then from the hub it goes to the PIX firewall.
The T1 cable is not Ethernet; you need a CSU/DSU on a router with another Ethernet port to properly route a T1 line... There must be a router or an ISP modem or something that routes out to the telco... Are you using Metro E by any chance?
ASKER
The T1 line is coming in to a Cisco router which was provided by the ISP. From the router there is a CAT5 cable going into the Linksys hub, then from the hub it goes to the PIX firewall network interface.
Then as long as the IPs delivered through the router change... then just make sure you haven't hard coded speed on the interface that shouldn't be there (i.e. duplex rate). Other than that, you shouldn't have to change anything.
ASKER
Do you know where I can check that in Cisco ASDM?
Sorry about the bad English on my last post... As long as the IPs in the router DON'T change, then you are OK.
Check any interface settings in the ASDM in CONFIGURATION->INTERFACES and EDIT the outside interface. Click on the Config hardware properties button to see the settings.
ASKER
OK.. this is what I see on the 'outside' interface properties:
Hardware Port: ethernet0
Media Type: RJ45
Duplex: Auto
Speed: Auto
Then it should work fine. You can probably tweak performance a bit by hard coding the FULL Duplex entry in the interface. But that's optional.
Based on what you wrote in your question, and what you wrote in the answers, you need not make any changes or configure anything on your PIX.
ASKER
Thanks for your responses, guys.. I'll try this next week.. Hopefully things will be as smooth as I think (a matter of unplugging the old T1 cable and plugging in the new E10 cable) and call it a day.. Let's see..
ASKER
Another quick question: do I have to shut down the PIX in order to do this change, or can I do this on the fly... for example, while the PIX is on, unplug the old T1 cable and plug in the new E10 cable... Please advise..
ASKER
Any info on this?
Sorry about the delay.
You can safely plug and unplug any network connection on the appliance.... So long as there is no change in IPs as stated, the port should come up in 30 seconds or so.... Worst case is that you may have to clear out the ARP ("CLEAR ARP") so that it finds the new router's MAC....
ASKER
OK.. thanks.. We will have the same IPs, but in addition we will receive more static IPs from our ISP for our web servers... If this is the case, what should I do...
Is your IP's subnet mask changing? If so, then you have to adjust the mask on the outside interface. If you are getting just a random block of addresses, different from your current IPs, then there is nothing to do. You can just start assigning them to Statics and/or pools...
ASKER
I just received an email from our ISP saying that we are receiving a secondary IP block which is separate from our existing one (the existing one is 216.x.x.x/26 and the secondary one is 74.x.x.x/27). Now they want me to add this secondary block into my PIX firewall... How do I do this?
ASKER
I am not certain whether my firewall (PIX-515E) supports secondary IP blocks... Can you please tell me if my firewall can support this... or what is the best option to go with...
With regards to the Cisco 1811 router that my ISP will provide for this service, the secondary block can be configured as:
SECONDARY
interface FastEthernet0
 ip address 216.x.x.x 255.255.255.192
 ip address 74.x.x.x 255.255.255.224 secondary
OR
DEFAULT ROUTE
ip route 74.x.x.x 255.255.255.224 (FIREWALL IP?????)
ASKER
Which one should I choose to match my case? Please help.
ASKER
Any update on this, please?
ASKER
MikeKane: Any update on this, please?
ASKER CERTIFIED SOLUTION
So if we were to assume that this network topology exists, you have no need to change anything.