
Please check my configured PIX 506e.

Unanswered Question
Jul 22nd, 2010

Above is a simple diagram of my network.
The background of my work is:

1. Replace firewall from Watchguard III 700 to spare PIX 506e.

2. I have 8 public ip addresses from my ISP. Only one ip address has a registered PTR, so I have to use that one for PAT and my mail server.

3. I have to set up port forward from outside to inside server; Exchange 2007 server and Openvpn server.

4. I have to setup firewall to route ip-pbx server to some ip-pbx devices.

I am a firewall novice. I have just read the Cisco website and other websites.

Here is my configuration command. Please take a look and give me some comment.

1. nameif ethernet0 outside security0
2. nameif ethernet1 inside security100
3. interface ethernet0 100full
4. interface ethernet1 100full
5. ip address outside
6. ip address inside

NAT+PAT configuration
7. nat (inside) 1
8. global (outside) 1
9. access-list OUTBOUND permit tcp any eq www
10. access-list OUTBOUND deny tcp any any eq www
11. access-list OUTBOUND permit ip any any
12. access-group OUTBOUND in interface inside

Port forwarding from outside to inside
13. static (inside,outside) tcp smtp smtp netmask
14. static (inside,outside) tcp 443 443 netmask
15. static (inside,outside) udp 1194 1194 netmask
16. access-list INBOUND permit tcp any host netmask eq smtp
17. access-list INBOUND permit tcp any host netmask eq 443
18. access-list INBOUND permit udp any host netmask eq 1194
19. access-group INBOUND in interface outside   <-- Is it right?

Routes to default gateway
20. route outside

Routes for some ip-pbx
21. route inside
22. route inside
23. route inside
24. route inside
25. route inside

That's all. I don't try it in the real environment yet.

My problems are 16-19. I cannot apply these access lists.

Another problem is 22 and 24: the PIX cannot route the same ip address range to another.

Thanks in advance.

Jennifer Halim (Cisco Employee) Thu, 07/22/2010 - 02:42

A few suggestions to look into:

- Your point 8 and points 13 & 14 are using the same external ip address, which is overlapping. I would suggest that for point 8, you either use another spare ip address, or alternatively use the outside interface ip address as follows:

global (outside) 1 interface

- For point 16, 17 and 18, you would need to configure ACL to point to the public ip address instead of the private ip address as follows:

access-list INBOUND permit tcp any host eq smtp

access-list INBOUND permit tcp any host  eq 443

access-list INBOUND permit udp any host  eq 1194

- Points 24 and 25 are incorrect. You won't be able to route traffic towards an ip address which is not in the same subnet as your inside interface. Not too sure what you are trying to achieve. Points 22 and 23 are already correct. If you would like to route the and subnets further, that needs to be configured on the downstream routers ( and routers).

- Lastly the ip address on the diagram doesn't really correspond to the configuration ip address (for inside network). Hope that is only typos.

The rest of the configuration looks good to me.

Hope that helps.
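The two checks Jennifer describes above (an inbound ACL on the outside interface must reference the mapped public address of a static, and a route's next hop must lie in a directly connected subnet), as an added Python example that is not part of this thread and not Cisco's code. It runs over a constructed PIX 6.x-style config using documentation and RFC 1918 addresses; the simplified parsing (only `host` ACL entries and tcp/udp port statics, `ip address` lines before `route` lines) is an assumption of the example, not a full PIX parser.

```python
import ipaddress
import re

# Constructed sample config: contains one wrong ACL host (real address
# 192.168.1.10 instead of mapped 203.0.113.2) and one bad next hop.
SAMPLE_CONFIG = """
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp 203.0.113.2 smtp 192.168.1.10 smtp netmask 255.255.255.255
access-list INBOUND permit tcp any host 192.168.1.10 eq smtp
access-list INBOUND permit tcp any host 203.0.113.2 eq 443
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 10.10.0.0 255.255.255.0 192.168.1.254
route inside 10.20.0.0 255.255.255.0 10.10.0.254
"""

def check_config(text):
    """Return a list of findings for the PIX-style config text (assumed simplified syntax)."""
    findings = []
    subnets = {}      # interface name -> connected network
    mapped_for = {}   # real (inside) address -> mapped (outside) address
    acl_iface = {}    # ACL name -> interface it is applied to
    acl_hosts = []    # (ACL name, host address referenced)
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"ip address (\S+) (\S+) (\S+)", line):
            subnets[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"static \(\S+\) (?:tcp|udp) (\S+) \S+ (\S+)", line):
            mapped_for[m[2]] = m[1]
        elif m := re.match(r"access-list (\S+) permit \S+ any host (\S+)", line):
            acl_hosts.append((m[1], m[2]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            acl_iface[m[1]] = m[2]
        elif m := re.match(r"route (\S+) \S+ \S+ (\S+)", line):
            hop = ipaddress.ip_address(m[2])
            # A next hop the PIX cannot ARP for on any interface is unreachable.
            if not any(hop in net for net in subnets.values()):
                findings.append(f"route via {hop}: next hop not in any connected subnet")
    for name, host in acl_hosts:
        # PIX 6.x applies the inbound ACL to the mapped (pre-untranslation) address.
        if acl_iface.get(name) == "outside" and host in mapped_for:
            findings.append(f"{name}: host {host} is a real address; use mapped {mapped_for[host]}")
    return findings

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```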

t.techasakul Thu, 07/22/2010 - 19:24

Thank you halijenn.

Actually, no. 13 and 14 are okay. I can configure them to use the same IP as PAT. And I will use the ACL that you wrote.

For 24 and 25, I still don't understand why the ex-technician put it in Watchguard.

Thanks again.
