
Bridging a Cisco router with a PIX 1

JUDGExKTF (Programmer, joined Mar 31, 2005, 6 messages, location NL)

Hi everyone,

I was hoping you guys would be kind enough to help me out with a little dilemma I am having. I used to have a PIX which was connected to an internet line without a modem. Perfect in my opinion, since a PIX is a border device.

So this was the situation:

Internet
|
PIX-----DMZ
|
Inside

Due to some events (poor service provided by the internet provider of the building) we had to switch to a different internet provider. The internet provider gave us a Cisco router with SDSL modem.

The setup would become something like this. I really like to keep the PIX for NATting and VPN, since I haven't had any problems with it and it does its job well (and in my opinion this is what a PIX should be used for: let the PIX do the NATting and the VPN, and the router the routing).

Internet
|
|
Router
|
|
PIX-----DMZ
|
|
Inside

The easiest way to achieve this would be to create a double NAT (PIX NAT and router NAT), but in my opinion this would also be the ugliest way. What I really want is for the PIX to have the IP of the outside interface of the router (a layer 2 bridge), so the router does the dialing in etc. (Since my provider doesn't use PPPoE, I can't use the PIX's PPPoE dialer.)

If anybody has another idea than a bridge, I'm of course also open to it :)

Thanks in advance.
 
Do you have a single static IP, a static IP block, or dynamically assigned IP addresses from the ISP?
 
Hi,

Thanks for your reply.

I have a single static IP, which I want to bridge to the PIX (I think that's the best thing to do in this situation).
 
Any chance you got a copy of the ISP router config???
 
This is a typical router setup for my ISP with NAT and DHCP:

Code:
!
version 12.2
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname <<hostname>>
!
enable secret >>>>(B1)<<<< ISP specific
!
ip subnet-zero
no ip domain-lookup
ip dhcp excluded-address >>>>(C1)<<<< From end user
!
ip dhcp pool bbned
   network >>>>(C2)<<<< >>>>(C3)<<<< From end user
   default-router >>>>(C1)<<<< From end user 
   dns-server >>>>(B2)<<<< From ISP 
!
!
!
!
interface Ethernet0
 ip address >>>>(C1)<<<< >>>>(C3)<<<< From end user 
 no shutdown
 no ip proxy-arp
 ip nat inside
!
interface ATM0
 no ip address
 no shutdown
 no atm ilmi-keepalive
 pvc 0 0/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO

!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no peer default ip address
 ppp authentication pap callin
 ppp pap sent-username >>>>(C4)<<<< password >>>>>(C5)<<<<<
!
ip nat inside source list 101 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
no ip http server
!
access-list 101 permit ip >>>>(C1N)<<<< >>>>(C3I)<<<< any
dialer-list 1 protocol ip permit
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password >>>>(B1)<<<<
 login
!
scheduler max-task-time 5000
end
 
What I would do is call the ISP and tell them you want the CPE equipment to be set up in bridge mode only, with no NAT or DHCP. That way you can leave the static IP on the PIX and not have to change anything else.
 
You could also purchase a static 8 block, turn off NAT and DHCP on the router, put the 1st usable IP on the router and the 2nd usable on the PIX. This would also give you additional addresses for expansion later on.
 
Hmm, that would be a possibility, but I want to see how far I can get with the equipment I got from them.

After some searching I also found a no-NAT, no-DHCP setup for the router. With this setup E0 of the router gets the WAN address (public IP). Any thoughts on how to bridge E0 of the router with the PIX with this setup?

Code:
!
version 12.2
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SOHO78
!
enable secret >>>>(B1)<<<< ISP specific
!
ip subnet-zero
no ip domain-lookup
!
!
interface Ethernet0
 no shutdown
 ip address >>>>(C1)<<<< >>>>(C3)<<<< From ISP
 no ip route-cache
 no keepalive
!
interface ATM0
 no shutdown
 no ip address
 no ip route-cache
 no atm ilmi-keepalive
 pvc 0 0/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
!
interface Dialer0
 ip unnumbered Ethernet0
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username >>>>(C4)<<<< password >>>>>(C5)<<<<<
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
no ip http server
!
dialer-list 1 protocol ip permit
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password >>>>(B1)<<<<
 login
!
scheduler max-task-time 5000
end

>>>>(B1)<<<<  Password used for access to CPE. Valid for telnet, console and enable. Supplied by ISP in interconnect form
>>>>(B2)<<<<  IP address of DNS server (DHCP only) Supplied by ISP in interconnection form

>>>>(C1)<<<<  IP address of ethernet port of CPE: supplied by the ISP it is the first valid IP address of the supplied routed subnet 
>>>>(C2)<<<<  Network address for DHCP server (usually network address of C1)
>>>>(C3)<<<<  Subnet mask for Ethernet port of CPE and range for DHCP server. Supplied by ISP
>>>>(C4)<<<<  PPP username supplied by end user (from letter of ISP)
>>>>(C5)<<<<  PPP password supplied by end user (from letter of ISP)
 
With only one routable IP address you need that on the PIX, so basically the router needs to be turned into nothing more than a DSL modem. Have you discussed this with your ISP?
 
Yes, I've talked to them about it, but they are nothing more than sheep ;-). They only supply this modem/router and refer me to Cisco if I want something else; they can't tell me anything about bridging either :-(. So that's why I want to see how far I can get with the current equipment.

Would it be possible to accomplish the bridge with the "no ip routing" command on the modem/router? And then to use the bridge-group command to bridge the ATM0 and E0 interfaces?
 
Okay... found this, and this is what I was thinking of. I don't know if this will work with your ISP, but basically it will dumb down the router to function as a modem. Just need to figure out where and how to place the PPP authentication. This way you can have the static routable IP address on the PIX. Does your PIX support any VPN site-to-site or VPN client connections? If this does not work, I still think getting a static IP 8 block is the best way to go.

Code:
no ip routing
!
interface ethernet0
 no shut
 no ip directed-broadcast
 bridge-group 1
!
interface atm0
 no shut
 no ip address
 no ip directed-broadcast
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
  !--- "encapsulation aal5mux" on its own is not a complete IOS command
  !--- (it needs a protocol, e.g. "aal5mux ppp dialer"); bridged RFC 1483
  !--- traffic is normally carried with aal5snap.
  !--- Common PVC values supported by ISPs are 0/35 or 8/35.
  !--- Confirm your PVC values with your ISP.
 !
 bridge-group 1
!
bridge 1 protocol ieee
!
end
 
I fooled around a little with the bridging mode of the router and the VPN client of the PIX. I got it to work, but it's ugly.

I think I'll go with the static IP block solution. Giving all the servers a unique external IP is a better idea anyway.

Thank you for your help/time, Joamon!
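The static-block solution the thread settles on, written out as an added example (it is not a config from this thread, the ISP, or Cisco): the router keeps the no-NAT, no-DHCP setup shown above with the first usable address of the block, and the PIX takes the second and publishes each DMZ server on its own public address. The /29 203.0.113.0 (a documentation range), the private inside/DMZ networks, the interface names and the PIX 6.x syntax are all assumptions.

```cisco
!--- Router (ISP CPE): no "ip nat", no "ip dhcp pool". Only the lines that
!--- differ from the no-NAT template in this thread are shown.
interface Ethernet0
 ip address 203.0.113.1 255.255.255.248
 no ip proxy-arp
!
interface Dialer0
 ip unnumbered Ethernet0
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!--- The ISP must route 203.0.113.0/29 towards the PPP session for this
!--- to work; that is what "routed subnet" in the placeholder legend means.

!--- PIX (6.x syntax): second usable address outside, router E0 as gateway.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
!--- Inside clients share the PIX outside address (PAT) when going out.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
!--- Inside reaches the DMZ without translation.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
!
!--- One public address per DMZ server (.3 and .4 of the block).
static (dmz,outside) 203.0.113.3 192.168.2.10 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.4 192.168.2.11 netmask 255.255.255.255 0 0
!
!--- Only the published services are reachable from the Internet; everything
!--- else to the block is dropped by the implicit deny at the end of the list.
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-list outside_in permit tcp any host 203.0.113.3 eq https
access-list outside_in permit tcp any host 203.0.113.4 eq smtp
access-group outside_in in interface outside
```

Check the result with "show xlate" and "show conn" on the PIX after the first outbound connection, and "show ip route" on the router to confirm the default points at Dialer0.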
 