Pages

Thursday, 25 August 2016

The ethernet has landed!

Today I got an email telling me that it was all connected up. So I connected the Pix to the outside line, and set about configuring it.

There's a bit of a trick to it, of course.  TalkTalk gave me a WAN IP (A), a Wan subnet mask (B) and a default gateway (C), and I had to work out where these went on the Pix. I tried a few different things, then gave up and called TalkTalk tech support. They didn't know anything about Pixes, but I got them to tell me how to set this up if I had a Windows box connected to their ethernet service, and I just translated Windows-speak to pix-lingo. Here's how.

The Wan IP and subnet mask goes to the Ethernet0 interface, which I call "outside".
The Default Gateway is set up under "Routing" and "Static Routes"

So you log in to the pix, using:

ssh pix525 -c des -1 -lpix  and give the login password (I call my pix "pix525").
enable                              and give the enable password
conf term                   to tell it you're about to change the configuration via the terminal

First the interface to the outside world, which I call "outside":

 interface Ethernet0
 description Gateway
 nameif outside
 security-level 0
 ip address A B

Then set the routing with:

route outside 0.0.0.0 0.0.0.0 C 1   where C is the address I got from TalkTalk




And then I can ping 8.8.8.8, which is Google. And I set up a DNS, so I can also ping google.com

When I look at the Pix logs, I see tons and tons of attempts to connect, all denied by the rules I've set up on the Pix. So the Pix is connected to the outside world, and is doing its job of blocking incoming connections that I don't allow.

By the way, if you're setting up a Pix, use the ASDM gui configuration tool, it's a *lot* easier than writing the command line stuff. I have a Pix with this, and one without, so I do the setup on the one with, output the configufation using "show conf", and use that to set up the one without ASDM.

Now I have to start connecting computers to the pix, and check that access works when it should, and is blocked when it shouldn't.

No comments:

Post a comment