Cisco 1605 to Cisco Pix with only one IP address

I have a customer who has a T1 coming into a 1605 with only one Routable IP address.  The current config has only the 1605 with a public address on Serial0 and a on Ethernet0.  Serial0 is the NAT address.  I want to put a PIX behind the 1605 and remove NAT (let the PIX handle the NAT).  I have done this with 2 routed addresses, but not with only one.  Is this possible?
Again, I want to end up with T1<->1605<->PIX<->Internal network.
rburns50 Commented:
I don't believe that this can be done without your ISP changing their environment. They could change the IP's on the endpoints of the T1 to be a private /30 subnet (i.e. and .2, with mask They would then route your original public IP to the new private IP at your end of the T1 (say it's, which you would configure on the T1-WIC card in the 1605. Then you would need to add a route to your 1605 router for the public IP, using e0 as the gateway, and put the public IP on the PIX port facing the 1605.

Sad to say though that most ISP's won't alter their routing schemes in this way...too much hassle for them. Technically doable, but socially maybe not.
Yes, it is possible with only one address.  I have done this, however I had a Tasman that my 2 T1's connected to.  I have a public address on my PIX and then used a 10.0.0x subnet between the PIX and a 3200 Series router.  It should work with the 1605 first and the PIX behind it though.  Just make sure that the PIX routes all traffic to the 1605, and that you add a route for your local subnet on the 1605 so the traffic can pass through the PIX back to the local subnet.  I have recently done something similar with a dynamic address on a DSL router with a Cisco router behind it.  The most important thing to remember is that the device closest to your local subnet needs to use the inside IP address of the outside device as its default gateway, and the outside device (1605) needs to route traffic to the local subnet to the outside IP address of the inside device (PIX).  I would use a separate subnet between the devices to help avoid any confusion.
JCRussellAuthor Commented:
The T1 is to the internet so the only real IP address we have is bound to the T1-WIC in the 1605.  Right now the 1605's e0 is the default gateway for all the clients and it runs access-lists and NAT so they need a firewall still.  But further than that they want to use the VPN capabilities.  Since they need to use the VPN, we can't nat and a reserved class IP won't route.  I guess I could use ip unnumbered and create static mapping, but then we are back to NAT or PAT, which in my experience does not work efficiently.  I was just wondering if there was any way to do this without having to go through the hassle of provisioning new IP's.
Do you have a range of IP addresses that you can use, or just the one?  We did VPN with our PIX but it was in front of the router.  You should be able to forward the traffic from the router to the PIX.  You may also be able to put the T1-WIC in the PIX.  In my opinion it's better to have your firewall in front of your router; I'm sure others will disagree with this but that's how I do it.  Anyway, we had a range of IP addresses but we only used 1 public address on our PIX, another public on the inside DMZ interface on the PIX, and a private IP address on the other interface on the PIX.  The router had private addresses on both of its interfaces as well.
Agreed with rburns50, ISP wouldn't change their IP schema for that. You would have to require at least one public IP for your LAN interface if you want your PIX to be an endpoint of VPN. You can't get rid of PAT/NAT either way unless you have a very small internal LAN.
Question has a verified solution.