CISCO PIX 501 - Static Routes and Dynamic Internet IP address

Posted on 2006-03-21
Last Modified: 2008-01-09
I have created Static Routes on PIX 501 with a static Internet connection but never when the internet connection is Dynamic DSL. I would like to be able to create static routes so that I can access various machines from outside of the LAN. I use TZO which provides me with a FQDN that points to my dynamic IP address. The TZO application checks my IP address for changes every 2 minutes.

Below is my current network setup.

DSL Modem         -  Outside Address - Dynamic
    |                      -  Inside Address  -
Unmanaged Switch
Terminal Server  -  Inside Address -  Port 3389

I would like to install a PIX 501 between the DSL Modem and Unmanaged Switch.  Do I simply

1)  Allow my DSL modem to act as a bridge and forward all requests to the PIX 501?

2)  Set the inside IP address of the PIX 501 to

3)  Create the static route for my Terminal Server as follows:
access-list InBound permit tcp any host eq 3389
static (inside,outside) tcp 3389 3389 netmask 0 0

Thanks for the help.

Question by: robertjwilsoncpa
    LVL 10

    Accepted Solution

    If your DSL modem is a router, it will provide the PIX with an internal address (192.x.x.x), which becomes the PIX's WAN interface IP address; then you just set up your NAT/routes accordingly.

    So, in a convoluted way, exactly what you said above =)

    - SaP -

    LVL 4

    Assisted Solution

    1)  Allow my DSL modem to act as a bridge and forward all requests to the PIX 501?
    Or a router, if you choose a new address range for the inside.

    2)  Set the inside IP address of the PIX 501 to
    You could change the inside address to another network. That might be less confusing to the PIX.
    For instance:
    DSL inside int:
    PIX outside int: 192.168.254.x (whatever, 1 through 253)
    PIX inside: (make up something new)
    Workstations: , 3, 4, etc. and DG =

    3)  Create the static route for my Terminal Server as follows:
    access-list InBound permit tcp any host eq 3389
    static (inside,outside) tcp 3389 3389 netmask 0 0
    That is assuming your DSL modem can NAT for you.

    Thanks for the help.
    LVL 1

    Assisted Solution

    Yes, a minor problem is that you're translating your IP address on the DSL router via NAT already. You do not need the PIX. Just set up the DSL router to port-forward port 3389 to your internal address and you're done.

    If you want to actually use the 501, you will need to stop NAT on the DSL router and request an additional IP address from your ISP. This means a static IP address range will be given, and you need at least 2 usable:
    1 for the DSL modem
    1 for the external NIC on the PIX
    The DSL modem then becomes a "perimeter" router.
    Then you just use PAT/NAT on the PIX for internal traffic going out.
    Then you can use your access-list and static statement with an external address going to your internal address, making WAY more sense to you.

    Otherwise you are looking at a NATed NAT statement, your ARP requests are going to go nuts, and you will have to reboot the DSL router and the PIX once a week.
    LVL 10

    Assisted Solution

    Hi Rob,

    You have got your assumptions correct as indicated above.

    1) If you don't bridge your modem you have to create a subnet in between your DSL modem and the PIX. This can cause you problems in the future, e.g. forwarding ESP and IPsec traffic (for future remote access VPN), and is just ugly and messy. Bridging the modem is fairly simple to do, and using the 501 to set up the PPPoE/PPPoA connection to your provider is fairly simple. I have included a guide by Cisco to configure PPPoE.

    2) Yes give it an address on the internal LAN.

    3) Your rule would be fine if you were NOT bridging. I will assume you are going to bridge (preferred method) as indicated above.

    So your rule will look like:
    access-list InBound permit tcp any interface outside eq 3389
    static (inside,outside) tcp interface 3389 3389 netmask 0 0

    Other info:
    From a security standpoint this is NOT a very secure method of being able to connect to your Terminal Server remotely. I would not personally advise using this method as it is very open, e.g. anyone on the internet can connect to your TS server (big security hole). Without going into detail about why, I would recommend you spend a few more minutes and configure a "Remote Access VPN".
    This link will show you plenty of examples of how to accomplish this. It will also provide you with logging if you use a RADIUS server for verification.
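As an added example that is not part of this thread: a small Python check a defender could run over a saved PIX 6.x configuration to flag the exact exposure discussed above, an access-list permitting any source to 3389, counted only when that list is actually bound to an interface with access-group. The sample configuration lines are constructed, and the regex covers only the operand forms that appear in this thread (any, host X, interface X, address mask), not the full PIX ACL grammar.

```python
"""Flag PIX 6.x access-list entries that open a watched port to any source.
Added example; parses only the operand forms used in the thread above."""
import re

# Constructed sample, modelled on the lines posted above (203.0.113.7 is a documentation address).
SAMPLE_CONFIG = """\
access-list InBound permit tcp any interface outside eq 3389
access-list InBound permit tcp host 203.0.113.7 interface outside eq 3389
access-list Unused permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 3389 netmask 255.255.255.255 0 0
access-group InBound in interface outside
"""

OPERAND = r"(?:any|host\s+\S+|interface\s+\S+|\S+\s+\S+)"
ACL_RE = re.compile(
    rf"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>tcp|udp)\s+"
    rf"(?P<src>{OPERAND})\s+(?P<dst>{OPERAND})\s+eq\s+(?P<port>\S+)$"
)
ACG_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)$")


def applied_inbound(config_text):
    """Map ACL name -> interface for every 'access-group <name> in interface <if>' line."""
    bound = {}
    for line in config_text.splitlines():
        m = ACG_RE.match(line.strip())
        if m:
            bound[m.group("name")] = m.group("iface")
    return bound


def find_exposures(config_text, watch_ports=("3389",)):
    """Return one dict per permit-from-any entry on a watched port whose ACL is
    bound to an interface; an unbound ACL passes no traffic and is skipped."""
    bound = applied_inbound(config_text)
    hits = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group("src") != "any" or m.group("port") not in watch_ports:
            continue
        iface = bound.get(m.group("name"))
        if iface is None:
            continue
        hits.append({"acl": m.group("name"), "interface": iface,
                     "port": m.group("port"), "line": line.strip()})
    return hits


if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_CONFIG):
        print(f"{hit['acl']} on {hit['interface']}: port {hit['port']} open to any -> {hit['line']}")
```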
