Suggested prerequisite reading: »Cisco Forum FAQ »Things to expect when setup network for home or small business

For many cable and DSL internet connections, the ISP instructs its customers (subscribers) to set their router to receive an IP address automatically using a username and password. This means the ISP treats the subscriber's router as a PPP client. When this is your case, the following sample configuration is a good starting point for configuring the firewall.

A typical network environment that might use the following sample PIX/ASA configuration looks like this:

* There is a modem in front of the PIX/ASA; the modem connects to the ISP
* The ISP provides a Public IP address to the PIX/ASA via PPPoE
* NAT/PAT is in place on the PIX/ASA to translate internal IP addresses to the ISP-provided Public IP address
* The PIX/ASA also acts as DHCP server for the local LAN, providing dynamic IP information to the hosts behind the PIX/ASA

This sample PIX/ASA configuration assumes the following:

* Internal private IP subnet (for hosts behind the PIX/ASA): 10.0.0.0/24
* The gateway for all hosts is the PIX/ASA inside interface IP address: 10.0.0.1
* The IP address range 10.0.0.30-10.0.0.254 is available to DHCP pool clients
* Consequently, the IP address range 10.0.0.2-10.0.0.29 is reserved for statically-assigned hosts
* DHCP clients also receive the DNS IP addresses 68.87.64.196 and 68.87.66.196 automatically as part of the dynamic IP address assignment
* When hosts behind the PIX/ASA go out to the Internet, they use the PIX/ASA outside interface IP address (which is the ISP-assigned Public IP address)
* Necessary ICMP packets coming from the Internet are permitted to enter your LAN

SAMPLE CONFIGURATION

1. PIX OS Version 6.3
2. PIX/ASA OS version 7.x to 8.2
3. OS Version 8.3 or later

MTU Setting Notes:

* A typical Ethernet connection uses a 1500-byte MTU
* PPPoE adds 8 bytes of overhead, so only a 1492-byte MTU is left for data
* The PPPoE process takes place on the outside interface, where the PIX/ASA connects to the ISP
* The inside interface, where the PIX/ASA connects to the inside LAN, is a regular Ethernet connection
* The 1492-byte MTU should apply only to the outside interface; keep the 1500-byte MTU on the inside interface

Field Notices:

* A PIX 501 firewall running version 6.3 refuses to accept the "ip address ... pppoe" command if the outside interface has been named anything other than "outside" (e.g. "ext"). To execute this command, rename the interface to "outside" (with the "nameif" command) and then issue the "ip address outside pppoe" command.

by aryoba
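As an added worked example (not the FAQ's own sample configuration), the following ASA 8.3-or-later configuration puts the assumptions and MTU notes above into commands: a PPPoE client on the outside interface, PAT to the ISP-assigned address, a DHCP server for 10.0.0.30-10.0.0.254 with the two DNS servers, a 1492-byte MTU on outside only, and stateful ICMP inspection so that replies to inside-originated pings get back in without opening ICMP from the Internet wholesale. The interface names Ethernet0/0 and Ethernet0/1, the vpdn group name "ISP", PAP authentication, and the USER@ISP-PLACEHOLDER and ISP-PASSWORD-PLACEHOLDER values are assumptions; substitute your platform's interface names and the credentials your ISP issued.

```cisco
! Added example, not the FAQ's own sample configuration.
! Assumed: Ethernet0/0 faces the modem, Ethernet0/1 faces the LAN,
! ISP wants PAP; credentials below are placeholders, replace them.
!
! --- PPPoE client credentials (vpdn group name "ISP" is an assumption) ---
vpdn group ISP request dialout pppoe
vpdn group ISP localname USER@ISP-PLACEHOLDER
vpdn group ISP ppp authentication pap
vpdn username USER@ISP-PLACEHOLDER password ISP-PASSWORD-PLACEHOLDER
!
! --- Outside interface: address and default route come from the ISP over PPPoE ---
interface Ethernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group ISP
 ip address pppoe setroute
!
! --- Inside interface: the LAN hosts' gateway, 10.0.0.1/24 ---
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! --- MTU: 8 bytes of PPPoE overhead on outside only; inside stays at 1500 ---
mtu outside 1492
mtu inside 1500
!
! --- PAT: every inside host leaves using the outside interface's ISP address ---
object network INSIDE-LAN
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- DHCP server: .30-.254 for clients, .2-.29 left free for static hosts ---
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196
dhcpd enable inside
!
! --- ICMP: stateful inspection admits only replies (and related errors) to
! pings and traceroutes that inside hosts started ---
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```

After applying it, "show vpdn session pppoe" confirms the PPPoE session is up and which address the ISP handed out, and "show dhcpd binding" lists the LAN clients that took leases from the pool. The ICMP part is the least-privilege way to meet the "necessary ICMP" assumption: instead of an inbound access-list permitting ICMP from any source, only ICMP that matches an existing outbound request is allowed back through.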