Cisco Pix add internet connection

Posted on 2010-09-24
Last Modified: 2012-08-13
I just got Verizon FIOS internet and have tested it with a laptop plugged directly into the FIOS box.  Now I am trying to add the connection to our Cisco PIX firewall.

Currently our Cisco PIX has 4 cards in it.  Outside (our T1), Inside (our network), DMZ, and I just renamed the 4th to FIOS.  I am adding FIOS to our network and would like to just direct internet traffic out on it.  For now everything else needs to stay on Outside (Our T1) for VPNs, DMZ website, etc.  I edited the configuration for what I thought would make it work.  I tried first with a straight network cable then with a crossover and neither worked when I removed

route outside {T1 Static 5, gateway?} 1

and added

route outside {T1 Static 5, gateway?} 1
route fios {fios gateway} 1

My connection was dead after making that route change.  I kept trying to ping (Google DNS) to see if it was working and it never hit.  Below is my config.  Any advice on what I am doing wrong or how I should be doing this?  Boldfacing statement changes would be a big help.  Thanks.

PIX Version 4.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
nameif ethernet3 fios security0
enable password ----------------- encrypted
passwd -------------------- encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
no failover
failover timeout 0:00:00
failover ip address outside
failover ip address inside
failover ip address DMZ1
failover ip address fios
pager lines 24
no logging console
logging monitor warnings
no logging buffered
no logging trap
logging facility 20
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 100basetx         (tried auto also)
ip address outside (T1 Static 1)
ip address inside
ip address DMZ1 {DMZ IP}
ip address fios {FIOS Static 1}
arp timeout 14400
global (outside) 1 {T1 Static 2}-{T1 Static 2} netmask
global (fios) 1 {FIOS Static 1}-{FIOS Static 1} netmask
nat (inside) 10 0 0
nat (inside) 10 0 0
nat (inside) 1 0 0
static (inside,outside) {T1 Static 3} netmask 0 0
static (inside,DMZ1) netmask 0 0
static (DMZ1,outside) {T1 Static 4} {DMZ IP} netmask 0 0
static (inside,DMZ1) netmask 0 0
----------------------conduit permit statements------------------------------
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip DMZ1 passive
no rip DMZ1 default
no rip fios passive
no rip fios default
route outside {T1 Static 5, gateway?} 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 15
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu fios 1500
floodguard 1
Question by: abcbev
Expert Comment

ID: 33756381
Are you sure the connection is up and running? I'd verify that first. Enter a route for to go out fios and then try to ping. Does the ping work? This will keep your network up while you troubleshoot at least.

route fios {fios gateway} 1

From the firewall to another appliance, you generally go crossover, but nowadays they generally autosense anyway and adjust accordingly.

If you perform the above and you can't ping, then the problem is elsewhere. If you do a "show interface" do you see the fios as "up up"? Can you ping the fios gateway address (the one you'd use in your route statement above)? If you do a "show arp" do you see the MAC -> IP of the gateway in your ARP table?

Author Comment

ID: 33757030
I did as you mentioned...

#1 - If I plug my laptop into the FIOS box and input the IPs, I can go online, do a speed test, whatismyip.com and it all works correctly.  

#2 - Using my T1 connection I can not ping the FIOS gateway they gave me nor the PIX address I'm setting {FIOS IP X.X.X.11}

#3 - I do see the fios gateway address in my arp table when I do "show arp" but I also see another entry with a different number and I've never inputted that number anywhere. That's odd.

Below is SH INTERFACE and it is UP UP.

do I need any STATIC statements to do this?

pixfirewall# sh interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82557 ethernet, address is 0090.272f.d63e
  IP address {T1 pix IP}, subnet mask
  MTU 1500 bytes, BW 100000 Kbit full duplex
        250994307 packets input, 1045763707 bytes, 0 no buffer
        Received 332451 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        187220980 packets output, 2973283281 bytes, 0 underruns
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82557 ethernet, address is 0090.272f.d36e
  IP address, subnet mask
  MTU 1500 bytes, BW 10000 Kbit half duplex
        236562807 packets input, 3096992540 bytes, 0 no buffer
        Received 47789645 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        250414434 packets output, 949240226 bytes, 0 underruns
interface ethernet2 "DMZ1" is up, line protocol is up
  Hardware is i82557 ethernet, address is 0090.272f.d373
  IP address {DMZ IP}, subnet mask
  MTU 1500 bytes, BW 100000 Kbit full duplex
        11686567 packets input, 3930429385 bytes, 0 no buffer
        Received 58033 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        10889489 packets output, 4001435575 bytes, 0 underruns
interface ethernet3 "fios" is up, line protocol is up
  Hardware is i82557 ethernet, address is 0090.272f.d3f4
  IP address {FIOS IP with ending number}.11, subnet mask
  MTU 1500 bytes, BW 100000 Kbit half duplex
        1495 packets input, 90764 bytes, 0 no buffer
        Received 1368 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        29 packets output, 1856 bytes, 0 underruns

Accepted Solution

guitar7man earned 2000 total points
ID: 33757216
You shouldn't need a static, but you're kinda overlapping here:

global (outside) 1 {T1 Static 2}-{T1 Static 2} netmask
global (fios) 1 {FIOS Static 1}-{FIOS Static 1} netmask
nat (inside) 1 0 0

That should be fine, assuming the proper routing is in place I would imagine, but I've never done it that way.

Not sure what these are trying to do:

nat (inside) 10 0 0
nat (inside) 10 0 0

So - I'm going to assume a couple things here. The connection to FIOS from the fios interface is connected to a FIOS appliance and the connection to the outside interface is via a route of some kind (ADSL, Cable, Cisco, etc).

The real issue with the firewall is the unknown. Meaning, the Internet. You cannot source route on this firewall. Meaning, you can't make routing decisions based on the source IP address (that's what a router is for) - it has to be based on the destination IP address in the firewall. What's gonna get you, is that you want to use one interface for your local Internet browsing, and leave the old one for hosting your website/VPNs/etc. For your website traffic, where does it send that return traffic? Well, according to the default route (which you'd need for browsing the Internet from your internal network) - back the FIOS interface. It would use the default route because you can't specify the Internet as a whole any other way. At which time, it would break state and the connection would break.

Anyway, if you're hosting a website, that needs to stay on your default route because that's where return traffic is going to go. It's the Internet. It's the unknown.

If you can connect your two ISPs on a router in front of the firewall (where it really should be to be honest), then you have FAR more control on what goes where.
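The accepted answer's argument (destination-only routing plus a stateful connection table means the hosted website's return traffic follows the default route, not the interface the request arrived on) can be walked through with a small simulation. This is an added illustration, not code from the thread or from Cisco; it models a longest-prefix-match route table and a simplified conn table, ignores NAT, and uses constructed RFC 5737 documentation addresses and made-up interface names in place of the poster's real ones.

```python
"""Toy model of destination-based routing on a stateful firewall.

Constructed example: the routes, addresses and interface names below are
assumptions for illustration only, not the poster's real configuration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


def lookup(routes, dst):
    """Longest-prefix match on the DESTINATION address only.

    The source address plays no part, which is the limitation described in
    the accepted answer: the firewall cannot pick an egress per source.
    """
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).iface


class StatefulFirewall:
    """Remembers the ingress/egress interfaces of each flow and drops replies
    that would leave by a different interface than the request came in on
    (a simplified stand-in for the PIX connection table)."""

    def __init__(self, routes):
        self.routes = routes
        self.conns = {}  # (src, sport, dst, dport) -> (ingress, egress)

    def forward(self, src, sport, dst, dport, in_iface):
        egress = lookup(self.routes, dst)
        reply_key = (dst, dport, src, sport)
        if reply_key in self.conns:
            orig_in, orig_out = self.conns[reply_key]
            if in_iface != orig_out or egress != orig_in:
                return "DROP: asymmetric, breaks state"
            return f"FORWARD via {egress}"
        # First packet of a new flow: record which interfaces it used.
        self.conns[(src, sport, dst, dport)] = (in_iface, egress)
        return f"FORWARD via {egress}"


def build_routes(default_iface):
    """Connected networks plus a single default route (constructed values)."""
    return [
        Route(ipaddress.ip_network("10.0.0.0/8"), "inside"),
        Route(ipaddress.ip_network("198.51.100.0/29"), "outside"),  # T1 block
        Route(ipaddress.ip_network("192.0.2.0/29"), "fios"),        # FIOS block
        Route(ipaddress.ip_network("0.0.0.0/0"), default_iface),
    ]


def simulate(default_iface):
    """Run the two flows the thread cares about with the default route on
    the given interface and report what happens to each."""
    fw = StatefulFirewall(build_routes(default_iface))
    web_server, lan_host, internet_client = "10.0.0.5", "10.0.0.20", "203.0.113.10"

    # 1) Outbound browsing from the LAN: both directions follow the default
    #    route, so this works whichever interface the default points at.
    fw.forward(lan_host, 50000, internet_client, 443, in_iface="inside")
    browsing_egress = lookup(fw.routes, internet_client)
    browsing_reply = fw.forward(internet_client, 443, lan_host, 50000,
                                in_iface=browsing_egress)

    # 2) Inbound hit on the website published on the T1 ("outside").
    #    The reply is routed by DESTINATION, an arbitrary Internet address,
    #    so it follows the default route regardless of where the request entered.
    fw.forward(internet_client, 40000, web_server, 80, in_iface="outside")
    website_reply = fw.forward(web_server, 80, internet_client, 40000,
                               in_iface="inside")

    return {"browsing_egress": browsing_egress,
            "browsing_reply": browsing_reply,
            "website_reply": website_reply}


if __name__ == "__main__":
    for d in ("outside", "fios"):
        print(f"default route via {d}: {simulate(d)}")
```

With the default route on "outside" the website works but all browsing also leaves over the T1; moving the default to "fios" sends browsing out FIOS but the website's reply now exits a different interface than the request entered, and the conn-table check drops it. The model has no way to express "browsing via fios, hosting via outside" because the only input to the egress decision is the destination, which is the answer's point about needing a router in front of the firewall.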

Author Comment

ID: 33769122
So much of the configuration is old from previous administrators.  After speaking to our Cisco contractor, he made mention that our model and firmware version can't handle two global connections.

Author Comment

ID: 34313649
The firmware version is too old to handle multiple ISPs.
