RE: [fw-wiz] Cisco PiX 501 running 6.2 - Defying me for no reason
From: Steven A. Fletcher (sfletcher_at_integrityts.com)
To: "Kyle King" <KKing@Bankshill.com>, "FW Wizards" <firstname.lastname@example.org>
Date: Mon, 15 Mar 2004 16:44:55 -0600
Can you send the configuration for your PIX? I think that would be more helpful in determining the problem. Of course, I would change all external addresses, just to be safe.

Also, do you have a Smartnet contract on your PIX? If so, you might want to try upgrading to a newer OS. The latest version (6.33) seems pretty stable and has fixed numerous problems.
Senior Network Engineer, MCSE, Master ASE, CCNA
Integrity Technology Solutions
Toll Free: (888) 764-8100 ext. 129
Fax: (309) 662-6421
[mailto:email@example.com] On Behalf Of Kyle
Sent: Friday, March 12, 2004 7:02 PM
To: FW Wizards
Subject: [fw-wiz] Cisco PiX 501 running 6.2 - Defying me for no reason
Hello all again,
Well, after researching, configuring, reconfiguring, and just a bit of sweating, the company has finally agreed with me on not trying to the vpn client through the SecureWay firewall. We bought ourselves a PiX 501 with the understanding that it can act as the vpn client when connecting to a concentrator. We got it yesterday around 10 am. 12 man-hours later, I am still trying to make it go.
The PiX is outside the firewall, on its own line/lines (explained in a second). When it is configured to use DHCP to get its outside line, and configured for anything else, the PCs behind it (the 3 that will connect the vpn eventually) can access the internet fine. However, when I turn on the easy vpn client option, with the correct information (I have checked many times) the internet dies. We also cannot connect to anything on the other end of the tunnel. In the past, when the PCs were outside the firewall, without the Cisco PiX between them, when the vpn client was enabled, the internet would still work for them. But besides all this, I also have another problem; our computers that access the outside line (which is now the PiX with the computers behind it) must use the last static IP address we own, not DHCP.
When I configure one of the computers with the appropriate information static IP, the computer connects to the internet fine (this is when not connected with the PiX between it). However, it requires that I supply DNS servers. When I configure the PiX to access the internet using a static IP, nowhere do I find the command/option to input the DNS servers; and besides that, when I use static IP, the computers behind the firewall access the internet.
I have read and did as the manual describes 5 times in the last 2 days. However, the manual seems to always assume that the PiX will connect to a router before accessing the internet, so all the configuration setups it supplies assume I can use either many outside IPs, or other effects to nature. For example: It says to assign the NAT/PAT in this way -
global (outside) 1 x.x.x.201-x.x.x.211
global (outside) 1 x.x.x.212
This supposedly makes the NAT addresses all run on the 201-211 and the PAT on the 212 address. However, since the PiX is accessing the static address, I only have access to the one address. I have tried setting the command "global (outside) 1 x.x.x.x" where x.x.x.x is the IP I have, but it gives me an error saying something like, you cannot use this command because that address is already assigned. Also I know about the option during the startup wizard to have NAT/PAT just go the outside address, but that seems to not help.
Anyway, I would appreciate any help you guys can offer. All I can say feel like a real leech so far on here.... I haven't contributed yet....
Banks-Hill Systems Ltd.
Phone: (780) 488 6100 ext. 242
Fax: (780) 488 4550
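For the single-address situation Kyle describes, a minimal PIX 6.x configuration, added here as an example and not taken from either message in this thread: it PATs all inside hosts to the outside interface's own address instead of a second global address, hands DNS servers to the inside PCs through the PIX's DHCP server, and enables Easy VPN Remote client mode. All addresses, the group name and the password are placeholders, and the split-tunnel remark is a general statement about Easy VPN behaviour, not a diagnosis from the thread.

```cisco
! Added example, not from either message in this thread. Placeholder
! addresses from the documentation ranges; replace before use.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! One static outside address instead of DHCP
ip address outside 192.0.2.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! PAT every inside host to the outside interface's own address.
! "global (outside) 1 <interface address>" is rejected because that
! address is already assigned to the interface; "interface" is the
! keyword for this case.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
! The PIX itself needs no DNS servers to forward traffic; the inside
! hosts do. Hand them out with the PIX's DHCP server (placeholder IPs).
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd dns 198.51.100.53 198.51.100.54
dhcpd lease 3600
dhcpd enable inside
! Easy VPN Remote (the "easy vpn client option") toward the concentrator.
vpnclient server 203.0.113.5
vpnclient mode client-mode
vpnclient vpngroup EXAMPLEGROUP password EXAMPLEPASSWORD
vpnclient enable
! Whether Internet traffic keeps flowing while the tunnel is up depends
! on the split-tunnel policy the concentrator pushes to the client; with
! no split-tunnel list, all inside traffic is sent into the tunnel. That
! policy is set on the head end, not on the PIX.
```

Check the result with `show global`, `show xlate` and `show vpnclient` on the PIX; the first should list the outside interface as the PAT address and the last should report the tunnel state.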
firewall-wizards mailing list