PIX 506E Configuration Issue

Discussion in 'Cisco' started by Jerry Gardner, Nov 19, 2005.

  1. I'm a PIX newbie and I'm having a problem with what should be a simple
    and common configuration.

    The PIX sits between my DSL modem and the switch for my internal
    network. I have a single static, routable IP address (in addition to
    the gateway address) and my internal network uses private addresses.

    I want to use PAT to translate my internal private addresses into the
    single public static IP address on the outside interface. I also have
    several servers on my internal network that I want to redirect to from
    the single public IP based on port as follows:

    66.124.x.y:25 ->
    66.124.x.y:53 ->
    66.124.x.y:119 ->

    DSL <---------------> PIX <-------------> Switch <-------> Internal Network
    66.124.x.z 66.124.x.y

    Here's part of my PIX config (I don't have it all here, so this is
    just the relevant parts):

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    ip address outside 66.125.x.y
    ip address inside
    hostname firewall
    nat (inside) 1 0 0
    global (outside) 1 66.124.x.y
    route outside 66.124.x.z
    static (inside,outside) tcp 66.124.x.y smtp smtp netmask \ 0 0
    static (inside,outside) udp 66.124.x.y domain domain \
    netmask 0 0
    static (inside,outside) tcp 66.124.x.y 119 119 netmask \

    I've omitted the ACLs that permit the inbound mail, DNS, and NNTP.

    Here's my problem--the PIX 6.3 configuration manual says this of the
    syntax of the static command: "Replace global_ip with the outside
    (global) IP address. In general, this is the interface with the lower
    security level. This address *cannot* be a PAT IP address."

    There lies the rub: if I only have a single static IP address, how can
    I use it as the translation address for outgoing PAT and the global IP
    address for the static command when the manual says it cannot be a PAT
    address? Am I doing something wrong, or is this a limitation of the
    PIX software?
    Jerry Gardner, Nov 19, 2005
  2. [snip]

    Mine (501) is like:

    ip address outside A.B.C.D pppoe
    ip address inside

    (I'm running the PPPoE client on my pixie with:)

    access-list outside_in permit tcp any interface outside eq www
    access-list outside_in permit tcp any interface outside eq https
    global (outside) 1 interface
    nat (inside) 1 0 0
    static (inside,outside) tcp interface www www netmask 0 0
    static (inside,outside) tcp interface https https netmask 0 0
    access-group outside_in in interface outside

    Works fine. Getting the "default" route into mine (running 6.3.5) was
    amusing. I think the command I used was "route outside
    pppoe". Good ole' PIX OS reported some crap about OSPF MIB errors then
    promptly started routing packets.

    I've found that paying "too much" attention to the documentation can be
    detrimental. Hope that helps.
    nntp.beanfield.com, Nov 20, 2005
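The two posts above boil down to a configuration check that can be scripted: a static port redirect whose global_ip is the same literal address as the PAT address in a global command is the case the manual forbids, while the interface keyword sidesteps it, and every redirect still needs an access-list permit before inbound traffic reaches the server. The lint below is an added example, not code from either poster or from Cisco; the sample config and its 192.168.1.x addresses are constructed in the style of the 501 config, the ACL parser assumes a single-token source such as any, and the port-name table covers only the services mentioned in the thread.

```python
import re

# Constructed sample in the style of the 501 config in the reply above; addresses are made up.
SAMPLE_CONFIG = """\
global (outside) 1 interface
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq https
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 119 192.168.1.20 119 netmask 255.255.255.255 0 0
"""

# Port names the PIX accepts for the services in the thread; names and numbers compare as numbers.
PORTS = {"smtp": "25", "domain": "53", "www": "80", "nntp": "119", "https": "443"}
GLOBAL_RE = re.compile(r"^global \((\w+)\) \d+ (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
# Assumes a single-token source ('any'); destination may be 'interface <if>', 'host <ip>' or '<ip> <mask>'.
ACL_RE = re.compile(r"^access-list \S+ permit (tcp|udp) \S+ (interface \S+|host \S+|\S+ \S+) eq (\S+)")


def port(p):
    return PORTS.get(p, p)


def lint(config):
    """Return findings for static redirects that reuse the PAT address or lack an inbound permit."""
    pat_addrs, permits, statics, findings = set(), set(), [], []
    for line in config.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            if "-" not in m.group(2):  # a single address (or 'interface') is PAT; a range is a NAT pool
                pat_addrs.add((m.group(1), m.group(2)))
        elif m := ACL_RE.match(line):
            dest = m.group(2).split()
            key = "interface" if dest[0] == "interface" else dest[1] if dest[0] == "host" else dest[0]
            permits.add((m.group(1), key, port(m.group(3))))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
    for _inside, outside, proto, gip, gport, _lip, _lport in statics:
        if gip != "interface" and (outside, gip) in pat_addrs:
            findings.append(f"{proto}/{gport}: global_ip {gip} is also the PAT address; use the 'interface' keyword")
        if (proto, gip, port(gport)) not in permits:
            findings.append(f"{proto}/{gport}: no access-list permits inbound {proto} to {gip} port {gport}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it reports only the NNTP redirect, which has a static but no matching permit; a config written the way the original post does it (a literal address in both global and static) is flagged for the PAT collision instead.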
