Verification request of config of PIX Catalyst logical interface

Unanswered Question
Mar 9th, 2007

I have a need to use one interface on my PIX 525 (version 7.2(2)) as a logical interface so that I can use NAT to reference local non-routable DMZ IP addresses into ospf advertised IP addresses. I've connected PIX ethernet 4 into my Cisco 6500 switch slot 12 port 43. I've enabled trunking on 12/43 and 12/43 resides in my management domain (VLAN1). My relevant switch and FW config is below.

Issue: Not working: Host attempts to RDP to NAT address but fails. I would like to have confirmation that this config is correct from the community.

Catalyst Switch

Port status is:
12/43 PIX-525-ETH4 connected trunk full 100 10/100/1000

Trunk config is:
clear trunk 12/43 2-239,241-1005,1025-4094
set trunk 12/43 on dot1q 1,240

Trunk status is:
12/43 on dot1q trunking 1

Firewall interface config is:

interface Ethernet4
 description Base interface for DMZ translations
 speed 100
 duplex full
 no nameif
 security-level 100
 no ip address

interface Ethernet4.240
 vlan 240
 nameif VLAN240
 security-level 75
 ip address

ACL config is:

access-list VLAN240 remark NAT control into VLAN240 from inside
access-list VLAN240 extended permit ip host
access-list VLAN240_IN remark Regulate access from VLAN240 into inside
access-list VLAN240_IN extended permit tcp host eq 3389 host
access-list VLAN240_IN extended deny ip any any

NAT config is:

global (outside) 30 X.X.X.X netmask
global (XXXXXX) 3 interface
global (XXXXXX) 20 interface
global (VLAN240) 50 interface
nat (inside) 0 access-list NONAT
nat (inside) 3 access-list XXX
nat (inside) 20 access-list XXXXXX
nat (inside) 30 access-list WWW
nat (inside) 50 access-list VLAN240
nat (XXXXXX) 0 access-list NONAT-VPN
static (inside,VLAN240) netmask
access-group VLAN240_IN in interface VLAN240

Return route does exist.

Jon Marshall Mon, 03/12/2007 - 06:23

Try changing your static statement from

static (inside,VLAN240) netmask

to

static (VLAN240,inside) netmask

Also I'm a little unclear what your access-list VLAN240_IN is doing. At the moment it says

allow the host on port 3389 to talk to the pix VLAN240 interface on any port.

This doesn't seem to make much sense. Perhaps I have misunderstood; could you elaborate?
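As an added example that is not the original poster's configuration or part of Jon's reply, here is a PIX 7.2 fragment written in the direction Jon suggests, using constructed placeholder addresses: 10.240.0.10 is the DMZ host's real address on VLAN240 and 198.51.100.10 is the OSPF-advertised address that inside hosts connect to. The comments at the end list the standard PIX 7.2 commands for checking that the translation is actually used.

```cisco
! Subinterface carrying the DMZ VLAN over the dot1q trunk (placeholder address)
interface Ethernet4.240
 vlan 240
 nameif VLAN240
 security-level 75
 ip address 10.240.0.1 255.255.255.0

! static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! The DMZ host is real on VLAN240 and is presented to the inside as 198.51.100.10,
! so the pair is (VLAN240,inside), not (inside,VLAN240).
static (VLAN240,inside) 198.51.100.10 10.240.0.10 netmask 255.255.255.255

! Inside (level 100) to VLAN240 (level 75) is higher-to-lower, so an inside host
! reaching 198.51.100.10:3389 needs no ACL entry unless an access-group is bound
! to the inside interface. The DMZ host's replies ride the existing connection
! state, so the ACL applied inbound on VLAN240 only has to cover sessions the
! DMZ host itself initiates; a source-port 3389 permit is not needed for RDP replies.
access-list VLAN240_IN remark Sessions the DMZ host may initiate towards inside
access-list VLAN240_IN extended deny ip any any
access-group VLAN240_IN in interface VLAN240

! 198.51.100.10 must be routed (via OSPF) to the PIX inside interface, otherwise the
! inside host's SYN never reaches the firewall and no xlate is ever built.
!
! Checks from the PIX CLI (constructed inside host 10.1.1.5):
!   packet-tracer input inside tcp 10.1.1.5 40000 198.51.100.10 3389
!     -> the NAT phase should reference the static above and the result should be ALLOW
!   show xlate
!     -> after a connection has used it, expect Global 198.51.100.10 Local 10.240.0.10
!   show conn
!     -> an established TCP entry between 10.1.1.5 and 10.240.0.10 on port 3389
```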
