Cisco Pix 501

I am an experienced Net Admin, but this thing is killing me. Can't get it to work at all. I do have a couple of brain cells and have RTFM.

Trying to plug it into a simple system between a Comcast SMC 8013wg router/switch and a Netgear FSM7352s managed switch. Ultimate goal is to make a VPN to another company. Right now I just want to make it allow traffic to pass and play nice on the network.

DHCP is being handled by Windows 2003 server with AD. DHCP turned off on SMC 8013 router. The Pix has 192.168.1.1 address. Internal network is 10.1.10.x.

If I change the internal network on the Pix (give it an IP of say 10.1.10.200), it tells me "can't put on same network". It gives me errors on DHCP even though I turn it off on the Pix. Latest OS on Pix.

Anyone out there that can help this frustrated IT guy?

Thanks

Reply to
taipan

Hi Taipan,

You may also wish to investigate the SMC Networks Forum, as well as the Netgear Forum, and finally the Comcast Support Forums.

Sincerely,

Brad Reese Cisco Technical Forums

Reply to
www.BradReese.Com

Forgive me if this seems rude, but WTF do any of those have to do with configuring a 501 Pix?

Reply to
taipan

Were you in config mode when trying to enter your changes?

To begin, your prompt should look like: pixfirewall#

Brad Reese Cisco Repair


Reply to
www.BradReese.Com

PDM or COM console? Been reset to factory defaults so many times it is not funny :-(

Yes I know what pixfirewall# (config) is.

My (stupid) assumption was that the pix was smart enough to figure out the outgoing gateway and the internal network. It seems stuck on 192.168.1.1. External IP (static) is 68.x.x.x. Internal network is 10.1.10.x. That's it. Just want to make it work. Just pass traffic. Have others to help on a VPN tunnel.

Reply to
taipan

Can you post your config and the exact error messages?

M
Reply to
mak

Is the windows server "inside" or "outside" the PIX?

Right. But the fact that you tried suggests you were trying to do something like a "transparent firewall", which the PIX 501 is not able to do (you need PIX 7.x for transparent firewall and PIX 7.x is not supported on the 501.)

Based on your references to DHCP and your attempt to put both interfaces into the same network, I suspect that what you are trying to do is have hosts inside the 501 given their addresses by a DHCP server outside of the 501 (the windows 2003 server). If that is the case, then you probably want to use the dhcprelay command.

But if you are doing this, then you have to be careful because the only way for a DHCP address handed in from outside to be useful inside would be if the PIX translates the addresses (temporary statics??), or if the addresses handed in are in an IP range which is not the same as the IP range assigned to the inside interface -and- there is a "route" statement pointing that IP range to an inside router that is fronting for the inside hosts (which are in a different IP range) -and- if there is a nat or static statement preserving the IPs between the inside and the outside. I've never tried dhcprelay myself so I don't know how exactly the PIX handles the IP range issues.

If your dhcpd setup references an IP range that overlaps the outside interface (or the inside IP), then even if you do not have "dhcpd enable" then the PIX will complain about the address overlap [if I recall correctly.] A few 'no dhcpd' commands will clear that up.

Reply to
Walter Roberson
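
An added example, not part of the original thread: a Python check over PIX 6.x-style `ip address` and `dhcpd address` lines for the two conflicts discussed in the post above, interfaces that share a subnet and a leftover dhcpd pool that no longer matches its interface. The sample config and its addresses are constructed, and the findings are this script's own wording, not the PIX's error messages.

```python
import ipaddress
import re

# Constructed sample (PIX 6.x syntax): the inside interface was re-addressed
# into the outside subnet and the factory-style dhcpd pool was left behind.
SAMPLE_CONFIG = """\
ip address outside 10.1.10.2 255.255.255.0
ip address inside 10.1.10.200 255.255.255.0
dhcpd address 192.168.1.2-192.168.1.33 inside
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)$")


def parse(config):
    """Return ({ifname: IPv4Interface}, [(ifname, first_ip, last_ip)])."""
    interfaces, pools = {}, []
    for line in map(str.strip, config.splitlines()):
        if m := IP_RE.match(line):
            name, addr, mask = m.groups()
            try:
                interfaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
            except ValueError:
                pass  # not a static address, e.g. "ip address outside dhcp setroute"
        elif m := POOL_RE.match(line):
            first, last, name = m.groups()
            pools.append((name, ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return interfaces, pools


def audit(config):
    """List addressing conflicts between interfaces and dhcpd pools."""
    interfaces, pools = parse(config)
    findings = []
    names = sorted(interfaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if interfaces[a].network.overlaps(interfaces[b].network):
                findings.append(f"{a} and {b} are both in {interfaces[a].network}")
    for name, first, last in pools:
        iface = interfaces.get(name)
        label = f"dhcpd pool {first}-{last}"
        if iface is None or first not in iface.network or last not in iface.network:
            findings.append(f"{label} is not inside the {name} subnet")
        elif first <= iface.ip <= last:
            findings.append(f"{label} contains the {name} interface address")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns one finding for the shared subnet and one for the stale pool; a config with the inside interface back on its own subnet returns an empty list.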

Thank you. That was very helpful. To give you a bit more data: SMC router has static IP's on the LAN and WAN sides. The LAN IP is 10.1.10.1

I set the 2k3 server up for DNS and DHCP.

Therefore, I don't need DHCP in either the SMC router or the pix. DHCP range is set for 10.1.10.10 to 10.1.10.100

The 2k3 server will be behind the PIX. Cable modem/router > Pix > managed switch > server

So what I want to do is get the PIX on the internal network by assigning it an IP like 10.1.10.200 and not use DHCP on it. This is where I am stuck. I cannot get it to take the IP address and simply pass traffic so I know it works.

To answer your question on DHCP, the 2k3 server will only give out IP's within the local network.

Once that's done I can add the 6 IP's for the VPN (actually that was very easy). Actually, I am not too concerned about the firewall aspects of the PIX. (tho' they are nice) I bought it for the VPN capabilities. I believe my biggest headaches in the end will be punching holes in the PIX firewall so I can remotely admin the server.

I could turn off DHCP on the server and let the Pix do it if needed. I prefer to let the server handle it. But I'm willing to change :-)

Thanks for any tips you can provide!

Reply to
taipan