Question : Set up Cisco 1751 with ADSL WIC to work with PIX 506E
I have a Cisco 1751 router with an ADSL WIC card, an Ethernet WIC card and a built in FastEthernet port. I have a Cisco 506E PIX. I have Sprint DSL with 1 static IP. The way it stands now, the DSL line comes out of the wall into the ADSL port of the 837 router, out the 1st switch port of the router into the outside interface of the PIX. I have the public IP address from Sprint assigned to the outside interface of the PIX. I need to replace the Cisco 837 with the 1751 with an ATM ADSL WIC card. I only have one public IP to deal with so I wanted to know the best way to configure this. Currently the PIX is doing the NAT to the inside. I will include my configs for all three devices.
Cisco 837:
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ADSL
!
enable secret 5 $1$CD36$cPWoqEEwFKq3JNuCE79.L0
!
username CRWS_Bijoy privilege 15 password 7 134146563C5D020B6F2B793C06070306475B50010D0B06075C5B
clock timezone IND 5
no aaa new-model
ip subnet-zero
no ip routing
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 no ip address
 no ip route-cache
 bridge-group 1
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip route-cache
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
 !
 dsl operating-mode ansi-dmt
 bridge-group 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
ip http server
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
bridge 1 protocol ieee
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end
_______________________________________________________________________________________________
Cisco PIX 506E
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password v914w4bB4kaU0ypy encrypted
passwd OZk0LVfY42vMqD6A encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.4 Athlon
access-list PROTECT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
pager lines 24
logging on
logging timestamp
logging history warnings
icmp permit host 12.19.xxx.xxx outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 65.41.xxx.xxx 255.255.xxx.xxx
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pool 192.168.50.1-192.168.50.50
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.50.0 255.255.255.0 outside
pdm location Athlon 255.255.255.255 inside
pdm location 12.19.xxx.xxx 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 65.41.xxx.xxx 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
ntp authenticate
ntp server 192.5.41.41 source outside
ntp server 192.5.41.40 source outside prefer
http server enable
http 12.19.xxx.xxx 255.255.255.255 outside
http Athlon 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside Athlon /
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 20 set pfs group2
crypto dynamic-map map2 20 set transform-set ESP-AES-256-SHA
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address PROTECT
crypto map map1 10 set pfs group2
crypto map map1 10 set peer 68.84.xxx.xxx
crypto map map1 10 set transform-set ESP-AES-256-SHA
crypto map map1 20 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 68.84.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 20 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool pool
vpngroup vpn split-tunnel 102
vpngroup vpn pfs
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet Athlon 255.255.255.255 inside
telnet timeout 15
ssh 12.19.xxx.xxx 255.255.255.255 outside
ssh timeout 10
management-access inside
console timeout 30
dhcpd address 192.168.1.100-192.168.1.254 inside
dhcpd dns 4.2.2.2 4.2.2.3
dhcpd lease 21600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username xxxx password ZKvuR/E4cb5TutkE encrypted privilege 15
terminal width 80
banner exec Enter your password carefully
banner login Enter your password to log in
banner motd Authorized Access only
banner motd This system is the property of xxxx.
banner motd UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
banner motd You must have explicit permission to access this
banner motd device. All activities performed on this device
banner motd are logged. Any violations of access policy will result
banner motd in disciplinary action.
Cryptochecksum:545b85613216c8da12029f5fc856dc93
: end
_____________________________________________________________________________________________
Cisco 1751 Router (I know that this isn't even close to right. I have been trying so many different configs.)
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router1751
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$K6/V$WipJX7RZhMWEgB00lUsus/
enable password 7 094F461C170E0E44
!
username n9xrg password 7 0519030B3359435A48514F40585C5172
memory-size iomem 25
clock timezone IND -5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
aaa authentication login default local
aaa authentication login local_auth local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
no ip domain lookup
!
no ip bootp server
ip cef
!
interface ATM0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no atm ilmi-keepalive
 dsl operating-mode ansi-dmt
 bridge-group 1
 pvc 8/35
  encapsulation aal5snap
 !
!
interface FastEthernet0/0
 ip address 192.168.1.30 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 speed 100
 full-duplex
 no cdp enable
!
interface Ethernet1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 half-duplex
 no cdp enable
 bridge-group 1
 hold-queue 100 out
!
ip classless
no ip http server
!
logging trap debugging
logging facility local2
logging 192.168.1.4
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
no cdp run
bridge 1 protocol ieee
banner motd ^C
Authorized Access only
This system is the property of xxxx.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device.
All activities performed on this device are logged.
Any violations of access policy will result in disciplinary action.
^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
line aux 0
 password 7 08606C0D4D5C3B51
 login authentication local_auth
 transport output telnet
line vty 0 4
 password 7 074E010F0A4C2743
 login authentication local_auth
 transport input telnet
!
scheduler allocate 4000 1000
end
_____________________________________________________________________________________________
I thought that if I mirrored the config of the 837 to the 1751 on the ATM 0/0 and the Ethernet 1/0 port then I would be able to bring the traffic to the outside interface of the PIX. The way I had the 1751 set up is:
Sprint DSL line --> ATM 0/0 (of 1751) --> Ethernet 1/0 (of 1751) --> E 0 (outside interface of the PIX) --> E 1 (inside interface of the PIX) --> 2950 Catalyst switch
I have been told that the best way to configure it is to assign the ADSL WIC in the 1751 the public IP address. Question is what to do from there.
If you need any further information please ask. Any help would be greatly appreciated.
Answer : Set up Cisco 1751 with ADSL WIC to work with PIX 506E
Is the migrated configuration not working? (I don't immediately see any reason why it wouldn't.) I would do just as you have suggested, bridge the IP back to the PIX and let it take care of NAT. It is worth noting, however, that the IOS firewall is just about as good as the PIX in an environment such as yours -- that may require an IOS feature upgrade (can be very expensive), but then you wouldn't need the PIX at all. You *can* also NAT the full IP at the 1751 to the PIX and (optionally) NAT at the PIX using a private IP on the outside interface.
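The second option in the answer above (public IP on the 1751, PIX behind it on a private outside address), written out as an added example for the 1751; this is not configuration from the thread or from Cisco. PUBLIC_IP, PUBLIC_MASK and ISP_GATEWAY stand in for the Sprint-assigned values, and 192.168.254.0/30 is an assumed transit subnet between the router and the PIX.

```cisco
! Added example (not from the thread): the 1751 terminates the bridged PVC 8/35
! on BVI1, holds the single public IP, and PATs the PIX (now on a private
! transit /30) behind it. PUBLIC_IP / PUBLIC_MASK / ISP_GATEWAY are placeholders.
bridge irb
!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode ansi-dmt
 bridge-group 1
 pvc 8/35
  encapsulation aal5snap
!
interface BVI1
 description Public side: the IP for the RFC1483 bridged PVC lives here
 ip address PUBLIC_IP PUBLIC_MASK
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Ethernet1/0
 description Transit link to the PIX outside interface (192.168.254.2)
 ip address 192.168.254.1 255.255.255.252
 ip nat inside
 no ip redirects
 no ip proxy-arp
!
bridge 1 protocol ieee
bridge 1 route ip
ip route 0.0.0.0 0.0.0.0 ISP_GATEWAY
!
! Only the PIX outside address is translated; nothing else on the transit
! link gets a NAT entry, so the PIX stays the single path to the LAN.
access-list 10 permit host 192.168.254.2
ip nat inside source list 10 interface BVI1 overload
!
! Static port maps so the PIX's IPsec peers (IKE 500, NAT-T 4500; the posted
! PIX config already enables isakmp nat-traversal) and remote ssh management
! from 12.19.xxx.xxx still reach the PIX through the router's PAT. Raw ESP
! cannot be PATed, so every VPN peer must negotiate NAT-T.
ip nat inside source static udp 192.168.254.2 500 interface BVI1 500
ip nat inside source static udp 192.168.254.2 4500 interface BVI1 4500
ip nat inside source static tcp 192.168.254.2 22 interface BVI1 22
```

On the PIX side this design changes only the outside address and default route (`ip address outside 192.168.254.2 255.255.255.252` and `route outside 0.0.0.0 0.0.0.0 192.168.254.1 1`); the existing `global (outside) 1 interface` keeps the PIX doing its own NAT for the LAN. If you keep the pure-bridge design instead, note that the 837 config bridges IP only because it has `no ip routing`, which the posted 1751 config does not.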