Sean,
I stand self-corrected, in private mail I told you AFAIK it wasn't possible.
However, after I did a quick search at www.cisco.com for "515 DHCP PAT" this
information was contained in the first hit. HTH, let me know if it works.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm (Watch Wrap)
The following partial configuration example shows how to use three new
features that are associated with each other: DHCP server, DHCP client, and
PAT using interface IP to configure a PIX Firewall in a small office, home
office (SOHO) environment:

! use dhcp to configure the outside interface and default route
ip address outside dhcp setroute
! enable dhcp server daemon on the inside interface
ip address inside 10.0.1.2 255.255.255.0
dhcpd address 10.0.1.101-10.0.1.110
dhcpd dns 209.165.201.2 209.165.202.129
dhcpd wins 209.165.201.5
dhcpd lease 3000
dhcpd domain example.com
dhcpd enable
! use outside interface IP as PAT global address
nat (inside) 1 0 0
global (outside) 1 interface


The following is sample output for the show dhcpd command:

show dhcpd
dhcpd address 10.0.1.100-10.0.1.108 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd dns 192.23.21.23
dhcpd enable inside


The following is sample output for the show dhcpd binding command:

show dhcpd binding
IP Address   Hardware Address    Lease Expiration   Type
10.0.1.100   0100.a0c9.868e.43   84985 seconds      automatic

The following is sample output for the show dhcpd statistics command:

show dhcpd statistics
Address Pools 1
Automatic Bindings 1
Expired Bindings 1
Malformed messages 0

Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 1

Ken Claussen MCSE CCNA CCA
[EMAIL PROTECTED]
"The Mind is a Terrible thing to Waste!"
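The Cisco excerpt above shows the fix for Sean's situation: a `nat (inside) 1 ...` statement is useless without a `global (outside) 1 ...` partner, and when the outside address is DHCP-assigned the global must use the `interface` keyword rather than a literal address. The following script is an added example, not from the thread or from Cisco, that parses the small subset of PIX 6.x syntax used in this thread (`ip address`, `nat`, `global`) and reports the two mistakes the thread discusses: a nat id with no matching global, and a global written as a literal address when the interface is DHCP-assigned or when the literal equals the interface's static address (the "addresses overlap with outside interface address" case). Function names and the sample configs are assumptions; the samples are constructed from the `show config` in Sean's post.

```python
import re

# Constructed sample, adapted from the poster's `show config`: a nat statement
# with no global partner, and an outside interface addressed by DHCP.
SAMPLE_BROKEN = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp
ip address inside 192.168.0.1 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 204.210.27.1 1
"""

# Same config with the PAT statement from the Cisco example added.
SAMPLE_FIXED = SAMPLE_BROKEN + "global (outside) 1 interface\n"

# Only the three statement types this check needs (PIX 6.x syntax).
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+)(?: (\S+))?$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def parse_pix_config(text):
    """Return a dict of interface addresses, nat entries and global entries."""
    cfg = {"ip_address": {}, "nat": [], "global": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and comments
        m = IPADDR_RE.match(line)
        if m:
            ifname, addr, _mask_or_setroute = m.groups()
            cfg["ip_address"][ifname] = addr  # literal address or "dhcp"
            continue
        m = NAT_RE.match(line)
        if m:
            cfg["nat"].append({"if": m.group(1), "id": int(m.group(2))})
            continue
        m = GLOBAL_RE.match(line)
        if m:
            cfg["global"].append(
                {"if": m.group(1), "id": int(m.group(2)), "spec": m.group(3)}
            )
    return cfg


def check_pat(cfg):
    """Return a list of findings describing why PAT would not work."""
    findings = []
    global_ids = {g["id"] for g in cfg["global"]}
    for n in cfg["nat"]:
        if n["id"] == 0:
            continue  # nat 0 means "no translation" and needs no global
        if n["id"] not in global_ids:
            findings.append(
                f"nat ({n['if']}) {n['id']} has no matching global statement: "
                "inside hosts will not be translated"
            )
    for g in cfg["global"]:
        if g["spec"] == "interface":
            continue  # PAT on the interface address: correct for a DHCP outside
        addr = cfg["ip_address"].get(g["if"])
        if addr == "dhcp":
            findings.append(
                f"global ({g['if']}) {g['id']} uses literal {g['spec']} but "
                f"{g['if']} is DHCP-assigned: use 'global ({g['if']}) {g['id']} interface'"
            )
        elif addr is not None and addr in g["spec"].split("-"):
            # A literal pool that includes the interface's own static address
            # is what triggers the "overlap with outside interface" error.
            findings.append(
                f"global ({g['if']}) {g['id']} overlaps the {g['if']} interface "
                f"address {addr}: use the 'interface' keyword instead"
            )
    return findings


if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, check_pat(parse_pix_config(text)) or "OK")
```

Running it against the two constructed samples reports the missing global for the first and nothing for the second; a config that pairs a literal address with `ip address outside dhcp` is flagged with the suggested `interface` form.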


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Sean Lewis
Sent: Wednesday, June 06, 2001 1:24 AM
To: [EMAIL PROTECTED]
Subject: PIX 515 + broadband - what am I missing?


hi all,

I've been researching this problem for several days now, and have come
up totally short in terms of finding a solution. Here's the scenario: I
have a PIX 515 with an internal network range of 192.168.0.0/24 behind
it and a single external IP I obtain via DHCP [cable]. I have the PIX
configured as 192.168.0.1 and I have it using DHCP to obtain an IP for
the external address. Here is the routing table:

 outside 0.0.0.0 0.0.0.0 204.210.27.1 1 OTHER static
 inside 192.168.0.0 255.255.255.0 192.168.0.1 1 CONNECT static
 outside 204.210.27.0 255.255.255.0 204.210.27.13 1 CONNECT static

Now here's the problem: I can ping the other 192.168.0.0/24 machines
from the PIX, and I can ping outside IPs from the PIX. However, I cannot
get the traffic to route from the internal network through the PIX using
PAT. Yes, I know the PIX is not designed to be a router, but I only
require it to perform a simple routing task with regard to PAT. 
Here's a part of the configuration I don't totally understand: When
setting up a global rule, if the single external IP I have is configured
as the outside interface, it will return:

Start and end addresses overlap with outside interface address

[command: global (outside) 1 outside.ip]

my NAT table reads:

nat (inside) 1 192.168.0.0 255.255.255.0 0 0 

Yes, I have tried changing this to allow NAT from everywhere [0 in field
where 192.168.0.0 is]

so I figured a way around this, although it doesn't work: bring the
external interface down, then issue the global command, then bring it
back up. This doesn't present a problem to the PIX in terms of an error
msg when I'm configuring it, but the traffic still fails to route. My
question is: What is the proper way to do this? All I need is a PAT
setup "many to one" type translation for this internal network. I will
attach a 'show config' for diagnostic purposes. Any insight would be
greatly appreciated - And I have been through the documentation
available on Cisco's site quite a few times, and while it's rather
informative I was unable to solve this problem with it. If anyone would
like more information from the device I would be glad to e-mail it to
you off-list or whatever. Thanks.  

--BEGIN 'show config'--

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password blahblbahblah encrypted
passwd blahblah encrypted
hostname pix
domain-name mydomain.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
ip address outside dhcp
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
conduit permit icmp any any 
route outside 0.0.0.0 0.0.0.0 204.210.27.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
telnet timeout 5
ssh timeout 5
terminal width 80

--END 'show config'--

--BEGIN 'show version'--

Compiled on Thu 17-May-01 20:05 by morlee
Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0050.54ff.2403, irq 10
1: ethernet1: address is 0050.54ff.2404, irq 7

Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Disabled
Maximum Interfaces:     6
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Throughput:     Unlimited
ISAKMP peers:   Unlimited

--END 'show version'--


Thanking you in advance,

Sean Lewis
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]