Pix configuration change

Wanted to ask a quick question about the configuration of an IP change to my Pix. We currently use the DHCP Setroute to obtain IP address information provided by our ISP, however we are bringing a DMZ online and have made the switch to 2 static IP addresses. I presume all I need to do is program the IP address into the outside and dmz interfaces, our ISP is currently binding our MAC address from both interfaces to both IP addresses. Is there anything I need to be careful of? Any commands to execute after reconfiguring the IP address? We intended to put an Exchange relay, ftp and www server in the dmz. Thanks in advance for all of the advice!!

grblades commented:
Here is the config to add to get the DMZ working. I assume you only have one machine in the DMZ?
If you have more than one then let me know what services each will be running

! define correct IP for dmz
ip address intf2
! allow incoming connections to dmz on desired ports
access-list outside_in permit tcp any host eq smtp
access-list outside_in permit tcp any host eq ftp
access-list outside_in permit tcp any host eq www
access-list outside_in permit tcp any host eq https
access-group outside_in in interface outside
! set up 1 to 1 mapping between DMZ IP and outside
static (intf2,outside) netmask 0 0
! don't do NAT from inside to DMZ
access-list 101 permit ip

Hi Blackmoon91,
I assume you have at least a PIX 515 with 3 interfaces?

You need to fix the external IP address and then add a static NAT mapping for the second IP address through to the IP address of the server in the DMZ. You then need to add/modify the access-list assigned to the external interface.

If you want to post your configuration I will tell you what you need to change.
Blackmoon91 (Author) commented:
Thanks for the post, have kind of an urgent situation that could use some help on. Some time ago my suddenly dropped off the net, and I have as of yet not been able to restore it. I have gone over the IP address setups and configurations, as well as nat and route statements, and have not been able to get out. What I have found is the outside interface can ping the default gateway, and users on the intranet can ping the gateway out, somewhere it is losing the translation or hasn't been cleared correctly. I will post IP information also as well as route and global statements. The user who can tell me what I missed, and continue our question from before will have some points to add by day's end. But really guys thanks for all the help, everyone knows how it feels to fall off the net (I hope)

PIX Version 6.2(3)                  
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
nameif ethernet2 intf2 security10                                
enable password 2KFQnbNIdI.2KYOU encrypted                                          
passwd YHP/GpHoiUQdMATS encrypted                                
hostname MeccaNetPix                    
domain-name domain.com                          
fixup protocol ftp 21                    
fixup protocol http 80                      
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol ils 389                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol sip 5060                      
fixup protocol skinny 2000                          
fixup protocol sip udp 5060                          
access-list 101 permit ip                                                                            
access-list 102 permit ip                                                                            
no pager        
logging trap notifications                          
interface ethernet0 auto                        
interface ethernet1 auto                        
interface ethernet2 auto shutdown                                
mtu outside 1500                
mtu inside 1500              
mtu intf2 1500              
ip address outside           not actual IP, however last digits are correct (.41), gateway at (.1)  subnet
ip address inside                                          
ip address intf2                                          
ip audit info action alarm                          
ip audit attack action alarm                            
ip local pool ippool                                              
no failover          
failover timeout 0:00:00                        
failover poll 15                
failover ip address outside                                  
failover ip address inside                                  
failover ip address intf2                                
pdm logging informational 100                            
no pdm history enable                    
arp timeout 14400
global (outside) 1 interface                            
nat (inside) 0 access-list 101                              
nat (inside) 1 0 0                                  

conduit permit icmp any any                          
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
no snmp-server location                      
no snmp-server contact                      
snmp-server community public                            
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
no sysopt route dnat                    
crypto ipsec transform-set myset esp-des esp-md5-hmac                          
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup meccanet address-pool ippool
vpngroup meccanet dns-server
vpngroup meccanet wins-server
vpngroup meccanet default-domain domain.com
vpngroup meccanet idle-time 1800
vpngroup meccanet password ********
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end
You are missing the default route to your gateway. Add the following to the configuration :-

route outside 1
Question has a verified solution.
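The checks discussed in this thread can be run over a saved configuration before it is loaded. The following is an added example, not code from the thread or from Cisco: it flags a missing default route (the accepted fix), an `access-group` that names an ACL with no entries, and a `static` mapping on an interface left in `shutdown` (as `ethernet2` is in the posted configuration). The sample configuration and its addresses are constructed, and the `audit` function name is an assumption.

```python
import re

# Constructed sample in PIX 6.x syntax. Addresses are documentation ranges,
# not values from the thread (the thread's own addresses are not shown).
SAMPLE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
ip address outside 192.0.2.41 255.255.255.0
ip address intf2 10.0.2.1 255.255.255.0
access-list outside_in permit tcp any host 192.0.2.42 eq smtp
access-group ourside_in in interface outside
static (intf2,outside) 192.0.2.42 10.0.2.10 netmask 255.255.255.255 0 0
global (outside) 1 interface
nat (inside) 1 0 0
"""

def audit(config):
    """Return a list of findings for a PIX 6.x style configuration (hypothetical helper)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # 1. Without a default route the PIX reaches only its connected subnets.
    zero = r"(?:0\.0\.0\.0|0)"
    if not any(re.match(rf"route \S+ {zero} {zero} \S+", l) for l in lines):
        findings.append("no default route")
    # 2. An access-group must name an ACL that actually has entries.
    acls = {l.split()[1] for l in lines if l.startswith("access-list ")}
    for l in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)", l)
        if m and m.group(1) not in acls:
            findings.append(f"access-group references undefined ACL {m.group(1)}")
    # 3. A static mapping is useless while one of its interfaces is shut down.
    hw_name = dict(l.split()[1:3] for l in lines if l.startswith("nameif "))
    down = {hw_name.get(l.split()[1]) for l in lines
            if l.startswith("interface ") and l.endswith(" shutdown")}
    for l in lines:
        m = re.match(r"static \((\w+),(\w+)\)", l)
        for name in (sorted(down & set(m.groups())) if m else []):
            findings.append(f"static mapping uses shut-down interface {name}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```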
