Cisco 1721 router with a pix firewall config

Posted on 2006-03-30
Last Modified: 2013-11-29
We are installing a new T1.5 internet protocol HDLC (static). We have a Cisco 1721 router with a separate PIX firewall. What is the config process and NAT assignments to have these two devices working properly?

What I am not sure of is: do we put in a default gateway on the PIX to point to the WAN IP of the 1721 or the WAN IP from the carrier? I know it cannot be the LAN IP of the 1721 because the PIX will not send a packet back out the same interface it's received on.

Thanks for your help,

Question by:ServicePointUSA

    Expert Comment

    hi Mike,  you'll need to be a lot more specific in your requirements, so we can help you.  A simple ASCII net diagram will also help.
    >I know it cannot be to the LAN IP of the 1721 because the Pix will not send a packet back on the same interface...
      So you're *not* going to have the following typical setup??:  Internet <-> 1721 <-> PIX <-> inside LAN(s)
      Are there more than 1 internal LANs present? Please clarify the physical layout.

    Important info to provide:
    - This is a "point-to-point" T1 using HDLC encapsulation? (ISP has a Cisco router on the other end of this circuit?) And I assume the T1 connection will be plugged directly into a T1 card already installed in the router?
    - Is the PIX's outside interface going to be directly connected to the LAN interface of the 1721?
    - Is the LAN interface of the 1721 &/or the PIX outside interface going to have a public IP directly configured on it?
    - Do you have any public servers that need to be accessible from the outside? ie, web, email, etc servers? If so, what are the LAN IPs of these servers going to be? And if they're going to be accessed by different IPs, post the IPs masked like so: x.x.x.81
    - If a public email server is present, is it Exchange? If so, will you be using OWA? If OWA, will it be normal http or secure https?
    - Please post "sanitized" public IPs that will be used in this config, but with correct subnet masks.  Example:
      ISP gateway: x.x.x.81
      WAN IP of router: x.x.x.82 with subnet mask
      LAN IP of router: x.x.x.202 with subnet mask
    (But *don't* mask out private LAN IPs in these ranges: 10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
    - What model of PIX?
    - Is the PIX going to be giving out DHCP, or do you have an internal server for this already?
    - Please post current "show run" output from both router & PIX (any public IPs "sanitized" as above), & indicate which interface on the 1721 will be the LAN interface.
    - Please provide any other important info you can think of.


    Author Comment

    Yes, it's point to point. T1 card in router (CSU/DSU). PIX will be connected to router LAN. 1721 will have a public IP. Yes, public servers need to be accessed. No email server. Model of PIX is a 501. PIX will not be giving out DHCP. Cannot provide show run because we don't have it installed yet. No public IP available either. Can we substitute x.x.x.x for the IPs?
    Can you lead us in the right direction with this info?

    Thanks Mike.

    Expert Comment

    >1721 will have a public ip
      Public IP only on outside interface? No public IP on LAN interface & no public IP on PIX outside interface? ie, No 2nd public subnet for use by PIX, router LAN interface & public servers, & NAT being done on the router?  Not a recommended setup.  Believe me, it's much better & easier to have public IPs for: router LAN IP, PIX outside IP; & public IPs for each server.
       Just be aware, if you have more than one server of the same type - ie, 2 web servers to be accessed by the same public IP & both via tcp port 80 - this can't be done with a single public IP, not with the router or the PIX.

    >Yes public servers need to be accessed.
       Ok, this is still very vague, but I could provide an example, & some URLs as guides.
    >Can we substitute x.x.x.x for the IPs?
       Yes, but it's much easier to follow if we know the last number of the IP. And you don't lose any privacy/security this way.

    Are you familiar with accessing the CLI interface on either the router or the PIX??


    Author Comment

    The LAN side for the 1721 and PIX were going to be 192.168.6.x and then we'll have a public IP on the serial interface of the 1721. On the PIX there will also be a public IP on the WAN interface. We will have a block of 6 public IPs, so most clients will go out on the public IP of the PIX, but in the future there will be a handful of servers that will be NAT'd through the PIX so will translate to a public IP. Then inbound we might have an FTP server that will have restricted access by IP. We will not be doing port forwarding, so if we have another server that will host a different FTP site then it will go strictly by the IP address. We are vaguely familiar with the CLI. The main question here is the routing. If we have a client PC, its GW should be set to that of the 1721, so say it looks like this:

    Client Internal IP -
    GW - - 1721
    DNS - Will use one's assigned from provider

    Client requests access to HTTP port 80 --> Cisco 1721. Now on the 1721, do we have a route pointing to the internal IP of the PIX --> PIX 501 inspects traffic, and then on the PIX do we have a static route to the provider's GW interface, and then the client will be known on the Internet through the public IP of the PIX 501?

    Then on inbound what we want is this.

    Remote client requests FTP to x.x.x.x (this being one of our public IPs that has a NAT translation in the PIX). It hits the 1721 on the WAN interface, passes through to the PIX on the WAN side, is inspected and finds a match for the rule allowing FTP from that client to the FTP server in question, and then passes it to the server.

    Accepted Solution

    >The LAN side for the 1721 and Pix were going to be 192.168.6.x and then we'll have a public IP on
    > the serial interface of the 1721. On the Pix there will also be a public IP on the WAN interface.
    If you were intending something like this:
      router LAN IP: 192.168.6.x
      PIX WAN IP: <some public IP>
      PIX LAN IP: 192.168.6.y
    ...then this isn't possible.  The IP ranges on the _LAN_ side of both devices (inside subnets) *must* be different.

    Since you said you'll have a block of 6 public IPs, below is a general example of how you'll want to set this up.  Since the info provided above is still pretty vague, I'll be making the following assumptions for the purpose of the example:
      Router WAN IP: subnet mask:
      Router default gateway at ISP:
      Router WAN interface: Serial0
      Public block of 6 IPs: subnet mask: (usable IPs:
      Router LAN (inside) IP:
      Router LAN interface: FastEthernet0
      PIX WAN IP:
      LAN behind PIX: 192.168.6.x
      PIX LAN IP:
      default gateway for PCs behind PIX:
      web server behind PIX: (accessible from Internet via public IP:
      web server behind PIX: (accessible from Internet via public IP:

      On 1721:
    interface FastEthernet0
    ip address
    no shut

    interface Serial0
    ip address
    no shut

    ip route
    copy run start   <- saves config to the router

      On PIX:
    access-list inbound permit icmp any any echo-reply   <- allow replies for outbound pings
    access-list inbound permit tcp any host eq 80  <- allow access to web server
    access-list inbound permit tcp any host eq 21  <- allow access to FTP server
    access-group inbound in interface outside
    ip address outside
    ip address inside
    nat (inside) 1 0 0
    global (outside) 1 interface
    route outside
    clear xlate
    static (inside,outside)
    static (inside,outside)
    write mem     <- saves config to the PIX

    Once again, the above is a basic general example only, based on the info provided. You'll of course need to substitute IPs & actual interface names as necessary to match what you'll have.  You'll need to connect the router LAN interface (FastEthernet0) to the PIX outside interface with a crossover Ethernet cable, not a regular Ethernet cable.

      Some other general references:
      PIX config guide - PIX software version 6.3:
      PIX config guide - PIX version 7.x (PIX models 515 or above only):
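    Added example, not from the thread or from Cisco: a small Python script that checks a candidate addressing plan for the Internet <-> 1721 <-> PIX <-> inside LAN layout against the rules the accepted solution spells out (ISP gateway on the Serial0 subnet, router LAN and PIX outside addresses in the public block, PIX default route at the router LAN IP, inside subnet disjoint from the public block, each static using a spare public address). The addresses are constructed placeholders from the RFC 5737 documentation ranges, since the thread's real IPs are not on the page; the Plan fields and check_plan are the example's own names, not anything from the PIX or IOS CLI.

```python
"""Addressing-plan checks for: Internet <-> 1721 <-> PIX <-> inside LAN.

Added example; not part of the thread. All addresses below are constructed
placeholders (RFC 5737 documentation ranges), not the poster's real IPs.
"""
import ipaddress
from dataclasses import dataclass, field

# The three private ranges the first reply lists as the ones not to mask out.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Plan:
    """One candidate plan; field names are this example's own, not CLI keywords."""
    isp_gateway: str        # ISP end of the T1, the router's default route next hop
    router_wan: str         # Serial0 address with prefix length
    public_block: str       # block routed to the router, used on FastEthernet0 / PIX outside
    router_lan: str         # FastEthernet0 address
    pix_outside: str        # PIX outside address
    pix_default_route: str  # next hop on the PIX 'route outside' line
    pix_inside: str         # PIX inside address with prefix length
    pc_gateway: str         # default gateway configured on PCs behind the PIX
    statics: dict = field(default_factory=dict)  # public IP -> inside server IP


def check_plan(plan: Plan) -> list:
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    issues = []
    router_wan = ipaddress.ip_interface(plan.router_wan)
    isp_gw = ipaddress.ip_address(plan.isp_gateway)
    block = ipaddress.ip_network(plan.public_block)
    router_lan = ipaddress.ip_address(plan.router_lan)
    pix_outside = ipaddress.ip_address(plan.pix_outside)
    pix_inside = ipaddress.ip_interface(plan.pix_inside)
    usable = set(block.hosts())

    # 'ip route 0.0.0.0 0.0.0.0 <isp>' only works if the ISP gateway is on-link on Serial0.
    if isp_gw not in router_wan.network:
        issues.append(f"ISP gateway {isp_gw} is not in the Serial0 subnet {router_wan.network}")

    # The statics live in this block, so it cannot be RFC 1918 space.
    if any(block.overlaps(n) for n in RFC1918):
        issues.append(f"block {block} is RFC 1918 space; the PIX outside side needs routable addresses")

    # Both ends of the crossover cable sit in the same block, on distinct usable addresses.
    for name, addr in (("router LAN", router_lan), ("PIX outside", pix_outside)):
        if addr not in usable:
            issues.append(f"{name} address {addr} is not a usable host in {block}")
    if router_lan == pix_outside:
        issues.append("router LAN and PIX outside addresses collide")

    # The PIX default route points at the router's LAN address and nothing else.
    if ipaddress.ip_address(plan.pix_default_route) != router_lan:
        issues.append("PIX 'route outside' next hop must be the router LAN address")

    # The inside subnet must be different from the subnets on either side of the router.
    for name, net in (("public block", block), ("Serial0 subnet", router_wan.network)):
        if pix_inside.network.overlaps(net):
            issues.append(f"PIX inside subnet {pix_inside.network} overlaps the {name} {net}")

    # PCs behind the PIX never see the router directly; their gateway is the PIX inside address.
    if ipaddress.ip_address(plan.pc_gateway) != pix_inside.ip:
        issues.append(f"PC gateway {plan.pc_gateway} should be the PIX inside address {pix_inside.ip}")

    # Each static uses a spare public address and maps to a server on the inside subnet.
    taken = {router_lan, pix_outside}
    for public, inside in plan.statics.items():
        pub, ins = ipaddress.ip_address(public), ipaddress.ip_address(inside)
        if pub not in usable or pub in taken:
            issues.append(f"static {public} is not a free usable address in {block}")
        taken.add(pub)
        if ins not in pix_inside.network:
            issues.append(f"static target {inside} is not on the PIX inside subnet {pix_inside.network}")
    return issues


# Constructed plan in the shape the accepted solution describes (a /29 gives 6 usable IPs).
GOOD_PLAN = Plan(
    isp_gateway="198.51.100.1", router_wan="198.51.100.2/30",
    public_block="203.0.113.80/29", router_lan="203.0.113.81", pix_outside="203.0.113.82",
    pix_default_route="203.0.113.81", pix_inside="192.168.6.1/24", pc_gateway="192.168.6.1",
    statics={"203.0.113.83": "192.168.6.10", "203.0.113.84": "192.168.6.11"},
)

# The layout the answer rejects: 192.168.6.x on the router LAN and 192.168.6.y behind the PIX.
OVERLAP_PLAN = Plan(
    isp_gateway="198.51.100.1", router_wan="198.51.100.2/30",
    public_block="192.168.6.0/24", router_lan="192.168.6.1", pix_outside="192.168.6.2",
    pix_default_route="192.168.6.1", pix_inside="192.168.6.3/24", pc_gateway="192.168.6.3",
)

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("overlap", OVERLAP_PLAN)):
        print(name, check_plan(plan) or ["ok"])
```

    Run as-is it reports the first plan clean and two findings for the second (private block on the PIX outside side, and the inside subnet overlapping it), which is exactly the 192.168.6.x-on-both-sides layout the answer says isn't possible. Substituting your real addresses for the placeholders before typing the configs catches the same mistakes without a console session.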


    Author Comment

    Thanks for the clarification. Now one last question on physical cabling of this setup. The T1 connection will go into the serial interface of the 1721; now should I put a switch where the FastEthernet can connect to and then on the PIX plug the WAN interface into the same switch? Then I have a core switch where my users are on that I assume the LAN side of the PIX can connect into?

    Expert Comment

    You don't need a switch between the PIX & 1721... I wouldn't, unless you have a specific reason to do so.  Adding a switch is adding another potential point of failure.  Just connect a Cat5 crossover cable between the 1721 & the PIX.


    Author Comment

    That's what I first envisioned, and that's what we will now do. Thank you for all of your suggestions!
