I have a Cisco PIX 515e (running FOS 8.x).
Until yesterday we had a T1 through AT&T. It was horrible beyond belief, and expensive, so we finally got rid of it. With the T1 they gave us a network of public IPs and we just set them up on the PIX and NATted using the default external interface IP (at one point we had a DMZ and a few servers; we've moved them all out of the office now).
Now we have a Comcast cable modem/router. You can turn off DHCP, but you can't turn off NAT. By default it uses 10.1.10.0/24, with it being .1.
I set the external interface on the PIX to 10.1.10.2, and set 10.1.10.2 as the "DMZ" IP in the Comcast router (which should bypass the firewall and send everything to the PIX). I also updated the route on the PIX to use 10.1.10.1 as the default gateway on the external interface - this is the only route I have set.
No traffic will pass through the PIX. The PIX can ping 10.1.10.1, and the internal network can ping the PIX. The PIX is logging something along the lines of:
"Through-the-device packet to/from management-only network is denied"
Can the PIX not NAT a private IP block? I wonder because I've seen other devices that required some hidden configuration to tell them that it was OK to NAT it. I guess to test I could pick some tiny little public /30, but this is a live environment so I don't want to screw around too much.
Obviously the config would be helpful, and will be posted tomorrow morning when I get in to the office.
The other thought would be to just let the Comcast router handle the NAT (make it the default GW) and set a static route on the PIX (give it some other address on the local LAN) for VPN traffic - the PIX does a site-to-site VPN to our datacenter, which is why I need to keep it in the picture. An extra hop for VPN traffic, but that doesn't bother me.
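For reference, this is what the outside-interface, default-route and overload-NAT setup described in the post looks like in pre-8.3 PIX/ASA syntax. It is an added illustration, not the poster's configuration (which had not been posted yet): the interface names and the inside subnet 192.168.1.0/24 are assumptions. On PIX/ASA 7.x and later, the logged "Through-the-device packet to/from management-only network is denied" message is what the device emits for transit traffic on an interface carrying the `management-only` command, so that line must not be present on the outside interface.

```cisco
! Outside interface on the Comcast router's 10.1.10.0/24 LAN (values from the post)
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.1.10.2 255.255.255.0
 ! NOTE: no "management-only" here - with it set, the PIX drops all transit
 ! traffic on this interface and logs the "management-only network is denied" message
!
! Inside interface - 192.168.1.0/24 is an assumed placeholder for the office LAN
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Single default route toward the Comcast router (the only route the post mentions)
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
!
! Overload the assumed inside subnet onto the outside interface address (10.1.10.2).
! The outside address being RFC 1918 space makes no difference to the NAT engine.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
```

To confirm the check on a live box: `show running-config interface Ethernet0` should show no `management-only` line, and `show xlate` should start populating once inside hosts send traffic.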