CISCO PIX 501 - Static Routes and Dynamic Internet IP address

I have created Static Routes on PIX 501 with a static Internet connection but never when I the internet connection is Dynamic DSL.  I would like to be able to create static routes so that I can access various machines from outside of the LAN.  I use TZO which provides me with a FQDN that points to my dynamic IP address.  The TZO application checks my IP address for changes every 2 minutes.

Below is my current network setup.

DSL Modem         -  Outside Address - Dynamic
    |                      -  Inside Address  -
Unmanaged Switch
Terminal Server  -  Inside Address -  Port 3389

I would like to install a PIX 501 between the DSL Modem and Unmanaged Switch.  Do I simply

1)  Allow my DSL modem act as a bridge a forward all requests to the PIX 501?  

2)  Set the inside IP address of the PIX 501 to

3)  Create the static route for my Terminal Server as follows:
access-list InBound permit tcp any host eq 3389
static (inside,outside) tcp 3389 3389 netmask 0 0

Thanks for the help.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

If your DSL modem is a Router it will provide the Pix with an internal address, (192.x.x.x) which becomes the Pix's WAN interface IP address, then you just setup your NAT/routes accordingly.

So in a convoluted way exactly what you said above =)

- SaP -

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
)  Allow my DSL modem act as a bridge a forward all requests to the PIX 501?  
Or a router, if you choose a new address range for the inside.

2)  Set the inside IP address of the PIX 501 to
You could change the inside address to  another network.  That might be less confusing to the pix.
For instance.
PIX outside int: 192.168.254.(whatever 1 thru 253)
Pix inside: (makeupsomething new
Workstations:,3,4,etc and DG=

3)  Create the static route for my Terminal Server as follows:
access-list InBound permit tcp any host eq 3389
static (inside,outside) tcp 3389 3389 netmask 0 0
That is assuming your DSL modem can nat for you.

Thanks for the help.
Yes a minor problem is that your translating your IP address on the DSL router via NAT already. You do not need the PIX. Just setup the DSL router to port forward the 3389 port to your internal address and your done.

If you want to actually use the 501 - you will need to stop NAT on the DSL router, and request from your ISP an additional IP address. This means a static IP address range will be given, and you need atleast 2 usable.
1 for the DSL modem
1 for the external NIC on the PIX
The DSL modem then becomes a "permiter" router
Then you just use PAT/NAT on the pix for internal traffic going out.
Then you can use your access-list and static statment with an external address going to you internal address making WAY more sense to you.

Otherwise you are looking at NATed NAT statement and your ARP requests are going to be going nuts, and you will have to reboot the DSL router and the PIX once a week.
Hi Rob,

You have got your assumptions correct as indicated above.

1) If you don't bridge your modem you have to create subnet inbetween your DSL modem.  This can cause you problems in the future e.g. forwarding esp, and ipsec traffic (for future remote access vpn) and is just ugly and messy.  Bridging the modem is fairly simple to do and using the 501 to setup the PPPOE/PPPOA connection to your provider is fairly simple.   I have included a guide by cisco to configure PPPOE.

2) Yes give it an address on the internal LAN.

3) Your rule would be fine if you were NOT bridging.  I will assume you are going to bridge (preffered method) as indicated above).

So your rule will look like:
access-list InBound permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 3389 netmask 0 0

Other info:
From a security standpoint this is NOT a very secure method of being able to connect to your Terminal Server remotely.  I would not personally advise to use this method as it is very open e.g. anyone can connect on the internet to your TS server (big security hole).  Without going into detail about why I would recommend you spend a few more minutes and configure a "Remote Access VPN".
This link will show you plenty of example of how to accomplish this.  It will also provide you with logging if you use a radius server for verification.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.