Cisco PIX to ADSL

N/A

Cisco PIX to ADSL

I would like to connect a Cisco PIX firewall into my ADSL. A Cisco PIX only has Ethernet for the outside (not the RJ11 DSL interface) and doesn't support PPPoA, so a router (for the PPPoA authentication and DSL-to-Ethernet) will be required.

The query I have is how do I get the Internet registered IP address onto the PIX outside interface? (This needs to be on the outside of the PIX to build a VPN tunnel from, so NAT on the router is not an option.)

I have been looking through my DLINK and see it has a setting to change it to a bridge, maybe this is what I need to do, but will this disable the PPPoA?
14 REPLIES
Mark_Dowd
Grafter
Posts: 102
Registered: 08-08-2007

Cisco PIX to ADSL

Which model of ADSL Router do you have?

I am in the process of doing this with a Solwise SAR110, but can't start until Saturday. In brief, if you have one permanent IP address assigned by +Net you will be using ZIPB (Zero IP Bridge) which, amongst other things, should handle DHCP and ARP requests between your router/firewall and +Net.

I will respond against this topic when I have figured it out.
N/A

Cisco PIX to ADSL

I'm using a D-Link 504. Did you have any joy setting up your router this weekend?
N/A

Cisco PIX to ADSL

To run the firewall correctly your PIX must have 2 Ethernet ports to create a barrier between you and the Internet.

You should connect like this.

ADSL ---> DLink -504 ------> (Ethernet 0) PIX (Ethernet 1) ------>PC

Once you do this you should be able to configure your PIX to work.

[edited]
I have now re-read your message properly!

I will double check to see if a PIX can negotiate an address via DHCP (Just the same as if your PC was plugged into the Dlink-504). If so you would set Eth0 to IP ADDRESS NEGOTIATION or DHCP (depends on PIXos) and it should pick up your legal Internet address.

You then set eth1 to be a non-internet address range (192.168.x.x etc.) and then do NAT between eth1 and eth0. Your PC would have an IP address from the range you choose for eth1 on the PIX.

[edited again!]
Straight from the Cisco website!

Configuring the DHCP Client
To enable the DHCP client feature on a given PIX Firewall interface and set the default route via the DHCP server, enter the following command:

ip address outside dhcp [setroute] [retry retry_cnt]


The ip address dhcp command enables the DHCP client feature on the outside PIX Firewall interface. The optional setroute argument tells the PIX Firewall to set the default route using the default gateway parameter the DHCP server returns. If the setroute argument is configured, the show route command displays the default route set by the DHCP server.


Note Do not configure the PIX Firewall with a default route when using the setroute argument of the ip address dhcp command.
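Putting the two halves of this post together (DHCP on the outside, a private range plus NAT on the inside), here is what the resulting PIX configuration looks like. This is an added example, not a configuration from this thread, from Cisco or from D-Link, and it uses the PIX 6.x syntax shown in the quoted Cisco text. The inside network 192.168.1.0/24, the NAT id 1, the DHCP pool and the remote VPN network 10.1.1.0/24 are all assumed values; the DHCP lease on the outside interface will only be the public address if the ADSL router is bridging it through (ZIPB/half bridge) rather than NATing.

```cisco
! Added example (not from the thread): PIX 6.x outside-DHCP client plus inside NAT.
! Assumed values: inside 192.168.1.0/24, NAT id 1, remote VPN network 10.1.1.0/24.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto

! Outside interface takes whatever address the ADSL router's DHCP server hands out
! and installs the default route the server supplies. Per the Cisco note above,
! do NOT also configure a static default route when setroute is used.
ip address outside dhcp setroute

! Inside interface on a private range; the PC takes an address from this range.
ip address inside 192.168.1.1 255.255.255.0

! Translate everything leaving the inside to the outside interface's own address (PAT),
! whatever that address currently is.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Traffic destined for the remote VPN site must not be translated, otherwise the
! far end sees the PAT address instead of the inside hosts. Identity NAT (nat 0)
! exempts it; the crypto map for the tunnel (not shown) matches the same networks.
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Optional: let the PIX hand out inside addresses to the PC instead of the D-Link.
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd enable inside
```

After applying this, `show ip address outside dhcp lease` (or `show route`) is the quick check: if the leased address is in a 10/8, 172.16/12 or 192.168/16 range, the ADSL router is still NATing and the VPN source address problem discussed later in the thread remains.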
N/A

Cisco PIX to ADSL

Thanks for the information - I know how to get the PIX to run as a DHCP client because I already have this set-up and connected to my cable modem. All I really wanted to find out is how to get the device that's connected to the ADSL router/modem (i.e. my PIX) to get the Internet router IP address rather than the ADSL router itself. (Maybe the no-NAT option.)

Also, because a PIX doesn't support PPPoA, will the router still be able to perform its authentication while the PIX firewall gets the DHCP'ed IP address?

My ADSL connection will be activated over the next few days so I will test this myself.
N/A

more info

I'm not quite sure what you're trying to achieve?!

I don't know your technical level so sorry if I am sounding condescending.

The PIX outside interface should pick up the same address your PC would pick up if it were plugged directly into the dlink-504. Just think of the PIX as your PC for the purposes of obtaining an IP address.

The D-Link modem should obtain 2 IP addresses from your ISP. One for the actual WAN link itself (or the DSL port) and a 2nd for your connected device (usually a PC). The PIX should pick up the 2nd IP address.

If you go for the static IP option then the PIX should always pick up this static IP address. Don't set the static IP address in the PIX as this can cause unpredictable results.

Hope this answers your question.

Chris
N/A

Cisco PIX to ADSL

I’m under the impression that the D-Link router will pick up a DHCP’ed IP address from +Net on the WAN interface and, because it’s a router, it needs an address on the inside (which will be a private IP, thus in the 10.x.x.x, 172.16.x.x or 192.168.x.x ranges). If it were a modem then I could understand the DHCP’ed IP address being passed through to the PIX.
Plugging in the PIX into the inside Ethernet interface of the Dlink will result in the PIX getting a private IP address and therefore I will not be able to build VPN tunnels from the PIX. (The PIX needs an Internet registered IP address on the outside, a Private IP address will need to be NAT’ed).

I haven’t got my DSL connection yet but will hopefully test it this weekend.

Can anybody confirm that if I was to plug a PC into the DSL router (with no NAT enabled) it would get an Internet registered IP address? (i.e. not in the 10.x.x.x, 172.16.x.x or 192.168.x.x ranges) And if so, what gateway would the PC use, because the inside interface on the router wouldn’t have an IP address for it to point to?
N/A

pix to adsl connection

I am not sure that what you are trying to do is possible if you only have the one IP address. I got my connection last week and am trying to do the same thing with a PIX and the SAR110 router. I have done it many times before for clients with a Cisco 827 and 837. In those cases the client has been assigned a block of IP addresses, usually 8, from either BT or Demon. I then configure the Ethernet port with one of those public IPs and configure the ADSL port with IP unnumbered. I can then simply provide the PIX outside interface with one of the public IPs from the block allocated.
With the SAR110 however, if you follow the Plusnet documentation for using a block of IP addresses in what they call "NONAT", you still end up configuring your router for NAT, but instead of having a dynamic NAT you will have a STATIC NAT. I went through the SAR110 documentation and on page 41 of the 110refguide.pdf it states to use the IP unnumbered method with the command
"create ppp intf ifname ppp-0 ppoa lowif aal5-0 numif eth-0 droute true"
which, by the way, does not work because my router with software version 1.38 does not support the "numif" command.

But I think in your case with the D-Link router you will need to look at IP unnumbered commands, and if you don't have a block of IPs, try to get some.
Cheers, Mal
N/A

Cisco PIX to ADSL

The only way to be sure is to plug the D-Link 504 into your PC, without the PIX, and see what IP address your PC gets from DHCP.

It will be this IP address that the PIX will pick up when it is connected.

If the dlink-504 is providing a non-internet address (and hence NAT) then although it is not pretty you can do NAT twice and in fact it would be even more secure than 1 layer of NAT!

Chris
N/A

Cisco PIX to ADSL

I have set up a PIX performing a double NAT before, but the reason I need the Internet IP address on the outside of the PIX is to build a VPN tunnel from. The PIX uses the IP address of the outside interface as the source address for the VPN tunnel; if this was a private IP (which it would be if I performed NAT twice) I'm not sure whether the tunnel will connect.
N/A

Cisco PIX to ADSL

Are you still having troubles? Got my PIX/router combo working last night with an update of firmware on the router.
N/A

Cisco PIX to ADSL

Hi,

I'm still waiting for my line to be activated. So do you have the DHCP'ed IP address on the outside of your PIX? Where did you configure the PPPoA?

If I have any problems at least someone might be able to help me!

Thanks,

Chris
N/A

Cisco PIX to ADSL

The PPPoA is done by the D-Link 504 and the PIX is set to DHCP on the outside interface to pick up an address from the D-Link.

You then setup NAT between the inside and outside interfaces on the PIX.
N/A

Cisco PIX to ADSL

Hi Chris,

I'm assuming you only have a single public IP address.

The following info is direct from D-Link regarding the DSL-504:

Quote
Cisco, SafeNet, and Sonic Wall
These VPNs do not require ports to be opened to work through a router. Enable Nat Transparency (Traversal) on the client VPN software.

If any of these are using IPSec (AH), it will not and cannot work through NAT.

IPSec using ESP will work. All D-Link routers have PPTP and IPSec passthrough.

This would suggest that the PIX could initiate the connection to the remote site if you use ESP not AH.

Alternatively, on the NAT page in the D-Link try setting the DMZ IP to the private IP on the PIX, as this should map the external IP through to the PIX. This should provide a global forward to the IP address you specify.

The only other options I can think of would be:
1) Replace the D-Link with a router which supports DHCP Spoofing / PPP Half Bridge / ZIPB, all of which are different ways of saying it'll assign the public router IP to an internal device.
Or
2) Get a block of public IPs and disable NAT on the router. You could get away with a 4 IP block, which will give you 2 to assign. One for the D-Link, the other for the PIX, then just use the PIX as the gateway.
N/A

Cisco PIX to ADSL

Thanks for the information nellybase. I have managed to get ZIPB working now, so the public IP address is on the outside of the PIX and the VPN is working fine.