How to configure Linksys Router & PIX 501 for home broadband network

Hi networking gurus, I have a Linksys AG241 - ADSL2 Gateway with 4-Port Switch at home connected to my ADSL provider using PPPoA. This all works fine. I have recently purchased a Cisco PIX 501 firewall. I have connected the PIX to the Linksys router, but I can't get traffic flowing properly. The Linksys router is configured with a single IP from the ADSL provider on its public side, and it's configured to assign addresses in the 192.168.250.0/24 range on its private side. The PIX is configured with an address of 192.168.250.2/24 on its outside (0) interface and an IP of 192.168.8.2/24 on its inside (1) interface. Both devices are running the latest code, the PIX having v6.3.5 and PDM 3.0.4. Please can you help me get this configured so that I can protect my home network using the PIX. Thanks, Greg

Answer Wiki


The first thing that I would ask is if you are using the Linksys for any particular purpose.

My suggestion is as follows:
Remove the Linksys router and place the PIX after your DSL router, and configure the PIX to handle the IP and DHCP in your network; the PIX comes with a 4-port switch as well. You do not need the Linksys router.

Discuss This Question: 12  Replies

 
  • JoakimL
    Have you tried to find out where the traffic is broken? Try some trace route commands from a PC connected to the private side of the PIX:

    TRACERT -d 192.168.250.2 - this will verify if you have contact with the public side of the PIX

    TRACERT -d 192.168.250.n (presumably .1, the IP address of the LinkSys) - this will verify if you have contact with the private side of the LinkSys

    TRACERT -d n.n.n.n (the IP address of the interface connected to your ADSL) - this will verify if you have contact with the outside interface of the LinkSys

    /Joakim Capgemini Sweden
  • DrillO
    I would agree with the first response.....dump the Linksys. You are trying to do the same thing with both devices. The PIX will do so much more than the Linksys anyway as it is the stronger of the two. Good luck Paul
  • GregNottage
    Thanks guys ;-) I will try the TRACERT's when I get home. delebute2004: The Linksys router is how I connect to the internet. It serves as my ADSL modem, as well as my access router. I have no other way of getting a connection from my ISP without the Linksys router. Unfortunately, the PIX doesn't support PPPoA, otherwise I could just use that instead. Thanks, Greg.
  • Delebute2004
    One thing, Greg, is that you are double NAT'ing your network; what is your default route on your PIX? The tracert will show where it is failing and give you more info, but my earlier suggestion is to remove the Linksys altogether unless you have a specific use for it. David
  • Delebute2004
    O.K., gotcha Greg; well, the first thing is to look at your configuration. You should be using a static IP for the 250.X side of the PIX; the default gateway route should be the Linksys IP 250.1, right? Then you will need an access-list to enable your traffic to flow. If you send us the running config I can review and send you my recommendations. David
  • GregNottage
    Cool, thanks for all the help and advice ;-) I'll need to spin off a copy of the running config tonight when I get home. I'll post it up later on. Thanks again guys ;-) Kind Regards, Greg.
  • OTPAYNE
    I agree with all the replies so far, and would add that you need to bear in mind that by default the PIX rule is deny all, so you would need to ensure that your rules allow traffic to your internal network.
  • Tracybs
    Greg; One thing I haven't seen mentioned yet is routing. If you are not NAT'ing on the PIX then the LinkSys will have to have a route to your internal network (192.168.8.0/24). If you are NAT'ing then the outbound traffic source IP will be the NAT address which is on the connected network so no need for routing to the inside (you'll still need a default outbound route on the PIX pointing to the LinkSys.) Did you assign the PIX outside interface IP or did you let the LinkSys hand it out via DHCP? If you let the LinkSys assign it via DHCP then the PIX should have picked up a default route that way. By default the PIX will allow outbound traffic and I think the default configuration does NAT using the outside interface and I think the 501's default is to use DHCP on the outside interface so... thinking about this... it should have been almost plug-and-play.
  • GregNottage
    Hi Guys, Thanks for all the advice. I managed to get it working by taking the following steps.

    1. On the Linksys router set a static route for the 192.168.8.0/24 network to the outside interface of the PIX (in my case that was 192.168.250.2).
    2. Allow NAT'ing on the Linksys router.
    3. Set the Linksys to expose 192.168.250.2 as a DMZ.
    4. Run through the PDM setup wizard on the PIX and fix the outside ip to 192.168.250.2 and the inside ip to 192.168.8.1.
    5. Set up a static NAT for the workstations behind the PIX. For some reason, if I do not do this I can't see the Internet from the workstations? I assume this is something to do with double NAT'ing?

    The above setup works fine, and I've even managed to get the VPN working, so I can connect to my home network from work using the Cisco VPN client on my laptop. However, one thing I cannot get working is the AnthaVPN client on my Pocket PC. I can get this client to connect to our VPN 3000 series concentrator at work, but it doesn't work connecting to my PIX 501 at home?! I think it may have something to do with the AnthaVPN client requiring XAUTH on my home network, which if I understand correctly basically means I need to set up some kind of RADIUS box to authenticate with. However, the original reason for starting this thread is now resolved, so thanks to all of you who posted ;-) Kind Regards, Greg.
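
The routing point raised by Tracybs and the static route in step 1 of Greg's fix can be checked with a small model of the Linksys routing table. This is an added example, not part of the original thread; the addresses come from the posts, while the workstation address 192.168.8.10 and the next-hop labels are constructed for illustration.

```python
import ipaddress

# Constructed model of the thread's topology (networks taken from the posts).
LINKSYS_LAN = ipaddress.ip_network("192.168.250.0/24")
PIX_INSIDE = ipaddress.ip_network("192.168.8.0/24")
PIX_OUTSIDE_IP = ipaddress.ip_address("192.168.250.2")


def linksys_routes(static_route_to_inside):
    """Routing table of the Linksys as (prefix, next hop label) pairs."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "ISP (PPPoA)"),
        (LINKSYS_LAN, "connected LAN"),
    ]
    if static_route_to_inside:
        # Step 1 of the fix: 192.168.8.0/24 via the PIX outside interface.
        routes.append((PIX_INSIDE, f"via {PIX_OUTSIDE_IP}"))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match, as a router does when forwarding."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_path(host, pix_nat, static_route_to_inside):
    """Where the Linksys sends the reply to traffic from an inside host."""
    # With NAT on the PIX the Linksys sees the PIX outside address as the
    # source; without it, the Linksys sees the real 192.168.8.x address.
    seen_source = PIX_OUTSIDE_IP if pix_nat else ipaddress.ip_address(host)
    return next_hop(linksys_routes(static_route_to_inside), seen_source)


if __name__ == "__main__":
    host = "192.168.8.10"  # constructed workstation address
    for nat in (True, False):
        for static in (False, True):
            print(f"PIX NAT={nat!s:5} static route={static!s:5} -> "
                  f"reply goes to: {reply_path(host, nat, static)}")
```

Without NAT on the PIX and without the static route, the reply for 192.168.8.10 only matches the default route and is sent toward the ISP, so the session never completes.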
  • Mortree
    Well the Linksys NATing is not a great situation. I suspect it works with DMZ because you basically are causing some equivalent to port forwarding on the Linksys to & from 192.168.250.2 the external PIX interface. So my guess is that the Linksys wasn't set to bridge mode properly (if it supports that) nor (alternative configuration) were all the ports (protocols) forwarded or routed to the PIX when NATing was off (poor man's attempt at faking bridge like route). That is the Linksys was busting your connections. One way to test that is of course to hook a sacrificial box -well patched XP OR Linux CD only client like Knoppix directly to the Linksys in non-NAT mode.
  • GregNottage
    Well, I actually have a Cisco 827 series broadband router that I haven't configured yet. I'm fully intending on replacing the Linksys with this Cisco router, but I wanted to secure things with the PIX first. Any thoughts or suggestions on how to configure the Cisco 827 series router to replace my Linksys router? Thanks, Greg.
  • Astronomer
    Greg: Start with this link: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/827/ rt
