PIX to 877 router, static NAT

Hi, I have a PIX (masquerading on its external interface, 10.0.0.1) connected to an 877 DSL router (10.0.0.2) whose address is obtained by the dialer interface.

As the PIX is doing the connection sharing via PAT for all the internal users, I would like the PIX to be the firewall rather than the 877 router. Is it possible to have the 877 simply NAT the address of the PIX, 10.0.0.1, to its external DHCP-obtained IP address, and vice versa? This would allow me to configure the PIX for port forwarding onto the DMZ etc.

Any pointers on configurations much appreciated.

Thanks,

Chris

Reply to
g18c

Hi,

What I understood is the following:

Internet ----------- Router 877 ----------- PIX ----------- DMZ and LAN
                 Dynamic IP   10.0.0.2   10.0.0.1        Internal IP scheme

It's not possible. The PIX can't just forward all the traffic coming to inside for the outside interface, but what it can do is forward internal traffic to the external interface and the next hop to communicate with other devices, but it will change the header field with PAT, and vice versa.

CK

snipped-for-privacy@hotmail.com wrote:

Reply to
CK

Thanks for the reply, this is more of an 877 router issue actually, I wish to forward all packets with a single address translation from the public IP to the IP of the PIX's external interface, 10.0.0.1. I have seen on other routers you can nominate a default/DMZ host whereby all packets without any PAT entries will be forwarded to a particular host. Is this possible on the 877? It certainly is on cheaper routers.

Thanks

Reply to
g18c

Yes, it's possible. You have to define the default next hop for all incoming traffic from the public IP.

1) Map inside IP to 10.0.0 series (virtual IP)

2) Create ACL:

   Acl out_in permit host public ip host virtual ip eq service name/port number
   Access group out_in out interface outside

3) Router needs to forward 10.0.0.1 subnet to ISP.

CK

snipped-for-privacy@hotmail.com wrote:

Reply to
CK

try "ip nat inside source static 10.0.0.2 interface dialer 0"

or use the 877 as a bridge and let the PIX use PPPoE. In the second case the 877 is underused and you could get a low-cost modem with an Ethernet port instead of a more expensive 877.

HTH Alex.

Reply to
AM
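The following 877 configuration is an added illustration of the static-NAT approach suggested above; it is not a config posted in this thread. It uses 10.0.0.1 (the PIX outside address from the original question) as the inside local address, and the PVC 8/35, the PPPoE encapsulation and the CHAP credentials are constructed placeholders that must be replaced with the ISP's values.

```cisco
! Added example, not from the thread: Cisco 877 mapping its dynamic Dialer0
! address one-to-one onto the PIX outside interface (10.0.0.1), so the PIX
! remains the only firewall and does its own PAT / port forwarding to the DMZ.
!
interface ATM0
 no ip address
 dsl operating-mode auto
!
! Assumed PVC and PPPoE client (constructed values; use the ISP's VPI/VCI)
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
! Inside leg towards the PIX outside interface
interface Vlan1
 description Link to PIX outside (10.0.0.1)
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
!
! Outside leg: the public address is negotiated over PPPoE, MTU 1492
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ! Placeholders: replace with the ISP login
 ppp chap hostname ISP-USERNAME
 ppp chap password ISP-PASSWORD
!
dialer-list 1 protocol ip permit
!
! The one-line answer from the thread, with the PIX outside address as the
! inside local host: every packet arriving on the Dialer0 address is
! translated to 10.0.0.1 and every packet from 10.0.0.1 leaves with the
! Dialer0 address. No PAT pool is needed on the router; the PIX does that.
ip nat inside source static 10.0.0.1 interface Dialer0
!
ip route 0.0.0.0 0.0.0.0 Dialer0
```

Two points worth checking after applying this. Because the whole public address is mapped, the router itself is no longer reachable on the Dialer0 address (inbound traffic is translated before the router looks at it), so manage it from 10.0.0.2 on the inside. And since the router now applies no filtering of its own, anything the PIX does not explicitly translate or permit with a static and an access-list is dropped by the PIX, which is the behaviour the original question wanted; `show ip nat translations` on the 877 should show only the single static entry plus the dynamic ones the PIX's traffic creates.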

Many thanks, I did just that and it works perfectly :)


I am interested in using the PPPoE mode, I have done this with Linux and a Linksys modem before. As I'm new to Cisco (as you've guessed!) I would appreciate any guidance to set up the 877 to do PPPoE bridging (I won't have any other use for the 877 anyway, I dunno why the guy bought all this expensive equipment in the first place as a lot of it is redundant or over-specced for our network!).

Cheers,

Chris

Reply to
g18c

I've done that with a NetBSD and Linksys modem and the solution didn't work too well:

1.) The LinkSys modem didn't report the proper MTU to the ISP's router. As a result the ISP's router used an MTU of 1500 bytes on the PPPoA connection while the NetBSD box used 1492 on the PPPoE connection. That caused various problems.

2.) The LinkSys didn't recover from DSL failures several times. I had to power cycle it to get the DSL working again afterwards.

I'm only using an 877W for a few weeks, but on the one occasion when the DSL failed it got the line working again automatically after the fault was fixed.

What I don't understand is why you need the PIX. The Cisco 877 supports packet filtering and inspection, NAT, VPN tunnels, traffic policies and similar features. So I would rather try to get rid of the PIX.

Kind regards

Reply to
Matthias Scheler

If you want to throw away the PIX, I'm here!!! :-) I'm joking.

Anyway, I haven't done it before but AFAIK you should create a bridge group and put both the dialer and VLAN1 interface on that interface. Move onwards that direction.

HTH Alex

Reply to
AM
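As an added example of the bridging alternative discussed in this thread (not a config posted by anyone here), this is the usual way to run an 877 as a transparent PPPoE bridge so the PIX terminates the PPPoE session itself. It assumes the bridge group is applied to the ATM PVC sub-interface (which is where the PPPoE frames arrive) together with Vlan1, and that PVC 8/35 is a constructed placeholder for the ISP's VPI/VCI.

```cisco
! Added example, not from the thread: Cisco 877 as a PPPoE bridge.
! PPPoE frames from the PIX on Vlan1 are bridged unchanged onto the DSL PVC;
! the router does no NAT, routing or filtering for the WAN traffic.
!
bridge irb
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
! Assumed PVC (constructed value); RFC 1483 bridged encapsulation
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5snap
 bridge-group 1
!
! LAN side facing the PIX outside interface; no IP address, pure bridging
interface Vlan1
 no ip address
 bridge-group 1
!
! Optional management address on the bridge-group virtual interface so the
! router can still be reached from the inside (assumed 10.0.0.2 as before)
interface BVI1
 ip address 10.0.0.2 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip
```

With this in place the PIX outside interface needs its own PPPoE client (on PIX 6.x, a `vpdn group ... request dialout pppoe` with the ISP username, and `ip address outside pppoe setroute`) and an outside MTU of 1492, which addresses the MTU mismatch described earlier in the thread. Verification is `show bridge 1` on the 877, which should list the PIX outside MAC on Vlan1 and the ISP's PPPoE access concentrator MAC on ATM0.1 once the session is up.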
