Using a PIX, a Router with only one non-static IP address..

Posted on 2002-07-22
Medium Priority
Last Modified: 2010-04-17
Hi Guys,

I basically want to use my PIX 515 so I don't have to run Zone Alarm, et al. on each PC -- I've asked a few questions before, but I'm looking for a bit of advice as to the best way to set this up...

Here's the gear:
ADSL Single IP address (non-static)
Asus Router
Pix 515 F/W
Ethernet hub
3 PCs.


Here's the idea: (IP's changed to protect the innocent)

IP address is assigned by ISP, to the Asus router (

Asus router is then using NAT, and has an internal IP address,  PIX outside IP is set to

(Theory: This means that the PIX can ping from via and out to and beyond.. ?)

The PIX inside IP - and runs NAT/DHCP to offer the client PCs an IP address in that range.


So, PC1 goes through the PIX, which in turn goes through the Asus router and gets internet..

Question: Is this the best way of setting this up ? -- As I mentioned before, all I want is to be able to have the hardware f/w instead of running individual software firewalls.

Question: Any fatal flaws in my theory ?

I'm doing this to try and learn something about Cisco PIX's, so an answer like "don't bother with all that, just use Zone Alarm.." isn't really going to help me.. :)

Thanks for reading and a thousand thanks in advance for any (useful) advice offered! (and 200 pts for the best one :))


Question by:grayp1

Expert Comment

ID: 7169376
First of all, let me congratulate you on the choice of the Cisco PIX firewall.  I use the 515 in my organization also.  Yes there are more feature rich software based firewalls available, but the PIX is fast, and that's more important to me.  Besides, it does what it advertises, and that's also good.
Anyway, as long as your setup works, it is the best way.  Your basic setup looks fine, but without the configuration file, nobody will be able to help "tweak" your setup.  Not that it's really necessary.  Just follow Cisco's advice on securing your PIX and you should be OK.  If you haven't already, check out the following link.


Expert Comment

ID: 7169492
Is your ASUS router also your ADSL modem?  If not, then it is probably unnecessary to use it now that you have a PIX.  

A typical broadband connection is usually set up something like this:
ISP --> Broadband modem --> PIX --> HUB --> PCs

For example, in my home office, I use a PIX 501 for firewall protection.  I have an ethernet connection coming from my cable modem which plugs directly into the outside interface of my PIX (no "router" needed).  I use a simple default route in the PIX to pass traffic to the Internet.  The outside interface of the PIX is assigned a public address by my ISP's DHCP server.  The inside interface is on my 10.x.x.x network and acts as a DHCP server for my PCs.  This setup works very well for me.

Remember though, the PIX is not meant to be a router, so if you are doing some specialized routing, then your setup looks fine.  Otherwise, the router is unnecessary and actually poses a security concern (it's one more piece of equipment monitored for hack attempts).

Of course, this is all meaningless if the router is built into your ADSL modem.  <<SHRUG>>  

Good luck!


Author Comment

ID: 7169518
..thanks for replies back so far!

Just to add further details as required:

mbruner: My Asus Router IS also the ADSL Modem, sorry I didn't mention that before!

What I would like to do is the same as your setup:
Use the Asus Router/Modem to pass the traffic directly to the PIX, but I can't work out how I can do that ?

If I set the Asus router/modem into Bridged mode, what IP address do I have to assign to:

The Asus Router/Modem...?
The Outside Interface of the PIX...?

Yours confusedly,



Expert Comment

ID: 7169577
That's cool.  

If you set the Asus to bridged mode, then it shouldn't be assigned an address.  Instead, it will act like more of a hub (or bridge) than a router.  The outside interface of the PIX will be assigned an IP address through DHCP exactly like the Asus was when it was set up in routing mode.

If you can't get that to work, you could always put the PIX in like you originally stated.  Unfortunately, this means that your traffic will go through the NAT process within the PIX and within the router, which adds complexity and reduces throughput.
LVL 17

Expert Comment

ID: 7171611
Okay, I have a question. Do you use NAT on the Asus to get everyone onto the internet, or, do you have some live IP addresses on the network that need to be available to the internet?

Author Comment

ID: 7171623

I took a look at my Asus last night, and I can't use it as a "bridge" as such. :(

Mikecr: I do use NAT on the Asus so all the PCs can talk to the internet.  

I only have 1 live IP address, which the Asus takes, so that's why I figured I needed to use NAT on the Asus to the outside interface on the Pix and then the Pix does NAT/DHCP to the machines on the network.

LVL 17

Expert Comment

ID: 7171673
Okay, I'm with you now. Now I have another question. Why do you need a firewall? If you have no live IPs on your network and you're NATting your whole internal network to the internet, it is EXTREMELY hard to hack anything if you don't have anything to hack. Any external forces attempting to get into your network are going to be stopped at the router anyhow. The only advantage that you may get out of having a firewall is limiting places that the internal users can go and what traffic you will allow outbound. Was this what you were anticipating?

Author Comment

ID: 7171786

Well, my need for a firewall isn't /really/ required, for the reasons you mentioned.. The goal of the project is basically to teach myself a bit about how the PIX works; I figured that fitting it "somewhere" into my small network was the best way of learning it...

Accepted Solution

mbruner earned 800 total points
ID: 7171958
That's okay.  You can still set it up the way you originally described.  However, depending on how functional your ASUS router is, you will probably have to do a double NAT on your data (once as it traverses the PIX and once as it traverses the router).  This may gum up some multimedia applications and such, but for the most part, it should work fine.  

I'll try to diagram an example setup below.

.    ISP
.     |
.     | Public Address
.   ASUS
.     |.1
.     |
.     |          |
.     |.2        |.3
.    PIX        PC
.     |.1
.     |
.  |              |
.  |.2            |.3
. PC             PC

This setup will allow you to play with a lot of the NAT options, like one-to-one NATs, PAT, and combinations of both NAT and PAT.  You can also put your PCs in multiple places on the network to test data traversal through the PIX (I've shown a couple above).  

All in all, it's a pretty good setup for learning.  Try it out and let us know if you run across any problems.
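A PIX 6.x configuration for the double-NAT layout in the diagram above, added here as an illustration; it is not from the thread or from Cisco. The 192.168.1.0/24 (Asus LAN) and 192.168.2.0/24 (PIX inside) ranges and the hostname are constructed placeholders.

```cisco
! Added example, not from the thread: PIX 6.x config for the double-NAT layout.
! Constructed addressing: Asus LAN 192.168.1.0/24 (Asus .1, PIX outside .2),
! PIX inside LAN 192.168.2.0/24 (PIX inside .1). Substitute your own ranges.
hostname pixlab
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Outside sits on the Asus LAN with a fixed address. Keep .2 out of the Asus
! DHCP pool (or reserve it) so the router never hands the same address to a PC.
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
! Default route: anything not on the inside LAN goes to the Asus, which then
! performs the second NAT toward the ISP.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
! First NAT: PAT every inside host behind the PIX outside interface address.
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
! PIX serves DHCP to the inside PCs; the Asus keeps serving its own LAN.
! The DNS address is a placeholder: use your ISP's resolver or the Asus if it
! proxies DNS.
dhcpd address 192.168.2.10-192.168.2.40 inside
dhcpd dns 192.168.1.1
dhcpd lease 3600
dhcpd enable inside
! No access-list is bound to outside, so the PIX default applies: nothing on
! the Asus side can open a connection to an inside host; only return traffic
! for sessions the inside PCs started is allowed back in.
! Buffered logging so NAT and connection events can be watched while learning.
logging on
logging buffered informational
```

After `write memory`, `show xlate` and `show conn` list the active PAT translations and connections, which is the quickest way to see the first of the two NATs doing its job.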

Author Comment

ID: 7171988

Thanks all, especially MBruner, for help and advice.

I'll attempt to put it all together over the next few weeks and no doubt will be throwing up a few more questions!

