Cisco PIX question

Posted on 2006-05-31
Last Modified: 2010-03-19
Good Morning,
   I am helping a local ISP (Wireless Provider) with some issues they are having.  Here is the current scenario that they brought to me yesterday.

   They have a Cisco 501 PIX that is configured with their Public IP for a Segment of their wireless canopy.  They then have a static IP address assigned to a customer's PIX 501 that connects to the inside interface of the PIX.

    What they would like to do is to have this customer also have a public IP Address on the Outside Interface on their own PIX Unit.

ISP PIX Int 0 (Outside) Public IP - ISP PIX Int 1 (Inside) Private IP - Client's PIX Int 0 (Outside) Wants a Public Address - Client's PIX Int 1 (inside) their own Network of Private IPs.

They want to have a Public IP routed through the ISP PIX and then do NATing to their FTP and Mail server on the Client's Private Network.

If it was a router it is possible; I am not sure on a PIX.

Question by:tolsonkra
    LVL 79

    Accepted Solution

    The only thing that they can do is have a 1-1 static on the public-facing PIX:
    static (inside,outside) <public IP> <private IP of Client PIX> netmask 255.255.255.255
    access-list outside_in permit ip any host <public IP>
    access-group outside_in in interface outside

    The Client PIX can then NAT ftp and mail, but to the private IP of the interface:
    static (inside,outside) tcp interface smtp <private mail server ip> smtp netmask 255.255.255.255
    static (inside,outside) tcp interface ftp <private mail server ip> ftp netmask 255.255.255.255
    static (inside,outside) tcp interface ftp-data <private mail server ip> ftp-data netmask 255.255.255.255
    <appropriate acls, applied, of course>
    Anything hitting the public IP will be forwarded to the client PIX, which will then be forwarded to the server(s).
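The double-NAT path from the accepted answer, traced in a short script that is an added example and not part of the original thread. All addresses (203.0.113.10, 192.168.50.2, 10.10.10.x) are constructed, the client PIX ACL lines are one assumed reading of "appropriate acls", and the parser is hypothetical and only understands the command forms shown in the answer.

```python
import re

# Constructed sample configs (documentation/private addresses, not from the thread).
ISP_PIX = """\
static (inside,outside) 203.0.113.10 192.168.50.2 netmask 255.255.255.255
access-list outside_in permit ip any host 203.0.113.10
access-group outside_in in interface outside
"""
CLIENT_PIX = """\
static (inside,outside) tcp interface smtp 10.10.10.25 smtp netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.10.10.21 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 10.10.10.21 ftp-data netmask 255.255.255.255
access-list outside_in permit tcp any host 192.168.50.2 eq smtp
access-list outside_in permit tcp any host 192.168.50.2 eq ftp
access-list outside_in permit tcp any host 192.168.50.2 eq ftp-data
access-group outside_in in interface outside
"""
CLIENT_OUTSIDE_IP = "192.168.50.2"  # what the "interface" keyword stands for (assumed)

ONE_TO_ONE = re.compile(r"static \(inside,outside\) (\d\S+) (\d\S+) netmask")
PORT_FWD = re.compile(r"static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask")
ACL = re.compile(r"access-list \S+ permit (ip|tcp) any host (\S+)(?: eq (\S+))?")

def acl_permits(config, dst_ip, port):
    """True if a permit line matches the destination; otherwise the implicit deny applies."""
    return any(host == dst_ip and (proto == "ip" or eq == port)
               for proto, host, eq in ACL.findall(config))

def trace(public_ip, port):
    """Follow one inbound TCP connection; return (server, port) or the drop reason."""
    if not acl_permits(ISP_PIX, public_ip, port):
        return "dropped by ISP PIX ACL"
    hop = dict(ONE_TO_ONE.findall(ISP_PIX)).get(public_ip)
    if hop != CLIENT_OUTSIDE_IP:
        return "no static to the client PIX"
    if not acl_permits(CLIENT_PIX, hop, port):
        return "dropped by client PIX ACL"
    for global_port, server, local_port in PORT_FWD.findall(CLIENT_PIX):
        if global_port == port:
            return (server, local_port)
    return "no port static on client PIX"

if __name__ == "__main__":
    for p in ("smtp", "ftp", "www"):
        print(p, "->", trace("203.0.113.10", p))
```

With `permit ip any host <public IP>` on the ISP PIX, the www connection in the sample run is passed through to the client PIX and is stopped only by the client PIX's own ACL.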
    LVL 3

    Author Comment


    I kind of thought that it would need to be this way.  I had most of it right.  I will let you know how it works.

    LVL 3

    Author Comment

      This config worked great.  Thanks.

    LVL 79

    Expert Comment

    Glad to hear it!
