PIX 506E Configuration Issue

I'm a PIX newbie and I'm having a problem with what should be a simple and common configuration.

The PIX sits between my DSL modem and the switch for my internal network. I have a single static, routable IP address (in addition to the gateway address) and my internal network uses private addresses (192.168.1.x).

I want to use PAT to translate my internal private addresses into the single public static IP address on the outside interface. I also have several servers on my internal network that I want to redirect to from the single public IP based on port as follows:

66.124.x.y:25 ->
66.124.x.y:53 ->
66.124.x.y:119 ->

DSL PIX Switch Internal Network

66.124.x.z 66.124.x.y

Here's part of my PIX config (I don't have it all here, so this is just the relevant parts):

nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 66.125.x.y
ip address inside
hostname firewall
nat (inside) 1 0 0
global (outside) 1 66.124.x.y
route outside 66.124.x.z
static (inside,outside) tcp 66.124.x.y smtp smtp netmask \\
    0 0
static (inside,outside) udp 66.124.x.y domain domain \\
    netmask 0 0
static (inside,outside) tcp 66.124.x.y 119 119 netmask \\

I've omitted the ACLs that permit the inbound mail, DNS, and NNTP traffic...

Here's my problem--the PIX 6.3 configuration manual says this of the syntax of the static command: "Replace global_ip with the outside (global) IP address. In general, this is the interface with the lower security level. This address *cannot* be a PAT IP address."

There lies the rub: if I only have a single static IP address, how can I use it as the translation address for outgoing PAT and the global IP address for the static command when the manual says it cannot be a PAT address? Am I doing something wrong, or is this a limitation of the PIX software?

Jerry Gardner


Mine (501) is like:

ip address outside A.B.C.D pppoe
ip address inside

(I'm running the PPPoE client on my pixie with:)

access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq https
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface www www netmask 0 0
static (inside,outside) tcp interface https https netmask 0 0
access-group outside_in in interface outside

Works fine. Getting the "default" route into mine (running 6.3.5) was amusing. I think the command I used was "route outside pppoe". Good ole' PIX OS reported some crap about OSPF MIB errors then promptly started routing packets.

I've found that paying "too much" attention to the documentation can be detrimental. Hope that helps.

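The restriction quoted from the manual in the question and the "interface" form used in the reply can be checked mechanically. The following Python check is an added example, not code from either poster or from Cisco: it flags static lines whose literal global address is also a single-address global (PAT) entry and shows the "interface" rewrite. The sample config and its addresses (192.0.2.x, 10.0.0.x) are constructed placeholders.

```python
import re

# Constructed sample in PIX 6.x syntax; the 192.0.2.x and 10.0.0.x addresses
# are placeholders (assumptions), not values from the thread.
SAMPLE = """\
global (outside) 1 192.0.2.10
nat (inside) 1 0 0
static (inside,outside) tcp 192.0.2.10 smtp 10.0.0.5 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 10.0.0.6 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.11 119 10.0.0.7 119 netmask 255.255.255.255 0 0
"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (?:(tcp|udp) )?(\S+)")

def pat_addresses(config):
    """Map interface name -> set of single addresses used by 'global' (PAT)."""
    pats = {}
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        # A range (a.b.c.d-a.b.c.e) is a NAT pool, not PAT, so skip it.
        if m and "-" not in m.group(3):
            pats.setdefault(m.group(1), set()).add(m.group(3))
    return pats

def conflicting_statics(config):
    """Return (line_no, line) for statics whose literal global_ip is a PAT address."""
    pats = pat_addresses(config)
    hits = []
    for no, line in enumerate(config.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mapped_if, global_ip = m.group(2), m.group(4)
        # The 'interface' keyword (as in the reply) is not a literal PAT address.
        if global_ip != "interface" and global_ip in pats.get(mapped_if, set()):
            hits.append((no, line.strip()))
    return hits

def suggest_fix(line):
    """Replace the static's literal global_ip with the 'interface' keyword."""
    m = STATIC_RE.match(line)
    return line[:m.start(4)] + "interface" + line[m.end(4):]

if __name__ == "__main__":
    for no, line in conflicting_statics(SAMPLE):
        print(f"line {no}: {line}\n  -> {suggest_fix(line)}")
```

The rewrite only applies when the PAT address is the outside interface's own address, which is the single-IP situation described in the question.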
