Firewall Wizards mailing list archives

RE: Cisco PiX 501 running 6.2 - Defying me for no reason


From: "Crissup, John (MBNP is)" <John.Crissup () us millwardbrown com>
Date: Mon, 15 Mar 2004 16:38:32 -0600

  Try...

   global (outside) 1 interface

  This should tell it to use the IP Address currently assigned to the
outside interface.

 

-----Original Message-----
From: Kyle King [mailto:KKing () Bankshill com] 
Sent: Friday, March 12, 2004 7:02 PM
To: FW Wizards
Subject: [fw-wiz] Cisco PiX 501 running 6.2 - Defying me for no reason

Hello all again,

Well, after researching, configuring, reconfiguring, and just a bit of
sweating, the company has finally agreed with me on not trying to connect
the vpn client through the SecureWay firewall.  We bought ourselves a Cisco
PiX 501 with the understanding that it can act as the vpn client when
connecting to a concentrator.  We got it yesterday around 10 am.  12 man
hours later, I am still trying to make it go.

The PiX is outside the firewall, on its own line/lines (explained in a
second).  When it is configured to use DHCP to get its outside line, and not
configured for anything else, the PCs behind it (the 3 that will connect to
the vpn eventually) can access the internet fine.  However, when I turn on
the easy vpn client option, with the correct information (I have checked it
many times) the internet dies.  We also cannot connect to anything on the
other end of the tunnel.  In the past, when the PCs were outside the
firewall, without the Cisco PiX between them, when the vpn client was
enabled, the internet would still work for them.  But besides all this, I
also have another problem; our computers that access the outside line (which
is now the PiX with the computers behind it) must use the last static IP
address we own, not DHCP.

When I configure one of the computers with the appropriate information for a
static IP, the computer connects to the internet fine (this is when not
connected with the PiX between it).  However, it requires that I supply the
DNS servers.  When I configure the PiX to access the internet using a static
IP, nowhere do I find the command/option to input the DNS servers; and
besides that, when I use static IP, the computers behind the firewall cannot
access the internet.

I have read and done as the manual describes 5 times in the last 2 days.
However, the manual seems to always assume that the PiX will connect to a
router before accessing the internet, so all the configuration setups it
supplies assume I can use either many outside IPs, or other effects to that
nature.  For example:  It says to assign the NAT/PAT in this way -
   global (outside) 1 x.x.x.201-x.x.x.211
   global (outside) 1 x.x.x.212
This supposedly makes the NAT addresses all run on the 201-211 addresses,
and the PAT on the 212 address.  However, since the PiX is accessing only
the static address, I only have access to the one address.  I have tried
setting the command "global (outside) 1 x.x.x.x" where x.x.x.x is the static
IP I have, but it gives me an error saying something like, you cannot use
this command because that address is already assigned.  Also I know
about the option during the startup wizard to have NAT/PAT just go through
the outside address, but that seems to not help.

Anyway, I would appreciate any help you guys can offer.  All I can say is, I
feel like a real leech so far on here....  I haven't contributed yet.... but
I will.

Kyle King
Banks-Hill Systems Ltd.
email: KKing () bankshill com
Phone: (780) 488 6100 ext. 242
Fax: (780) 488 4550
www.bankshill.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



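Added example, not part of either message and not Cisco's or the posters' code: a small Python check over a PIX 6.x-style configuration that flags the situation in the question, a `global` statement naming the address the outside interface already holds, and points to the `global (outside) 1 interface` form from the reply. The sample configuration, its addresses, and the `lint` helper are constructed for illustration; the check that every `nat` id has a matching `global` goes slightly beyond the case in the thread.

```python
import ipaddress
import re

# Constructed sample in PIX 6.x syntax; addresses are documentation ranges.
SAMPLE_BAD = """\
ip address outside 192.0.2.10 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 192.0.2.10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
SAMPLE_GOOD = SAMPLE_BAD.replace("global (outside) 1 192.0.2.10",
                                 "global (outside) 1 interface")

IP_RE = re.compile(r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")


def lint(config):
    """Hypothetical helper: return findings for global/nat statements."""
    if_addr, pools, nat_ids, findings = {}, [], set(), []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := IP_RE.match(line):
            if_addr[m[1]] = ipaddress.ip_address(m[2])
        elif m := GLOBAL_RE.match(line):
            pools.append((m[1], int(m[2]), m[3], line))
        elif (m := NAT_RE.match(line)) and m[2] != "0":  # nat 0 = no translation
            nat_ids.add(int(m[2]))
    for ifname, nat_id, spec, line in pools:
        if spec == "interface":  # PAT on whatever address the interface holds
            continue
        first, _, last = spec.partition("-")
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last or first)
        own = if_addr.get(ifname)
        if own is not None and lo <= own <= hi:
            findings.append(f"'{line}' covers {ifname}'s own address {own}; "
                            f"use 'global ({ifname}) {nat_id} interface'")
    for nat_id in sorted(nat_ids - {p[1] for p in pools}):
        findings.append(f"nat id {nat_id} has no matching global statement")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BAD), ("after", SAMPLE_GOOD)):
        print(name, lint(cfg) or "no findings")
```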