I'm a PIX newbie and I'm having a problem with what should be a simple and common configuration.
The PIX sits between my DSL modem and the switch for my internal network. I have a single static, routable IP address (in addition to the gateway address) and my internal network uses private addresses (192.168.1.x).
I want to use PAT to translate my internal private addresses into the single public static IP address on the outside interface. I also have several servers on my internal network that I want to redirect to from the single public IP based on port as follows:66.124.x.y:25 -> 192.168.1.2:25 66.124.x.y:53 -> 192.168.1.2:53 66.124.x.y:119 -> 192.168.1.7:119
DSL PIX Switch Internal Network66.124.x.z 66.124.x.y 192.168.1.1 192.168.1.2-10
Here's part of my PIX config (I don't have it all here, so this is just the relevant parts):
nameif ethernet0 outside security0 nameif ethernet1 inside security100 ip address outside 66.125.x.y 255.255.255.248 ip address inside 192.168.1.1 255.255.255.255 hostname firewall nat (inside) 1 0 0 global (outside) 1 66.124.x.y route outside 0.0.0.0 0.0.0.0 66.124.x.z static (inside,outside) tcp 66.124.x.y smtp 192.168.1.2 smtp netmask \\255.255.255.0 0 0 static (inside,outside) udp 66.124.x.y domain 192.168.1.2 domain \\ netmask 255.255.255.0 0 0 static (inside,outside) tcp 66.124.x.y 119 192.168.1.7 119 netmask \\ 255.255.255.0
I've omitted the ACLs that permit the inbound mail, DNS, and NNTP traffic...
Here's my problem--the PIX 6.3 configuration manual says this of the syntax of the static command: "Replace global_ip with the outside (global) IP address. In general, this is the interface with the lower security level. This address *cannot* be a PAT IP address."
There lies the rub: if I only have a single static IP address, how can I use it as the translation address for outgoing PAT and the global IP address for the static command when the manual says it cannot be a PAT address? Am I doing something wrong, or is this a limitation of the PIX software?