JCRussell
Cisco 1605 to Cisco Pix with only one IP address

I have a customer who has a T1 coming into a 1605 with only one Routable IP address.  The current config has only the 1605 with a public address on Serial0 and a 10.1.1.1 on Ethernet0.  Serial0 is the NAT address.  I want to put a PIX behind the 1605 and remove NAT (let the PIX handle the NAT).  I have done this with 2 routed addresses, but not with only one.  Is this possible?
Again, I want to end up with T1<->1605<->PIX<->Internal network.
rshooper76

Yes, it is possible with only one address.  I have done this however I had a Tasman where my 2 T1's connected to.  I have a Public Address on my PIX and then used a 10.0.0.x subnet between the PIX and a 3200 Series router.  It should work with the 1605 first and the PIX behind it though.  Just make sure that the PIX routes all traffic to the 1605, and that you add a route for your local subnet on the 1605 so the traffic can pass through the PIX back to the local subnet.  I have recently done something similar with a dynamic address on a DSL router with a Cisco router behind it.  The most important thing to remember is that the device closest to your local subnet needs to use the inside IP address of the outside device as its default gateway and the outside device (1605) needs to route traffic to the local subnet to the outside IP address of the inside device (PIX).  I would use a separate subnet between the devices to help avoid any confusion.  
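The routing arrangement rshooper76 describes, written out as an added configuration example that is not from this thread or from either poster: the 1605 keeps the single public address on Serial0, a small transit subnet sits between the 1605 and the PIX, the PIX points its default route at the 1605, and the 1605 carries a static route back to the LAN via the PIX's outside address. All addresses are constructed placeholders (203.0.113.10 for the public address, 192.168.100.0/30 for the transit subnet, 10.1.1.0/24 for the LAN as in the question), and the assumption that overload NAT stays on the 1605 follows from the later replies on this page.

```cisco
! --- Cisco 1605 (outside device), IOS ---
! Serial0 keeps the one public address (placeholder); Ethernet0 moves onto
! the transit subnet shared only with the PIX.
interface Serial0
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
!
interface Ethernet0
 ip address 192.168.100.1 255.255.255.252
 ip nat inside
!
! Default route toward the ISP, plus the static route back to the LAN
! via the PIX's outside address (the point rshooper76 stresses).
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 10.1.1.0 255.255.255.0 192.168.100.2
!
! Overload (PAT) to the single public address stays on the router, since
! the PIX's outside address below is private. The ACL covers both the
! transit subnet (PIX PAT address) and the LAN itself.
access-list 1 permit 192.168.100.0 0.0.0.3
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface Serial0 overload

! --- PIX (inside device), PIX 6.x syntax ---
! Outside on the transit subnet; inside takes over 10.1.1.1 as the LAN's
! default gateway so the clients need no change.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.100.2 255.255.255.252
ip address inside 10.1.1.1 255.255.255.0
!
! Everything not local goes to the 1605's Ethernet0 address.
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
!
! PAT the LAN to the PIX outside address; the 1605 then translates that
! to the public address. The access-lists that lived on the 1605 move here.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
```

Check it by tracing a packet both ways: a LAN host at 10.1.1.50 reaches 10.1.1.1 (PIX inside), the PIX forwards to 192.168.100.1, and the 1605 forwards out Serial0; the reply arrives at 203.0.113.10, is untranslated to 192.168.100.2, and the 1605's static route for 10.1.1.0/24 sends it back to the PIX. Without that static route the 1605 would drop or misroute return traffic, which is the failure rshooper76's advice is meant to prevent. As the later replies on this page note, this layout keeps NAT on the 1605 and leaves the PIX with a private outside address, so it does not give the PIX a public VPN endpoint.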
JCRussell (ASKER)

The T1 is to the internet so the only real IP address we have is bound to the T1-WIC in the 1605.  Right now the 1605's e0 is the default gateway for all the clients and it runs access-lists and NAT so they need a firewall still.  But further than that they want to use the VPN capabilities.  Since they need to use the VPN, we can't nat and a reserved class IP won't route.  I guess I could use ip unnumbered and create static mapping, but then we are back to NAT or PAT, which in my experience does not work efficiently.  I was just wondering if there was any way to do this without having to go through the hassle of provisioning new IP's.
Do you have a range of IP addresses that you can use, or just the one?  We did VPN with our PIX but it was in front of the router.  You should be able to forward the traffic from the router to the PIX.  You may also be able to put the T1-WIC in the PIX.  In my opinion it's better to have your firewall in front of your router; I'm sure others will disagree with this but that's how I do it.  Anyway, we had a range of IP addresses but we only used 1 public address on our PIX, another public on the inside DMZ interface on the PIX, and a private IP address on the other interface on the PIX.  The router had private addresses on both of its interfaces as well.  
ASKER CERTIFIED SOLUTION
rburns50

This solution is only available to members.
Agreed with rburns50, the ISP wouldn't change their IP schema for that. You would have to require at least one public IP for your LAN interface if you want your PIX to be an end point of VPN. You can't get rid of PAT/NAT either way unless you have a very small internal LAN.