
Setting up a Cisco router and a PIX

Greetings all:

I was trying to set up a PIX-to-PIX VPN using two Cisco PIXs when I realized... I don't know how to set up the router and the PIX at my house. Here's the scenario:

Outside world comes into my cable modem --> cable modem to the Cisco 1760 router --> Cisco 1760 router to the PIX 501 --> PIX 501 to the switch that everyone's computer connects to.

Now I set my PIX up by myself as it sits and everything works fine, but I want to add the router to the equation so I can create separate networks between the router and the PIX. I looked up a sample config on Cisco's web site but it's obvious that I'm missing something. I've attached both configs and was wondering if someone out there could tell me where I went wrong. Thanks a bunch. Attachments: Cisco-PIX-501-Configuration.txt Cisco-Router-1760-Configuration.txt
greg ward commented:
Why would you want the Cisco 1760 to sit outside of the NAT?

Greg
Ernie Beek commented:
Same question as deepdraw: why the router?

I assume you only have one public address to use. So if you want to create separate networks, why not put the PIX in between them and create DMZs?
Music_Man608 (Author) commented:
Isn't that how it should be? If I'm wrong please correct me. Thanks.
Ernie Beek commented:
Not really (in this setup).

I have a cable modem over here with an ASA behind it. The modem is in bridged mode so the ASA gets the public address through DHCP (or if you have a static public, set it manually).
My ASA is set up for an internal network (secure) and a DMZ (less secure) for some servers. I can let them interact, but they are still separated. No need for an extra router.

But tell me, what did you have in mind by trying to add an extra router? For what do you want to use the extra network(s)? Do elaborate and let's see if we can set that up with just the PIX.

Music_Man608 (Author) commented:
I actually have this configuration at work and I wanted to try to duplicate it at home. Mostly for practice, but once I get that running, I'll move on to the VPN. Did you see the files I sent?
Ernie Beek commented:
I did, but the question remains: do you only have one public IP? How does that work with your cable modem, is it given through DHCP or do you define it statically?

I assume at work there's a router, then the firewall but no modem. Am I correct in assuming that?
greg ward commented:
With the configuration you have there is double NAT.
If we knew what you are trying to do we might be able to provide some insight.

If you want to learn Cisco I would advise you install CME on the Cisco router and buy yourself a 7940 and get a SIP trunk. Great way to learn voice and get cheap calls.

Greg
Ernie Beek commented:
Or have a look at GNS3: http://www.gns3.net/
Music_Man608 (Author) commented:
I'm sorry, got sidetracked. Yes, I have one public static IP address from my ISP and the cable modem is in bridge mode, so right now the PIX has the static IP address. Not really looking to do voice right now. As it stands I just want to make the router first (after the cable modem), then the PIX. All of the workstations on the network would point at the inside interface of the PIX as their default gateway. Am I leaving anything out? This would be step one. After I get the computers on the network talking to the Internet using this config, I'll move on to step 2. I have actually done this before and I'm kicking myself because I can't remember how I set it up.
greg ward commented:

NAT half configured on router

interface Ethernet0/0
 bandwidth 10000000
 ip address 24.154.99.20 255.255.255.0
 ip nat outside
 half-duplex
!
interface FastEthernet0/0
 ip address 10.42.42.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex

to finish it.
! list 1 must exist, or the translation never matches any traffic
access-list 1 permit 10.42.42.0 0.0.0.255
! IOS interface name is Ethernet0/0 (the outside interface above), not eth0
ip nat inside source list 1 interface Ethernet0/0 overload

Greg
Ernie Beek commented:
@deepdraw: the modem is in bridge mode, so the outside of the router needs to be a DHCP client...

Have a look at: http://www.cisco.com/en/US/tech/tk86/tk89/technologies_configuration_example09186a0080094be1.shtml
And see if that helps.
Music_Man608 (Author) commented:
Just out of curiosity, why would I want to set the interface up to use DHCP when I have a public static IP address? Just wondering...
Ernie Beek commented:
Ehr, misread? Normally when a modem is bridging and it has only one address, that is acquired through DHCP.
At least, that's how it works over here...

Well, how was your PIX set up on the outside before you put in the router?
Music_Man608 (Author) commented:
I added the NAT statement; it still didn't work. I can ping from the PIX to both interfaces on the router, but I can only ping the outside interface of the PIX from the router, if that helps. I can however ping the directly connected interface. Thanks again for your help... sorry to be a pest.
greg ward commented:
I'm not hot on PIX.
Why do you expect to be able to ping the inside IP of a PIX?
Surely this is supposed to be secure and blocking access to the inside interface from the internet.
Does it allow devices on the inside access to the internet?

1760                        1760                         pix
Static ip                   Nat                          Nat * 2?
24.154.99.20 >> 10.42.42.0/24  >>  192.168.35.0

ip address outside 10.42.42.2 255.255.255.0
ip address inside 192.168.35.1 255.255.255.0
global (outside) 1 10.42.42.200-10.42.42.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0  <- I don't get this

As far as I know you can only NAT once.

So can we confirm the Cisco router 1760 is connected to the internet and working?
i.e. can it ping 4.2.2.1?
If this was configured the other way round everyone would be protected by the PIX:
the PIX would be able to ping the 1760 and the 1760 would be able to ping the PIX.

Please tell me what feature you want with this configuration.

Did you answer this question from erniebeek?

I assume at work there's a router, then the firewall but no modem. Am I correct in assuming that?

If there is no modem at work, then the router has been bridged and the isa would have the static IP passed to it, I think.

Greg
Music_Man608 (Author) commented:
Hello again all:

Yes, there is a router at work, then the PIX. I also have a DSL modem at work that plugs into the PIX as well. At work I have a PIX 520 which accepts up to six interfaces. However, at home I'm actually setting up labs to have several networks so I can tinker with them; that's mostly why I'm doing this. Believe it or not, I actually do this for a living but I'm so rusty at it. At my job my focus is usually on other things, but the time is coming soon where I'm going to have to be able to choose the best solution and set it up. As it stands, the router will work if I turn it on. As for the PIX, I have the original config on it right now, which is why I can get out to the internet. When you wonderful people respond to me, I take your info and copy it to a file. I then switch everything around to include the router and I try applying the new answer and tinkering a bit to see if I can get it working. So far it has not. As for the nat (inside) 1 0.0.0.0 0.0.0.0 0 0 statement, I thought that was a NAT statement simply allowing addresses to flow through the PIX. Without it the PIX won't let anything through (I think). Anyways, that's where I'm at. I've attached my current PIX configuration that works, but I removed passwords and changed a few addresses for obvious reasons. Feel free to look at it. Once again and as always, thank all of you for your help, I certainly do appreciate it. Attachment: PIX.TXT
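The complementary 1760 and PIX 501 configurations for the router-in-front layout this thread is working toward (Greg's half-configured router NAT plus the PIX lines he quoted, i.e. the double NAT), written here as an added example that is not part of the original thread. Addresses and interface names are taken from the posts above; the ISP next hop 24.154.99.1 is a placeholder, and PIX 6.x syntax is assumed.

```cisco
! ---- Cisco 1760, cable modem side ----
! Assumed: ISP gateway 24.154.99.1 is a placeholder, not from the thread.
interface Ethernet0/0
 ip address 24.154.99.20 255.255.255.0
 ip nat outside
!
interface FastEthernet0/0
 ip address 10.42.42.1 255.255.255.0
 ip nat inside
!
! Without a default route the 1760 has nowhere to send Internet-bound packets.
ip route 0.0.0.0 0.0.0.0 24.154.99.1
!
! First NAT: everything arriving from the 10.42.42.0/24 transit network is
! translated to the public address (PAT). "list 1" must exist or nothing matches.
access-list 1 permit 10.42.42.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0/0 overload

! ---- PIX 501, behind the router (PIX 6.x syntax assumed) ----
ip address outside 10.42.42.2 255.255.255.0
ip address inside 192.168.35.1 255.255.255.0
!
! Second NAT: inside hosts are hidden behind the PIX outside address, so the
! 1760 only ever sees 10.42.42.2 as a source. A pool such as
! 10.42.42.200-254 also works, because the PIX proxy-ARPs for pool addresses.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
! Default route: the PIX's next hop is the router's FastEthernet0/0 address,
! not the ISP. Workstations keep 192.168.35.1 as their default gateway.
route outside 0.0.0.0 0.0.0.0 10.42.42.1 1
!
! PIX 6.x does not inspect ICMP statefully: to let pings from the inside
! network succeed, the replies must be explicitly allowed back in. Nothing
! else is opened from the outside, so the PIX inside interface stays
! unreachable from the router and the Internet, as Greg expects.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
```

Verify with ping 4.2.2.1 and show ip nat translations on the 1760, and show xlate on the PIX after a workstation browses; each device should show its own translation for the same flow.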