We help IT Professionals succeed at work.

Cisco 1721 router with a pix firewall config

Medium Priority
Last Modified: 2013-11-29
We are installing a new T1.5 internet protocal HDLC (static). We have a cisco 1721 router with a seperate pix firewall. what is the config process and NAT assignments to have these two devices working properly.

What I am not sure of is do we put in a default gateway on the Pix to point to the WAN IP of the 1721 or the WAN IP from carrier. I know it cannot be to the LAN IP of the 1721 because the Pix will not send a packet back on the same interface it’s received.

Thanks for your help,

Watch Question

hi Mike,  you'll need to be a lot more specific in your requirements, so we can help you.  A simple ASCII net diagram will also help.
>I know it cannot be to the LAN IP of the 1721 because the Pix will not send a packet back on the same interface...
  So you're *not* going to have the following typical setup??:  Internet <-> 1721 <-> PIX <-> inside LAN(s)
  Are there more than 1 internal LANs present? Please clarify the physical layout.

Important info to provide:
- This is a "point-to-point" T1 using HDLC encapsulation? (ISP has a Cisco router on the other end of this circuit?) And I assume the T1 connection will be plugged directly into a T1 card already installed in the router?
- Is the PIX's outside interface going to be directly connected to the LAN interface of the 1721?
- Is the LAN interface of the 1721 &/or the PIX outside interface going to have a public IP directly configured on it?
- Do you have any public servers that need to be accessible from the outside? ie, web, email, etc servers? If so, what are the LAN IPs of these servers going to be? And if they're going to be accessed by different IPs, post the IPs masked like so: x.x.x.81
- If a public email server is present, is it Exchange? If so, will you be using OWA? If OWA, will it be normal http or secure https?
- Please post "sanitized" public IPs that will be used in this config, but with correct subnet masks.  Example:
  ISP gateway: x.x.x.81
  WAN IP of router: x.x.x.82 with subnet mask
  LAN IP of router: x.x.x.202 with subnet mask
(But *don't* mask out private LAN IPs in these ranges: 10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- What model of PIX?
- Is the PIX going to be giving out DHCP, or do you have an internal server for this already?
- Please post current "show run" output from both router & PIX (any public IPs "sanitzed" as above), & indicate which interface on the 1721 will be the LAN interface.
- Please provide any other important info you can think of.



Yes its point to point. T1 card in router csu/dsu. PIX will be connected to router lan. 1721 will have a public ip. Yes public
servers need to be accessed. no email server. model of pix is a 501. pix will not be giving out dhcp. Cannot provide show run because we dont have it installed yet. no public ip available either. Can we substituite ip's for x.x.x.x.
can you lead us in the right direction with this info.

Thanks Mike.
>1721 will have a public ip
  Public IP only on outside interface? No public IP on LAN interface & no public IP on PIX outside interface? ie, No 2nd public subnet for use by PIX, router LAN interface & public servers, & NAT being to be done on router?  Not a recommended setup.  Believe me, it's much better & easier to have public IPs for: router LAN IP, PIX outside IP; & public IPs for each server.
   Just be aware, if you have more than one server of the same type - ie, 2 web servers to be accessed by the same public IP & both via tcp port 80 - this can't be done with a single public IP, not with the router or the PIX.

>Yes public servers need to be accessed.
   Ok, this is still very vague, but I could provide an example, & some URLs as guides.
>Can we substituite ip's for x.x.x.x
   Yes, but it's much easier to follow if we know the last number of the IP. And you don't lose any privacy/security this way.

Are you familiar with accessing the CLI interface on either the router or the PIX??



The LAN side for the 1721 and Pix were going to be 192.168.6.x and then we'll have a public IP on the serial interface of the 1721. On the Pix there will also be a public IP on the WAN interface. We will have a block of 6 public IPs, so most clients will go out on the public IP of the Pix, but in the future there will be a handful of servers that will be NAT'd through the Pix so will translate to a public IP. Then inbound we might have an FTP server that will have restricted accesss by IP. We will not be doing port forwarding, so if we have another server that will host a different FTP site then it will go strictly by the IP address. We are vaguely familiar with the CLI. The main question here is the routing. If we have a client PC that GW should be set to that of the 1721, so say it looks like this.

Client Internal IP -
GW - - 1721
DNS - Will use one's assigned from provider

Client requests access to HTTP port 80 --> Cisco 1721 now on the 1721 do we have a route point to internal IP of pix --> Pix 501 inspects traffic and then on the Pix do we have a static route to providers GW interface and then the client will be known on the Internet through the Public IP of the Pix 501?

Then on inbound what we want is this.

Remote client requests ftp to x.x.x.x (this being one of our public IP's that has a NAT translation in Pix to that hits the 1721 on the WAN ineterface it passes through to the Pix on the WAN side is inspected and finds a match for the rule allowing FTP from that client to the FTP server in question, and then passes it to the server.
>The LAN side for the 1721 and Pix were going to be 192.168.6.x and then we'll have a public IP on
> the serial interface of the 1721. On the Pix there will also be a public IP on the WAN interface.
If you were intending something like this:
  router LAN IP: 192.168.6.x
  PIX WAN IP: <some public IP>
  PIX LAN IP: 192.168.6.y
...then this isn't possible.  The IP ranges on the _LAN_ side of both devices (inside subnets) *must* be different.

Since you said you'll have a block of 6 public IPs, below is a general example of how you'll want to set this up.  Since the info provided above is still pretty vague, I'll be making the following assumptions for the purpose of the example:
  Router WAN IP: subnet mask:
  Router default gateway at ISP:
  Router WAN interface: Serial0
  Public block of 6 IPs: subnet mask: (usable IPs:
  Router LAN (inside) IP:
  Router LAN interface: FastEthernet0
  LAN behind PIX: 192.168.6.x
  default gateway for PCs behind PIX:
  web server behind PIX: (accessible from Internet via public IP:
  web server behind PIX: (accessible from Internet via public IP:

  On 1721:
interface FastEthernet0
ip address
no shut

interface Serial0
ip address
no shut

ip route
copy run start   <- saves config to the router

  On PIX:
access-list inbound permit icmp any any echo-reply   <- allow replies for outbound pings
access-list inbound permit tcp any host eq 80  <- allow access to web server
access-list inbound permit tcp any host eq 21  <- allow access to FTP server
access-group inbound in interface outside
ip address outside
ip address inside
nat (inside) 1 0 0
global (outside) 1 interface
route outside
clear xlate
static (inside,outside)
static (inside,outside)
write mem     <- saves config to the PIX

Once again, the above is a basic general example only, based on the info provided. You'll of course need to substitute IPs & actual interface names as necessary to match what you'll have.  You'll need to connect the router LAN interface (FastEthernet0) to the PIX outside interface with a crossover Ethernet cable, not a regular Ethernet cable.

  Some other general references:
  PIX config guide - PIX software version 6.3:
  PIX config guide - PIX version 7.x (PIX models 515 or above only):


Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


Thanks for the clarification. Now one last question on physical cabling of this setup. The T1 connection will go into the serial interface of the 1721, now should I put a switch where the fastethernet can connect to and then on the Pix plug the WAN interface into the same switch? Then I have a core switch where my users are on that I assume the LAN side of the Pix can connect into?
You don't need a switch between the PIX & 1721... I wouldn't, unless you have a specific reason to do so.  Adding a switch is adding another potential point of failure.  Just connect a Cat5 crossover cable between the 1721 & the PIX.



That's what I first envisioned, and that's what we will now do. Thank you for all of your suggestions!
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.