Configure Perimeter Router

I currently have this type of setup:

Internet --> Cisco 827 --> PIX 506e --> Catalyst 2950 --> LAN

I need to configure a perimeter router with an ADSL WIC. It will look like this:

Internet --> Cisco 1751 --> PIX 506e --> Catalyst 2950 --> LAN

My problem is that I currently have the Cisco 827 bridging the ADSL signal and the PIX outside interface is assigned the public IP. I have tried everything to get the 1751 to bridge, and from what I have read it looks like I will have to assign the public IP to the ADSL WIC interface and then give the outside PIX interface an inside address.

Does anyone have any ideas on how best to achieve this? I currently have static tunnels and VPN clients configured on the PIX, and the thought of totally reconfiguring the PIX is not too appealing.

Here is my current PIX config.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password v914w4bB4kaU0ypy encrypted
passwd OZk0LVfY42vMqD6A encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.4 Athlon
access-list PROTECT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 deny icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit udp any eq domain any
pager lines 24
logging on
logging timestamp
logging trap warnings
logging history warnings
logging host inside Athlon format emblem
icmp permit host 12.xxx.xxx.xxx outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 65.xxx.xxx.xxx 255.255.255.xxx
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pool 192.168.50.1-192.168.50.254
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.50.0 255.255.255.0 outside
pdm location Athlon 255.255.255.255 inside
pdm location 12.xxx.xxx.xxx 255.255.255.255 outside
pdm location 12.xxx.xxx.xxx 255.255.255.255 outside
pdm location 10.1.0.0 255.255.0.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
no ntp authenticate
http server enable
http 12.xxx.xxx.xxx 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http Athlon 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside Athlon /
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 20 set pfs group2
crypto dynamic-map map2 20 set transform-set ESP-AES-256-SHA
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address PROTECT
crypto map map1 10 set pfs group2
crypto map map1 10 set peer xxx.xxx.xxx.xxx
crypto map map1 10 set transform-set ESP-AES-256-SHA
crypto map map1 20 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 20 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 11 authentication rsa-sig
isakmp policy 11 encryption des
isakmp policy 11 hash sha
isakmp policy 11 group 1
isakmp policy 11 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool pool
vpngroup vpn split-tunnel 102
vpngroup vpn pfs
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet Athlon 255.255.255.255 inside
telnet timeout 15
ssh timeout 10
management-access inside
console timeout 30
dhcpd address 192.168.1.100-192.168.1.254 inside
dhcpd dns 4.2.2.2 4.2.2.3
dhcpd lease 21600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username xxx password ZKvuR/E4cb5TutkE encrypted privilege 15
terminal width 80
banner exec Enter your password carefully
banner login Enter your password to log in
banner motd Authorized Access only
banner motd This system is the property of xxx.
banner motd UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
banner motd You must have explicit permission to access this
banner motd device. All activities performed on this device
banner motd are logged. Any violations of access policy will result
banner motd in disciplinary action.
Cryptochecksum:af631c39892e74a279f043d0da360e82
: end

Any ideas would be appreciated.

Todd
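The arrangement Todd describes (public IP on the ADSL WIC, PIX outside on a private transit subnet), as an added example of the 1751 side; it is not from the original thread. It assumes the WIC sits in slot 0 and appears as ATM0/0, PPPoA on PVC 0/35 with the address assigned by PPP, a constructed 192.168.254.0/30 transit link, and ISP-USER/ISP-PASS as placeholders for the provider credentials.

```cisco
! Added example, not from the thread. Interface name, PVC and transit
! subnet are assumptions; confirm the WIC name with "show ip interface brief".
hostname perimeter-1751
!
interface ATM0/0
 no ip address
 dsl operating-mode auto
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 description ADSL uplink; this interface holds the public address
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname ISP-USER
 ppp chap password ISP-PASS
!
interface FastEthernet0/0
 description transit link to PIX outside (constructed 192.168.254.0/30)
 ip address 192.168.254.1 255.255.255.252
 ip nat inside
!
! One-to-one static NAT: everything that arrives at the public address is
! handed to the PIX outside interface, so the static tunnel peer and the VPN
! clients keep targeting the same public IP while the PIX itself holds a
! private address. The PIX config already has "isakmp nat-traversal 20".
ip nat inside source static 192.168.254.2 interface Dialer0
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! On the PIX only the outside address and default route change, e.g.:
!   ip address outside 192.168.254.2 255.255.255.252
!   route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
! The crypto map, vpngroup, NAT and access-list lines stay as they are.
```

The PIX keeps its own PAT to the (now private) outside address and the 1751 translates that address to the public one, so inbound policy is still enforced by access-list 100 on the PIX.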

Hi Todd,

You may wish to investigate the ADSL WAN Interface Card Data Sheet:

formatting link
As you need IOS 12.3T

Dynamic Configuration Tool results:

CISCO1751 - 10/100 Modular Router w/ 3 slots, IOS IP, 32F/64D
S17C7P-12311T - Cisco 1700 IOS IP/ADSL PLUS
WIC-1ADSL-DG - 1-port ADSLoPOTS WIC with Dying Gasp
WIC-1ADSL-I-DG - 1-port ADSLoISDN Wan Interface Card

With the 12.3T series IOS and the IP/ADSL Plus feature set, the WIC-1ADSL-DG is recognized by the router.

Check your DRAM and flash requirements in case you lack the DRAM and flash needed to run this new IOS.


BradReeseCom
