Using a PIX, a Router with only one non-static IP address..

Hi Guys,

I basically want to use my PIX 515 so I don't have to run Zone Alarm, et al. on each PC -- I've asked a few questions before, but I'm looking for a bit of advice as to the best way to set this up...

Here's the gear:
ADSL Single IP address (non-static)
Asus Router
Pix 515 F/W
Ethernet hub
3 PCs.


Here's the idea: (IP's changed to protect the innocent)

IP address is assigned by ISP, to the Asus router (

Asus router is then using NAT, and has an internal IP address,  PIX outside IP is set to

(Theory: This means that the PIX can ping from via and out to and beyond.. ?)

The PIX inside IP - and runs NAT/DHCP to offer the client PCs an IP address in that range.


So, PC1 goes through the PIX, which in turn goes through the Asus router and gets internet..

Question: Is this the best way of setting this up? -- As I mentioned before, all I want is to be able to have the hardware f/w instead of running individual software firewalls.

Question: Any fatal flaws in my theory?

I'm doing this to try and learn something about Cisco PIX's, so an answer like "don't bother with all that, just use Zone Alarm.." isn't really going to help me.. :)

Thanks for reading and a thousand thanks in advance for any (useful) advice offered! (and 200 pts for the best one :))


That's okay.  You can still set it up the way you originally described.  However, depending on how functional your ASUS router is, you will probably have to do a double NAT on your data (once as it traverses the PIX and once as it traverses the router).  This may gum up some multimedia applications and such, but for the most part, it should work fine.  

I'll try to diagram an example setup below.

.    ISP
.     |
.     | Public Address
.   ASUS
.     |.1
.     |
.     |          |
.     |.2        |.3
.    PIX        PC
.     |.1
.     |
.  |              |
.  |.2            |.3
. PC             PC

This setup will allow you to play with a lot of the NAT options, like one-to-one NATs, PAT, and combinations of both NAT and PAT.  You can also put your PCs in multiple places on the network to test data traversal through the PIX (I've shown a couple above).  

All in all, it's a pretty good setup for learning.  Try it out and let us know if you run across any problems.
First of all, let me congratulate you on the choice of the Cisco PIX firewall.  I use the 515 in my organization also.  Yes there are more feature rich software based firewalls available, but the PIX is fast, and that's more important to me.  Besides, it does what it advertises, and that's also good.
Anyway, as long as your setup works, it is the best way.  Your basic setup looks fine, but without the configuration file, nobody will be able to help "tweak" your setup.  Not that it's really necessary.  Just follow Cisco's advice on securing your PIX and you should be OK.  If you haven't already, check out the following link.

Is your ASUS router also your ADSL modem?  If not, then it is probably unnecessary to use it now that you have a PIX.  

A typical broadband connection is usually set up something like this:
ISP --> Broadband modem --> PIX --> HUB --> PCs

For example, in my home office, I use a PIX 501 for firewall protection.  I have an ethernet connection coming from my cable modem which plugs directly into the outside interface of my PIX (no "router" needed).  I use a simple default route in the PIX to pass traffic to the Internet.  The outside interface of the PIX is assigned a public address by my ISP's DHCP server.  The inside interface is on my 10.x.x.x network and acts as a DHCP server for my PCs.  This setup works very well for me.

Remember though, the PIX is not meant to be a router, so if you are doing some specialized routing, then your setup looks fine.  Otherwise, the router is unnecessary and actually poses a security concern (it's one more piece of equipment monitored for hack attempts).

Of course, this is all meaningless if the router is built into your ADSL modem.  <<SHRUG>>  

Good luck!


grayp1Author Commented:
..thanks for replies back so far!

Just to add further details as required:

mbruner: My Asus Router IS also the ADSL Modem, sorry I didn't mention that before!

What I would like to do is the same as your setup:
Use the Asus Router/Modem to pass the traffic directly to the PIX, but I can't work out how I can do that?

If I set the Asus router/modem into Bridged mode, what IP address do I have to assign to:

The Asus Router/Modem...?
The Outside Interface of the PIX...?

Yours confusedly,

That's cool.  

If you set the Asus to bridged mode, then it shouldn't be assigned an address.  Instead, it will act like more of a hub (or bridge) than a router.  The outside interface of the PIX will be assigned an IP address through DHCP exactly like the Asus was when it was set up in routing mode.

If you can't get that to work, you could always put the PIX in like you originally stated.  Unfortunately, this means that your traffic will go through the NAT process within the PIX and within the router, which adds complexity and reduces throughput.
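A minimal PIX 6.x configuration for the double-NAT layout discussed in this thread (PIX outside interface on the Asus LAN, inside interface on a private network, PIX doing PAT and DHCP for the PCs). This is an added example, not configuration posted by anyone in the thread; the 192.168.1.x and 10.0.0.x addresses, the interface names and the DHCP range are assumptions constructed for illustration.

```cisco
! Added example: PIX 6.x configuration for the double-NAT layout.
! Assumed addressing (constructed, not from the thread):
!   Asus LAN side   192.168.1.1/24  (default gateway for the PIX)
!   PIX outside     192.168.1.2/24
!   PIX inside      10.0.0.1/24     (PCs get 10.0.0.10-10.0.0.40 via DHCP)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
!
! Outside sits on the Asus LAN; the Asus performs the first NAT to the ISP.
ip address outside 192.168.1.2 255.255.255.0
! If the Asus hands out DHCP leases instead, replace the line above with:
!   ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
!
! Default route toward the Asus (omit when using "dhcp setroute").
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! Second NAT: every inside host is PATed behind the PIX outside address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Deny-by-default is implicit: no "static" and no inbound "access-list"
! are defined, so nothing on the outside can initiate a connection inward.
! Only return traffic for sessions opened from the inside is allowed back.
!
! DHCP server for the PCs behind the PIX (DNS forwarded via the Asus,
! an assumption about that router).
dhcpd address 10.0.0.10-10.0.0.40 inside
dhcpd dns 192.168.1.1
dhcpd lease 3600
dhcpd enable inside
!
! Keep a local log so denied connections can be reviewed while learning.
logging on
logging buffered warnings
```

With this in place, "show xlate" and "show conn" on the PIX show the inside-to-outside translations, which is the easiest way to watch the second NAT happening.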
Okay, I have a question. Do you use NAT on the Asus to get everyone onto the internet, or, do you have some live IP addresses on the network that need to be available to the internet?
grayp1Author Commented:

I took a look at my Asus last night, and I can't use it as a "bridge" as such. :(

Mikecr: I do use NAT on the Asus so all the PCs can talk to the internet.  

I only have 1 live IP address, which the Asus takes, so that's why I figured I needed to use NAT on the Asus to the outside interface on the Pix and then the Pix does NAT/DHCP to the machines on the network.

Okay, I'm with you now. Now I have another question. Why do you need a firewall? If you have no live IPs on your network and you're NATing your whole internal network to the internet, it is EXTREMELY hard to hack anything if you don't have anything to hack. Any external forces attempting to get into your network are going to be stopped at the router anyhow. The only advantage that you may get out of having a firewall is limiting places that the internal users can go and what traffic you will allow outbound. Was this what you were anticipating?
grayp1Author Commented:

Well, my need for a firewall isn't /really/ required, for the reasons you mentioned.. The goal of the project is basically to teach myself a bit about how the PIX works; I figured that fitting it "somewhere" into my small network was the best way of learning it...
grayp1Author Commented:

Thanks all, especially MBruner, for help and advice.

I'll attempt to put it all together over the next few weeks and no doubt will be throwing up a few more questions!
