Solved

Cisco Pix add internet connection

Posted on 2010-09-24
542 Views
Last Modified: 2012-08-13
I just got Verizon FIOS internet and have tested it with a laptop plugged directly into the FIOS box.  Now I am trying to add the connection to our Cisco PIX firewall.

Currently our Cisco PIX has 4 cards in it.  Outside (our T1), Inside (our network), DMZ, and I just renamed the 4th to FIOS.  I am adding FIOS to our network and would like to just direct internet traffic out on it.  For now everything else needs to stay on Outside (Our T1) for VPNs, DMZ website, etc.  I edited the configuration for what I thought would make it work.  I tried first with a straight network cable then with a crossover and neither worked when I removed

route outside 0.0.0.0 0.0.0.0 {T1 Static 5, gateway?} 1

and added

route outside 10.180.0.0 0.0.0.0 {T1 Static 5, gateway?} 1
route fios 0.0.0.0 0.0.0.0 {fios gateway} 1


My connection was dead after making that route change.  I kept trying to ping 8.8.8.8 (Google DNS) to see if it was working and it never hit.  Below is my config.  Any advice on what I am doing wrong or how I should be doing this?  Boldfacing statement changes would be a big help.  Thanks.

PIX Version 4.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
nameif ethernet3 fios security0
enable password ----------------- encrypted
passwd -------------------- encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address fios 0.0.0.0
pager lines 24
no logging console
logging monitor warnings
no logging buffered
no logging trap
logging facility 20
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 100basetx         (tried auto also)
ip address outside (T1 Static 1) 255.255.255.240
ip address inside 10.180.1.9 255.255.0.0
ip address DMZ1 {DMZ IP} 255.255.255.0
ip address fios {FIOS Static 1} 255.255.255.0
arp timeout 14400
global (outside) 1 {T1 Static 2}-{T1 Static 2} netmask 255.255.255.240
global (fios) 1 {FIOS Static 1}-{FIOS Static 1} netmask 255.255.255.0
nat (inside) 10 255.255.0.0 255.255.0.0 0 0
nat (inside) 10 255.255.255.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) {T1 Static 3} 10.180.1.10 netmask 255.255.255.255 0 0
static (inside,DMZ1) 10.180.1.0 10.180.1.0 netmask 255.255.255.0 0 0
static (DMZ1,outside) {T1 Static 4} {DMZ IP} netmask 255.255.255.255 0 0
static (inside,DMZ1) 10.180.0.0 10.180.0.0 netmask 255.255.0.0 0 0
----------------------conduit permit statements------------------------------
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip DMZ1 passive
no rip DMZ1 default
no rip fios passive
no rip fios default
route outside 0.0.0.0 0.0.0.0 {T1 Static 5, gateway?} 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 10.180.1.75 255.255.255.255
telnet 10.180.1.0 255.255.255.0
telnet 10.180.0.0 255.255.0.0
telnet timeout 15
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu fios 1500
floodguard 1
Cryptochecksum:---------------------------------
pixfirewall#

Expert Comment

by:guitar7man
Are you sure the connection is up and running? I'd verify that first. Enter a route for 4.2.2.2 to go out fios and then try to ping 4.2.2.2. Does the ping work? This will keep your network up while you troubleshoot at least.

route fios 4.2.2.2 255.255.255.255 {fios gateway} 1

From the firewall to another appliance, you generally go crossover, but nowadays they generally autosense anyway and adjust accordingly.

If you perform the above and you can't ping, then the problem is elsewhere. If you do a "show interface" do you see the fios as "up up"? Can you ping the fios gateway address (the one you'd use in your route statement above)? If you do a "show arp" do you see the MAC -> IP of the gateway in your ARP table?

Author Comment

by:abcbev
I did as you mentioned...

#1 - If I plug my laptop into the FIOS box and input the IPs, I can go online, do a speed test, whatismyip.com and it all works correctly.  

#2 - Using my T1 connection I cannot ping the FIOS gateway they gave me nor the PIX address I'm setting {FIOS IP X.X.X.11}

#3 - I do see the fios gateway address in my arp table when I do "show arp" but I also see another entry with a different number and I've never input that number anywhere.  That's odd.

Below is "sh interface" and it is up, up.


Do I need any STATIC statements to do this?


pixfirewall# sh interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82557 ethernet, address is 0090.272f.d63e
  IP address {T1 pix IP}, subnet mask 255.255.255.240
  MTU 1500 bytes, BW 100000 Kbit full duplex
        250994307 packets input, 1045763707 bytes, 0 no buffer
        Received 332451 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        187220980 packets output, 2973283281 bytes, 0 underruns
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82557 ethernet, address is 0090.272f.d36e
  IP address 10.180.1.9, subnet mask 255.255.0.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        236562807 packets input, 3096992540 bytes, 0 no buffer
        Received 47789645 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        250414434 packets output, 949240226 bytes, 0 underruns
interface ethernet2 "DMZ1" is up, line protocol is up
  Hardware is i82557 ethernet, address is 0090.272f.d373
  IP address {DMZ IP}, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        11686567 packets input, 3930429385 bytes, 0 no buffer
        Received 58033 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        10889489 packets output, 4001435575 bytes, 0 underruns
interface ethernet3 "fios" is up, line protocol is up
  Hardware is i82557 ethernet, address is 0090.272f.d3f4
  IP address {FIOS IP}.11, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit half duplex
        1495 packets input, 90764 bytes, 0 no buffer
        Received 1368 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        29 packets output, 1856 bytes, 0 underruns
pixfirewall#

Accepted Solution

by:guitar7man (earned 500 total points)
You shouldn't need a static, but you're kind of overlapping here:

global (outside) 1 {T1 Static 2}-{T1 Static 2} netmask 255.255.255.240
global (fios) 1 {FIOS Static 1}-{FIOS Static 1} netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

That should be fine, assuming the proper routing is in place I would imagine, but I've never done it that way.

Not sure what these are trying to do:

nat (inside) 10 255.255.0.0 255.255.0.0 0 0
nat (inside) 10 255.255.255.0 255.255.255.0 0 0

So - I'm going to assume a couple things here. The connection to FIOS from the fios interface is connected to a FIOS appliance and the connection to the outside interface is via a router of some kind (ADSL, Cable, Cisco, etc).

The real issue with the firewall is the unknown. Meaning, the Internet. You cannot source route on this firewall. Meaning, you can't make routing decisions based on the source IP address (that's what a router is for) - it has to be based on the destination IP address in the firewall. What's gonna get you is that you want to use one interface for your local Internet browsing, and leave the old one for hosting your website/VPNs/etc. For your website traffic, where does it send that return traffic? Well, according to the default route (which you'd need for browsing the Internet from your internal network) - back the FIOS interface. It would use the default route because you can't specify the Internet as a whole any other way. At which time, it would break state and the connection would break.

Anyway, if you're hosting a website, that needs to stay on your default route because that's where return traffic is going to go. It's the Internet. It's the unknown.

If you can connect your two ISPs on a router in front of the firewall (where it really should be to be honest), then you have FAR more control on what goes where.
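
As an added example that is not part of the original thread or of any Cisco code, the following Python script models the two behaviours guitar7man's replies rely on: the host-route probe from the first reply (a /32 to 4.2.2.2 sent out fios while the default route stays on the T1) and the accepted answer's point that a destination-only routing table sends the hosted site's replies out whichever link holds the default route, so the reply leaves on a different interface than the request arrived on and the stateful check drops it. Interface names follow the posted config; the DMZ, T1 and FIOS address blocks, the Internet client 192.0.2.50 and the LAN host 10.180.1.20 are made up (RFC 5737 test ranges on the public side), and NAT, conduits and the PIX's own command syntax are left out.

```python
"""Model of a destination-routed, stateful firewall with two ISP links.

Added example for this thread, not Cisco code and not the poster's config.
It implements only two rules: routes are chosen by destination address
(longest prefix wins, the source is never consulted), and a reply must
arrive on the interface its request left on and leave on the interface
the request came in on. All addresses below are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


class StatefulFirewall:
    def __init__(self) -> None:
        self.routes: list[Route] = []
        # flow key (client, server) -> (interface request arrived on, interface it left on)
        self.state: dict[tuple[str, str], tuple[str, str]] = {}

    def add_route(self, prefix: str, iface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), iface))

    def lookup(self, dst: str) -> Optional[Route]:
        """Destination-only longest-prefix match; the source address plays no part."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def request(self, client: str, server: str, ingress: str) -> str:
        """First packet of a flow. Returns the egress interface or a DROP reason."""
        route = self.lookup(server)
        if route is None:
            return "DROP: no route"
        self.state[(client, server)] = (ingress, route.iface)
        return route.iface

    def reply(self, server: str, client: str, ingress: str) -> str:
        """Server's answer: must arrive where the request left and leave where it entered."""
        flow = self.state.get((client, server))
        if flow is None:
            return "DROP: no state"
        came_in, went_out = flow
        if ingress != went_out:
            return f"DROP: reply arrived on {ingress}, expected {went_out}"
        route = self.lookup(client)
        if route is None or route.iface != came_in:
            chosen = route.iface if route else "none"
            return f"DROP: asymmetric (request came in {came_in}, reply would leave {chosen})"
        return route.iface


def build(default_iface: str) -> StatefulFirewall:
    """Connected networks in the thread's layout plus one default route."""
    fw = StatefulFirewall()
    fw.add_route("10.180.0.0/16", "inside")      # LAN, as in the posted config
    fw.add_route("172.16.5.0/24", "DMZ1")        # DMZ block, made up
    fw.add_route("198.51.100.0/28", "outside")   # T1 /28, made up
    fw.add_route("203.0.113.0/24", "fios")       # FIOS /24, made up
    fw.add_route("0.0.0.0/0", default_iface)     # the one route that decides "the Internet"
    return fw


CLIENT, WEB, LAN_PC = "192.0.2.50", "172.16.5.10", "10.180.1.20"   # made up


def hosted_site(default_iface: str) -> tuple[str, str]:
    """Internet client hits the DMZ web server; returns (request egress, reply egress)."""
    fw = build(default_iface)
    out = fw.request(CLIENT, WEB, ingress="outside")   # inbound always arrives on the T1
    back = fw.reply(WEB, CLIENT, ingress="DMZ1")
    return out, back


def browsing(default_iface: str) -> tuple[str, str]:
    """LAN host fetches 8.8.8.8; returns (request egress, reply egress)."""
    fw = build(default_iface)
    out = fw.request(LAN_PC, "8.8.8.8", ingress="inside")
    back = fw.reply("8.8.8.8", LAN_PC, ingress=out)
    return out, back


def host_route_probe() -> tuple[str, str]:
    """The first reply's test: only 4.2.2.2/32 goes out fios, everything else stays on the T1."""
    fw = build("outside")
    fw.add_route("4.2.2.2/32", "fios")
    return fw.lookup("4.2.2.2").iface, fw.lookup("8.8.8.8").iface


if __name__ == "__main__":
    print("default via outside, hosted site:", hosted_site("outside"))
    print("default via fios,    hosted site:", hosted_site("fios"))
    print("default via fios,    browsing:   ", browsing("fios"))
    print("host-route probe (4.2.2.2, 8.8.8.8):", host_route_probe())
```

With the default route on outside the hosted site works and browsing goes out the T1; moving the default to fios makes browsing leave via fios but the web server's reply is dropped as asymmetric, which is the failure the accepted answer describes. The /32 probe shows how to test the FIOS link without touching the default route.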

Author Comment

by:abcbev
So much of the configuration is old from previous administrators.  After speaking to our Cisco contractor, he made mention that our model and firmware version can't handle two global connections.

Author Comment

by:abcbev
The firmware version is too old to handle multiple ISPs.