CISCO PIX 501 - Static Routes and Dynamic Internet IP address

Last Modified: 2008-01-09
I have created static routes on a PIX 501 with a static Internet connection but never when the Internet connection is dynamic DSL. I would like to be able to create static routes so that I can access various machines from outside of the LAN. I use TZO, which provides me with a FQDN that points to my dynamic IP address. The TZO application checks my IP address for changes every 2 minutes.

Below is my current network setup.

DSL Modem         -  Outside Address - Dynamic
    |                      -  Inside Address  -
Unmanaged Switch
Terminal Server  -  Inside Address -  Port 3389

I would like to install a PIX 501 between the DSL Modem and Unmanaged Switch.  Do I simply

1)  Allow my DSL modem to act as a bridge and forward all requests to the PIX 501?

2)  Set the inside IP address of the PIX 501 to

3)  Create the static route for my Terminal Server as follows:
access-list InBound permit tcp any host eq 3389
static (inside,outside) tcp 3389 3389 netmask 0 0

Thanks for the help.


If your DSL modem is a router it will provide the PIX with an internal address (192.x.x.x), which becomes the PIX's WAN interface IP address; then you just set up your NAT/routes accordingly.

So in a convoluted way exactly what you said above =)

- SaP -

1)  Allow my DSL modem to act as a bridge and forward all requests to the PIX 501?
Or a router, if you choose a new address range for the inside.

2)  Set the inside IP address of the PIX 501 to
You could change the inside address to another network. That might be less confusing to the PIX.
For instance:
PIX outside int: 192.168.254.(whatever 1 thru 253)
Pix inside: (make up something new)
Workstations:,3,4,etc and DG=

3)  Create the static route for my Terminal Server as follows:
access-list InBound permit tcp any host eq 3389
static (inside,outside) tcp 3389 3389 netmask 0 0
That is assuming your DSL modem can nat for you.

Thanks for the help.

Yes, a minor problem is that you're translating your IP address on the DSL router via NAT already. You do not need the PIX. Just set up the DSL router to port forward the 3389 port to your internal address and you're done.

If you want to actually use the 501, you will need to stop NAT on the DSL router and request an additional IP address from your ISP. This means a static IP address range will be given, and you need at least 2 usable:
1 for the DSL modem
1 for the external NIC on the PIX
The DSL modem then becomes a "perimeter" router.
Then you just use PAT/NAT on the PIX for internal traffic going out.
Then you can use your access-list and static statement with an external address going to your internal address, making WAY more sense to you.

Otherwise you are looking at a NATed NAT statement, your ARP requests are going to go nuts, and you will have to reboot the DSL router and the PIX once a week.

Hi Rob,

You have got your assumptions correct as indicated above.

1) If you don't bridge your modem you have to create a subnet in between your DSL modem and the PIX. This can cause you problems in the future, e.g. forwarding ESP and IPsec traffic (for future remote access VPN), and is just ugly and messy. Bridging the modem is fairly simple to do, and using the 501 to set up the PPPoE/PPPoA connection to your provider is fairly simple. I have included a guide by Cisco to configure PPPoE.

2) Yes give it an address on the internal LAN.

3) Your rule would be fine if you were NOT bridging. I will assume you are going to bridge (preferred method, as indicated above).

So your rule will look like:
access-list InBound permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 3389 netmask 0 0

Other info:
From a security standpoint this is NOT a very secure method of being able to connect to your Terminal Server remotely. I would not personally advise using this method as it is very open, e.g. anyone on the Internet can connect to your TS server (big security hole). Without going into detail about why, I would recommend you spend a few more minutes and configure a "Remote Access VPN".
This link will show you plenty of examples of how to accomplish this. It will also provide you with logging if you use a RADIUS server for verification.
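As a worked example that is not part of any of the answers above, here is a complete PIX 501 (assumed PIX OS 6.3) configuration for the bridged-modem setup the last answer recommends and the static/ACL pair both later answers discuss: the PIX brings up PPPoE itself, PATs the LAN out of whatever dynamic address the ISP assigns, forwards TCP/3389 to the Terminal Server, and ships its logs to a syslog host. Every address, host name and credential is a placeholder I made up (192.168.10.0/24 for the LAN, 192.168.10.10 for the Terminal Server, 192.168.10.20 for the syslog host, 203.0.113.5 as the one trusted remote source); the commented alternative shows what changes when the modem stays a router and you get a static range from the ISP, as the second answer describes. The inbound ACL is written the restrictive way the expert's security note calls for, with the open "any" rule from the answers left as a comment for comparison.

```cisco
! Interfaces: e0 faces the bridged DSL modem, e1 faces the unmanaged switch
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 100full
hostname pix501

! LAN addressing (placeholder network 192.168.10.0/24)
ip address inside 192.168.10.1 255.255.255.0

! Bridged modem: the PIX runs the PPPoE client, so it, not the modem, holds
! the dynamic public address. "setroute" installs the default route the ISP
! hands out, so no static default route is needed. Credentials are placeholders.
vpdn group isp request dialout pppoe
vpdn group isp localname ISP_USERNAME_PLACEHOLDER
vpdn group isp ppp authentication pap
vpdn username ISP_USERNAME_PLACEHOLDER password ISP_PASSWORD_PLACEHOLDER
ip address outside pppoe setroute

! Alternative for the non-bridged case (modem stays a router, NAT off, static
! range from the ISP): replace the five PPPoE lines above with a fixed outside
! address and a default route toward the modem (placeholder values).
! ip address outside 198.51.100.2 255.255.255.248
! route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! Outbound PAT: every inside host shares the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Port forward: TCP/3389 arriving on the outside interface address goes to the
! Terminal Server. "interface" is used because the public address is dynamic.
static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255 0 0

! Inbound policy. The open rule from the answers (any source) would be:
! access-list InBound permit tcp any interface outside eq 3389
!
! Restricted version: only one known remote address (placeholder 203.0.113.5)
! may reach RDP. Everything else hits the implicit deny at the end of the ACL,
! which the PIX logs by default as %PIX-4-106023.
access-list InBound permit tcp host 203.0.113.5 interface outside eq 3389
access-group InBound in interface outside

! Send connection and deny logs to a syslog host on the LAN so attempts
! against 3389 are visible rather than silently dropped
logging on
logging timestamp
logging trap informational
logging host inside 192.168.10.20
```

After pasting this in, `show ip address outside` confirms the PPPoE-assigned address and `show xlate` shows the 3389 static once it has been hit; `show logging` or the syslog host will list the 106023 denies, which is the quickest way to see how much unsolicited RDP traffic the open variant would have admitted.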