Firewall Wizards mailing list archives
RE: Cisco PiX 501 running 6.2 - Defying me for no reason
From: "Steven A. Fletcher" <sfletcher () integrityts com>
Date: Mon, 15 Mar 2004 16:44:55 -0600
Can you send the configuration for your PIX? I think that would be more helpful in determining the problem. Of course, I would change all external addresses, just to be safe.

Also, do you have a Smartnet contract on your PIX? If so, you might want to try upgrading to a newer OS. The latest version (6.33) seems pretty stable and has fixed numerous problems.

Steve Fletcher
Senior Network Engineer, MCSE, Master ASE, CCNA
Integrity Technology Solutions
Phone: (309) 664-8129
Toll Free: (888) 764-8100 ext. 129
Fax: (309) 662-6421
sfletcher () integrityts com

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Kyle King
Sent: Friday, March 12, 2004 7:02 PM
To: FW Wizards
Subject: [fw-wiz] Cisco PiX 501 running 6.2 - Defying me for no reason

Hello all again,

Well, after researching, configuring, reconfiguring, and just a bit of sweating, the company has finally agreed with me on not trying to connect the vpn client through the SecureWay firewall. We bought ourselves a Cisco PiX 501 with the understanding that it can act as the vpn client when connecting to a concentrator. We got it yesterday around 10 am. 12 man hours later, I am still trying to make it go.

The PiX is outside the firewall, on its own line/lines (explained in a second). When it is configured to use DHCP to get its outside line, and not configured for anything else, the PCs behind it (the 3 that will connect to the vpn eventually) can access the internet fine. However, when I turn on the easy vpn client option, with the correct information (I have checked it many times), the internet dies. We also cannot connect to anything on the other end of the tunnel. In the past, when the PCs were outside the firewall, without the Cisco PiX between them, when the vpn client was enabled, the internet would still work for them.

But besides all this, I also have another problem; our computers that access the outside line (which is now the PiX with the computers behind it) must use the last static IP address we own, not DHCP. When I configure one of the computers with the appropriate information for a static IP, the computer connects to the internet fine (this is when not connected with the PiX between it). However, it requires that I supply the DNS servers. When I configure the PiX to access the internet using a static IP, nowhere do I find the command/option to input the DNS servers; and besides that, when I use static IP, the computers behind the firewall cannot access the internet.

I have read and done as the manual describes 5 times in the last 2 days. However, the manual seems to always assume that the PiX will connect to a router before accessing the internet, so all the configuration setups it supplies assume I can use either many outside IPs, or other effects to that nature. For example, it says to assign the NAT/PAT in this way:

    global (outside) 1 x.x.x.201-x.x.x.211
    global (outside) 1 x.x.x.212

This supposedly makes the NAT addresses all run on the 201-211 addresses, and the PAT on the 212 address. However, since the PiX is accessing only the static address, I only have access to the one address. I have tried setting the command "global (outside) 1 x.x.x.x" where x.x.x.x is the static IP I have, but it gives me an error saying something like, you cannot use this command because that address is already assigned. Also I know about the option during the startup wizard to have NAT/PAT just go through the outside address, but that seems to not help.

Anyway, I would appreciate any help you guys can offer. All I can say is, I feel like a real leech so far on here.... I haven't contributed yet.... but I will.

Kyle King
Banks-Hill Systems Ltd.
email: KKing () bankshill com
Phone: (780) 488 6100 ext. 242
Fax: (780) 488 4550
www.bankshill.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Cisco PiX 501 running 6.2 - Defying me for no reason Kyle King (Mar 15)
- <Possible follow-ups>
- RE: Cisco PiX 501 running 6.2 - Defying me for no reason Crissup, John (MBNP is) (Mar 18)
- RE: Cisco PiX 501 running 6.2 - Defying me for no reason Steven A. Fletcher (Mar 18)
- Re: Cisco PiX 501 running 6.2 - Defying me for no reason Kyle King (Mar 18)
- RE: Cisco PiX 501 running 6.2 - Defying me for no reason Josh Welch (Mar 18)
- Re: Cisco PiX 501 running 6.2 - Defying me for no reason Kyle King (Mar 19)
- Re: Cisco PiX 501 running 6.2 - Defying me for no reason Kyle King (Mar 18)
- RE: Cisco PiX 501 running 6.2 - Defying me for no reason Steven A. Fletcher (Mar 18)