Basic network problem/question: PIX 506E

I haven't been checking this group all that often lately so if you reply and don't hear back, well what can I say, you get what you pay for.

Problem one. Your router config. Your outside address should be on a separate subnet then your inside. The 5 IPs you mention don't fit into a subnet, there should be more or less then 5.

You can use any private subnet between the router and pix just make sure the default gateway on the pix is the IP on the inside of the router, that there is a route in the router for your public subnet pointing to the IP on the "outside" of the pix, and that the NAT on the pix is using your public subnet. This all comes back to your subnet problem.

A typical system would look like this (I'm making up all the IP addresses).

DSL interface on the router has an address of with a mask of (the router at the other end of the T1 would be

You can set the router's default gateway as either the DSL interface or I like to use the far end address but that's just me. The router already knows that this subnet is on the DSL interface since it is directly connected.

Assume that your public subnet is or through The 0 and 8 are your network and broadcast addresses and you can't use them, this leave you with 6 usable IPs.

Set you router ethernet port with an IP of

Put a static route in the router so that goes to (the "outside" address of the PIX).

The PIX will have an; outside inside default gateway

You can now use your entire public subnet for NAT/PAT within the PIX.

The config gets a little easier if you don't mind using a public IP on the router ethernet and the PIX outside. In this case the router ethernet would be and you don't need a static route in the router since the subnet is now directly connected. The PIX would be; outside inside default gateway

Thus concluding today's class of IP 101.


Reply to
Loading thread data ...

I'm setting up a pix 506E to do firewall, NAT, and VPN for my office. I am trying to work in stages, getting the network functional in this order:

Stage 1) Basic inside to outside services: http, ssh, etc. from inside out. Stage 2) Incoming services: http, https, and ssh from the outside to the right place inside. Stage 3) VPN. People working at home can work as if they are in the office.

Here is the network:

internet | perimeter router w/DSL (cisco 2801) | PIX 506E | internal network

We have 5 static IP's from SBC: xx.xx.xx.98 thru xx.xx.xx.102.

I got a basic configuration for stage 1 working this way:

router outside IP: xx.xx.xx.102 router inside IP: xx.xx.xx.98 PIX outside IP: xx.xx.xx.99 PIX inside IP:

First problem: I don't want to burn 2 of my public IP addresses on the little subnet between the router and the PIX. I originally used and but I had problems getting things working. From the PIX, I could not ping any outside internet addresses that way. With the public IP's, I can.

So, just working on stage 1 for the moment: what do I need to do, either in the router or the PIX, so I can use private IP numbers on the network between the router and the PIX?

Here is the PIX configuration:

PIX Version 6.3(3) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password ******** encrypted passwd ******** encrypted hostname pixfw domain-name ********.*** clock timezone CT -6 fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names object-group icmp-type icmp_traffic icmp-object echo-reply icmp-object source-quench icmp-object unreachable icmp-object time-exceeded access-list PERMIT_IN permit icmp any any object-group icmp_traffic pager lines 68 icmp permit any outside icmp permit any inside mtu outside 1500 mtu inside 1500 ip address outside xx.xx.xx.98 ip address inside ip audit info action alarm ip audit attack action alarm pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 xx.xx.xx.98 nat (inside) 1 0 0 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 terminal width 80 Cryptochecksum:*****

Reply to
John Scholvin

OK. I misstated the case.

What I think I have with my SBC DSL is a /29 block: xx.xx.xx.96 through ..103. I know the .96 and the .103 are unusable by me (network & broadcast). So I think I get .97 through .102, a total of 6 addresses.

But that is in fact all I "get" from SBC. There is no specific public address for the DSL on a different subnet.

Googling around a bit, it sounds like this is the way SBC does business for this kind of account:

formatting link
It looks like I have to play some kind of game with the DSL interface on the router to deal with this. So now I'm really confused. The way I had it set up, it seemed to work. From the router, I could ping the rest of the world, and from the rest of the world, I could ping the 3 public IP addresses I was using on the router and pix.

Any advice?

Reply to
John Scholvin

What function beside PPPOE is the 2801 performing?

The PIX506E supports PPPOE

Reply to

You might see if you can configure the 2801 in bridging mode; ie the PIX would be configured as a PPPOE client and outbound traffic would be bridged thru the 2821.

You other options owuld be to get an external ADSL modem and connect it directly to the PIX outside interface

Reply to

Physical ADSL interface via WIC-1ADSL.

Reply to
John Scholvin






Reply to
complanet Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.