Static IP addresses on PIX 501

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
drepouille
Senior Member
Posts: 1230
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE
Contact:

Static IP addresses on PIX 501

Postby drepouille » Sun Jan 20, 2013 5:23 pm

Our stake still uses Cisco PIX 501 firewalls in four meetinghouses. One of the units constantly complains about their Internet going down, and IP conflicts popping up. They have DSL service through Windstream. I ran speedtest.lds.org there today, and got close to 1 MB download speed, and 300K upload speed.

They have three wired computers and one wired printer. The printer had been set to use a static xxx.xxx.xxx.10 IP address when it was installed a year ago. The three wired computers were typically issued dynamic IP addresses of 14, 15, and 16.

I have no idea which static IP addresses can be used by computers on a PIX 501, and I doubt the weekend crew on the Global Service Desk knows either.

Today, I changed all four devices to use the following static IP addresses:
xxx.xxx.xxx.3 = FHC printer
xxx.xxx.xxx.4 = FHC Dell Optiplex 780
xxx.xxx.xxx.11 = FHC hp 7600
xxx.xxx.xxx.10 = Clerk's Dell Opltiplex 740

Some low-numbered IP addresses appeared to be in use by something -- maybe some FM equipment? The PIX used the gateway address of xxx.xxx.xxx.1, and the subnet mask was 255.255.255.192 for all devices. I found xxx.xxx.xxx.2 and xxx.xxx.xxx.8 to be in use by something.

The IP addresses xxx.xxx.xxx.5, 6, 7 and 9 would work for local access only -- no Internet access. I tried playing around with the DNS address, which originally was 192.168.254.254 for all devices. I changed the DNS to 8.8.8.8 and 8.8.4.4, but that didn't help these IP addresses, so I assume they are reserved for printers.

I hope I didn't do anything wrong by assigning xxx.xxx.xxx.4 to the Dell Optiplex 780 computer. It seems to work quite well at that address. I also hope that this unit doesn't complain about IP conflicts again. By the way, the FM is planning to replace the PIX sometime this year.
Dana Repouille, Plattsmouth, Nebraska

User avatar
aebrown
Community Administrator
Posts: 14693
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Re: Static IP addresses on PIX 501

Postby aebrown » Sun Jan 20, 2013 5:30 pm

It sounds rather risky to assign static IP addresses to devices when you don't have any idea what other devices might be using those addresses. You should never use any static IP addresses unless:
  • You are clear on what portion of the IP range for the subnet is devoted to static IP addresses; and
  • You have a clear list of exactly which static IP address is assigned to each device
Otherwise you're just asking for trouble; you might not have the trouble right away -- it might not show up until the other device whose IP address you just assigned tries to do something.

Any network tech at the GSC should be able to tell you the range assigned on the PIX 501 for static IP addresses; that's pretty simple for anyone with access to the device.

drepouille
Senior Member
Posts: 1230
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE
Contact:

Re: Static IP addresses on PIX 501

Postby drepouille » Sun Jan 20, 2013 5:39 pm

aebrown wrote:Any network tech at the GSC should be able to tell you the range assigned on the PIX 501 for static IP addresses; that's pretty simple for anyone with access to the device.


I agree, but past calls to the Global Service Center have produced shrugs and requests that I immediately replace my ASA or PIX with a 881W. This is especially true for the weekend crew. When I wanted to use static IP addresses on the ASA 5505 at the stake center, I called on a weeknight in hopes to get a more experienced tech. He didn't know much about the ASA, but he was able to increase the pool of static IP addresses for me without incurring additional expense. I think he admitted that the PIX would be beyond his scope of knowledge.

When I was in the attic today (the access stairway is in the ceiling of the Primary room), I noticed one cable connecting the PIX to a patch panel port labeled "Sprinkler". I thought that was odd.

If that ward calls me with a complaint, I can talk them through resetting to Dynamic IP addresses.
Dana Repouille, Plattsmouth, Nebraska

User avatar
johnshaw
Senior Member
Posts: 1839
Joined: Fri Jan 19, 2007 1:55 pm
Location: Syracuse, UT

Re: Static IP addresses on PIX 501

Postby johnshaw » Sun Jan 20, 2013 7:14 pm

Dana,

In my older PIX or ASA implementations that have a 255.255.255.192 mask and the Default Gateway as the .1 The Static Range is setup with 8 total addresses, .2 - .9 -- The Dynamic Range is setup with .10 - .50

I would assign all static address in the .2 to .9 ranges - with an older PIX you might have a wireless access point in there and if you have a newer water sprinkling system - our area/region FM loves these things lately it might have a static assigned as well.

Pinging the address in succession, .2 through .9 will give you the addresses that are already existing... arp -a will give you the mac addresses if you're interested.
“A long habit of not thinking a thing wrong, gives it a superficial appearance of being right, and raises at first a formidable outcry in defense of custom.”
― Thomas Paine, Common Sense

drepouille
Senior Member
Posts: 1230
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE
Contact:

Re: Static IP addresses on PIX 501

Postby drepouille » Sun Jan 20, 2013 7:29 pm

I forgot about ping. I use it all the time on my UNIX systems at work.

There is one WAP, probably a 1401n installed during the remodel a year ago. I wonder if that was affected by the wireless glitch a few weeks ago.

I tried to use .2 through .9, but only .3 and .4 worked. The others were either taken or would not allow the PC to access the Internet. The printer had been using .10 for the past year, but I changed it to .3 (and verified by printing test pages from both PCs in the FHC). I am taking chances assigning .10 and .11 to PCs, hoping those could be used as static IPs.

The FM knows that I want him to replace all the PIX 501s this year. They have to be replaced before the ASA 5505s are replaced.
Dana Repouille, Plattsmouth, Nebraska

User avatar
aebrown
Community Administrator
Posts: 14693
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Re: Static IP addresses on PIX 501

Postby aebrown » Sun Jan 20, 2013 7:54 pm

JohnShaw wrote:In my older PIX or ASA implementations that have a 255.255.255.192 mask and the Default Gateway as the .1 The Static Range is setup with 8 total addresses, .2 - .9 -- The Dynamic Range is setup with .10 - .50

Our PIX was set up differently from that, so although that might match your setup, it might not.

russellhltn
Community Administrator
Posts: 20767
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Static IP addresses on PIX 501

Postby russellhltn » Sun Jan 20, 2013 8:01 pm

Not everything responds to ping.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

lajackson
Community Moderators
Posts: 6144
Joined: Mon Mar 17, 2008 9:27 pm
Location: US

Re: Static IP addresses on PIX 501

Postby lajackson » Sun Jan 20, 2013 9:04 pm

drepouille wrote:I noticed one cable connecting the PIX to a patch panel port labeled "Sprinkler". I thought that was odd.

Our FM group has fixed IP addresses on the network to use for things just such as that. If their lawn does not get watered the next time it should . . .

I think you really might want to coordinate and see what FM has set up for their monitoring of building and grounds systems.

drepouille
Senior Member
Posts: 1230
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE
Contact:

Re: Static IP addresses on PIX 501

Postby drepouille » Sun Jan 20, 2013 9:27 pm

lajackson wrote:I think you really might want to coordinate and see what FM has set up for their monitoring of building and grounds systems.


Working on it. We are pretty good friends, after all. I'm just not sure if the FM has a working knowledge of what "static IP" means. I addressed him, his office assistant, and the FM tech who used to be our stake clerk.
Dana Repouille, Plattsmouth, Nebraska

russellhltn
Community Administrator
Posts: 20767
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Static IP addresses on PIX 501

Postby russellhltn » Sun Jan 20, 2013 9:31 pm

My understanding is that with the 881, they have their own network using a dedicated port on the 881. I'm not sure if the 501 can do that. If not, then that's just more incentive for them to upgrade sooner then later.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.


Return to “Meetinghouse Internet”

Who is online

Users browsing this forum: No registered users and 1 guest