[Last Call] Learn how to a build a cloud-first strategyRegister Now


Cisco PIX 501 setup question

Posted on 2004-11-07
Medium Priority
Last Modified: 2010-04-10
Hello all, I recently purchased a Cisco PIX 501 and have some general questions. Here is the current configuration.

* Our company has 5 static ip addresses. the first 207.*.15.89 is the public ip address.
* I have a Cisco 675 router connected to the internet. I have turned off DHCP and NAT on the router and assigned the eth1 interface one an ip address of 207.*.15.90 (another of our static ips)
* I have set the outside interface of the PIX to 207.*.15.91, and defined the gateway as the 207.*.15.90 ( eth1 on 675 )
* I have turned on DHCP on the PIX with a - range to hand out
* I have a total of 6 computers I would like to have access the internet and 1 computer that needs to be reachable from the internet.

Here are my questions:
* Is this the correct (given the situation) way to set up the 675 router?
* I would like to allow traffic from the internet to our mail and web server at, how is this performed?
* I dont understand global pools, Is it yet another layer of address translation, and where do you get the ip addresses for it?another private set of IPs?

I have a book on PIX, but am having a hard time nailing some of the concepts.

Thanks in advance - Eric
Question by:ericmiller74
1 Comment

Accepted Solution

cnewgaard earned 375 total points
ID: 12520055
1.  Yes.  Your router seems to be configured correctly for your setup

2.  To allow traffic to get to your web and mail you need two parts.  One is an access list the other is a static NAT translation of the IP address.

     a.  First setup static nats by doing this command  static (inside,outside) 207.*.15.92
          This is assuming .92 is the next free IP address in your scope

     b.  Make an access list using the command access-list 101 permit tcp any host 207.*.15.92 eq www
          For mail just replace www with smtp or pop3

     c.  Lastly type the command access-group 101 in interface outside    this binds that access list to the outside interface to allow traffic in

You can also use port numbers on the access list if you like i.e. www=80  smtp=25   etc.

The global pool is used in PAT or port address translation which translates all traffic going out to the IP of the outside interface on the PIX.  Once you have an IP on the outside interface you're all set.  No need to use up another IP address.

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
In this article I will be showing you how to subnet the easiest way possible for IPv4 (Internet Protocol version 4). This article does not cover IPv6. Keep in mind that subnetting requires lots of practice and time.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question