[fw-wiz] Cisco PiX 501 running 6.2 - Defying me for no reason

From: Kyle King (KKing_at_Bankshill.com)
Date: 03/13/04

  • Next message: ArkanoiD: "Re: [fw-wiz] Evolution of Firewalls"
    To: "FW Wizards" <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 12 Mar 2004 17:02:00 -0800
    
    

    Hello all again,

    Well, after researching, configuring, reconfiguring, and just a bit of
    sweating, the company has finally agreed with me on not trying to connect
    the vpn client through the SecureWay firewall. We bought ourselves a Cisco
    PiX 501 with the understanding that it can act as the vpn client when
    connecting to a concentrator. We got it yesterday around 10 am. 12 man
    hours later, I am still trying to make it go.

    The PiX is outside the firewall, on its own line/lines (explained in a
    second). When it is configured to use DHCP to get its outside line, and not
    configured for anything else, the PCs behind it (the 3 that will connect to
    the vpn eventually) can access the internet fine. However, when I turn on
    the easy vpn client option, with the correct information (I have checked it
    many times) the internet dies. We also cannot connect to anything on the
    other end of the tunnel. In the past, when the PCs were outside the
    firewall, without the Cisco PiX between them, when the vpn client was
    enabled, the internet would still work for them. But besides all this, I
    also have another problem; our computers that access the outside line (which
    is now the PiX with the computers behind it) must use the last static IP
    address we own, not DHCP.

    When I configure one of the computers with the appropriate information for a
    static IP, the computer connects to the internet fine (this is when not
    connected with the PiX between it). However, it requires that I supply the
    DNS servers. When I configure the PiX to access the internet using a static
    IP, nowhere do I find the command/option to input the DNS servers; and
    besides that, when I use static IP, the computers behind the firewall cannot
    access the internet.

    I have read and done as the manual describes 5 times in the last 2 days.
    However, the manual seems to always assume that the PiX will connect to a
    router before accessing the internet, so all the configuration setups it
    supplies assume I can use either many outside IPs, or other effects to that
    nature. For example: It says to assign the NAT/PAT in this way -
       global (outside) 1 x.x.x.201-x.x.x.211
       global (outside) 1 x.x.x.212
    This supposedly makes the NAT addresses all run on the 201-211 addresses,
    and the PAT on the 212 address. However, since the PiX is accessing only
    the static address, I only have access to the one address. I have tried
    setting the command "global (outside) 1 x.x.x.x" where x.x.x.x is the static
    IP I have, but it gives me an error saying something like, you cannot use
    this command because that address is already assigned. Also I know
    about the option during the startup wizard to have NAT/PAT just go through
    the outside address, but that seems to not help.

    Anyway, I would appreciate any help you guys can offer. All I can say is, I
    feel like a real leech so far on here.... I haven't contributed yet.... but
    I will.

    Kyle King
    Banks-Hill Systems Ltd.
    email: KKing@bankshill.com
    Phone: (780) 488 6100 ext. 242
    Fax: (780) 488 4550
    www.bankshill.com

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

