Cisco 1605 to Cisco Pix with only one IP address

Posted on 2005-04-21
Last Modified: 2010-04-10
I have a customer who has a T1 coming into a 1605 with only one Routable IP address.  The current config has only the 1605 with a public address on Serial0 and a on Ethernet0.  Serial0 is the NAT address.  I want to put a PIX behind the 1605 and remove NAT (let the PIX handle the NAT).  I have done this with 2 routed addresses, but not with only one.  Is this possible?
Again, I want to end up with T1<->1605<->PIX<->Internal network.
Question by:JCRussell
    LVL 9

    Expert Comment

    Yes, it is possible with only one address.  I have done this, however I had a Tasman where my 2 T1's connected to.  I have a public address on my PIX and then used a 10.0.0.x subnet between the PIX and a 3200 Series router.  It should work with the 1605 first and the PIX behind it though.  Just make sure that the PIX routes all traffic to the 1605, and that you add a route for your local subnet on the 1605 so the traffic can pass through the PIX back to the local subnet.  I have recently done something similar with a dynamic address on a DSL router with a Cisco router behind it.  The most important thing to remember is that the device closest to your local subnet needs to use the inside IP address of the outside device as its default gateway, and the outside device (1605) needs to route traffic for the local subnet to the outside IP address of the inside device (PIX).  I would use a separate subnet between the devices to help avoid any confusion.
    LVL 1

    Author Comment

    The T1 is to the internet, so the only real IP address we have is bound to the T1-WIC in the 1605.  Right now the 1605's e0 is the default gateway for all the clients and it runs access-lists and NAT, so they still need a firewall.  But further than that, they want to use the VPN capabilities.  Since they need to use the VPN, we can't NAT, and a reserved class IP won't route.  I guess I could use ip unnumbered and create a static mapping, but then we are back to NAT or PAT, which in my experience does not work efficiently.  I was just wondering if there was any way to do this without having to go through the hassle of provisioning new IPs.
    LVL 9

    Expert Comment

    Do you have a range of IP addresses that you can use, or just the one?  We did VPN with our PIX, but it was in front of the router.  You should be able to forward the traffic from the router to the PIX.  You may also be able to put the T1-WIC in the PIX.  In my opinion it's better to have your firewall in front of your router; I'm sure others will disagree with this, but that's how I do it.  Anyway, we had a range of IP addresses, but we only used 1 public address on our PIX, another public address on the inside DMZ interface on the PIX, and a private IP address on the other interface on the PIX.  The router had private addresses on both of its interfaces as well.
    LVL 4

    Accepted Solution

    I don't believe that this can be done without your ISP changing their environment. They could change the IPs on the endpoints of the T1 to be a private /30 subnet (i.e. and .2, with mask They would then route your original public IP to the new private IP at your end of the T1 (say it's, which you would configure on the T1-WIC card in the 1605. Then you would need to add a route to your 1605 router for the public IP, using e0 as the gateway, and put the public IP on the PIX port facing the 1605.

    Sad to say, though, that most ISPs won't alter their routing schemes in this way... too much hassle for them. Technically doable, but socially maybe not.
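The 1605 side of the accepted solution, written out as an IOS configuration fragment (an added example, not from the original thread; every address is constructed from documentation ranges: the ISP-supplied private /30 on the T1, the single public address, the router-to-PIX link subnet and the LAN subnet are all assumptions):

```text
! Cisco 1605 after the ISP re-addresses the T1 as a private /30 (assumed 10.255.255.0/30)
! and routes the single public address (assumed 203.0.113.10/32) to our end of the link.
! NAT and its access-list are removed from the router; the PIX behind it owns the
! public address and performs NAT/PAT for the LAN.
!
interface Serial0
 description T1 to ISP, private /30 supplied by the ISP
 ip address 10.255.255.2 255.255.255.252
 no ip nat outside
!
interface Ethernet0
 description Link to PIX outside interface (assumed private /30 for the router-PIX segment)
 ip address 192.168.255.1 255.255.255.252
 no ip nat inside
!
! Default route toward the ISP end of the T1
ip route 0.0.0.0 0.0.0.0 10.255.255.1
!
! The public address lives on the PIX outside interface, so send it out Ethernet0;
! the PIX answers ARP for its own address on that segment.
ip route 203.0.113.10 255.255.255.255 Ethernet0
!
! Return path for the LAN (assumed 192.168.1.0/24) goes through the PIX outside address
ip route 192.168.1.0 255.255.255.0 203.0.113.10
!
! Matching PIX side (assumed, not shown as commands): the outside interface carries
! 203.0.113.10, its default route points at the 1605's Ethernet0 address 192.168.255.1,
! and the LAN NAT/PAT statements move from the 1605 to the PIX.
```

Before relying on this, confirm on the PIX software in use that a default route whose gateway is not on the outside interface's own subnet is accepted, and confirm with the ISP that the /32 is really routed to 10.255.255.2 (a traceroute from outside to the public address should end at the PIX).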
    LVL 6

    Expert Comment

    Agreed with rburns50; the ISP wouldn't change their IP schema for that. You would need at least one public IP for your LAN interface if you want your PIX to be an endpoint of the VPN. You can't get rid of PAT/NAT either way unless you have a very small internal LAN.
