New PIX 525 config help

Unanswered Question
Sep 24th, 2010


I am a new member on the forum and new to routing and Cisco products. I am a Windows network administrator. One of my clients recently went out of business and, in lieu of some money that they owed me, they gave me some equipment including a PIX 525.

I am interested in learning more about routing and Cisco equipment so I am trying to use the PIX in my own network. I have downloaded the configuration guide (version 6.3) from Cisco and read topics from this and other forums and have managed to put together a config that seems to be doing what I want it to do for the most part. I have run into a few problems that I would like you folks to help me with if possible. The problem I have is that the Cisco documentation assumes that you are intimately familiar with routing and also IOS, which I am not.

Here is my network setup…

I have a range of static IPs from my cable ISP

I have a windows SBS server running exchange and PPTP vpn.

I have another windows server running an FTP site.

I have a windows server that I use to test new configurations that will potentially run any number of hosted services (mail, web, ftp, vpn etc.).

I use one of my IPs for internet access only for guests.

Previously, I had only one static IP and was using Linksys routers with port forwarding so that I could host my services. The problem was that I couldn’t host more than one mail server or have remote desktop access to more than one server without changing the listening ports. To solve this, I upgraded to a block of 5 static IPs.

My goal now is to use the PIX 525 to direct traffic to each server which resides on a different physical interface with a different subnet. I am currently using NAT and access lists to route traffic coming in on each public IP to a specific internal interface. So far everything seems to be working for the most part.

The interface labeled dmz is the interface my test server resides on. The goal here was to direct any incoming ip traffic to this interface and allow a Linksys router to do the port forwarding. I thought this would be simpler to configure since this machine will host different services depending on what I am working with at the time.

Interface inside1 is my own SBS server with exchange.

Interface inside2 is where my FTP server is.

Interface internet is the guest access internet only subnet

Below is the software version info from the PIX…

Cisco PIX Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)

Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "flash:/pix802.bin"
Config file at boot was "startup-config"

pixfirewall up 1 hour 24 mins

Hardware:   PIX-525, 384 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash E28F400B5T @ 0xfffd8000, 32KB

Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
0: Ext: Ethernet0           : address is 0005.9bca.3356, irq 10
1: Ext: Ethernet1           : address is 0005.9bca.3357, irq 11
2: Ext: Ethernet2           : address is 00e0.b604.f027, irq 11
3: Ext: Ethernet3           : address is 00e0.b604.f026, irq 10
4: Ext: Ethernet4           : address is 00e0.b604.f025, irq 9
5: Ext: Ethernet5           : address is 00e0.b604.f024, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : 10
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Cut-through Proxy            : Enabled
Guards                       : Enabled
URL Filtering                : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : Unlimited

Below is the scrubbed config I have setup…

PIX Version 8.0(2)
hostname pixfirewall
enable password xxxxxxxxxxxxxx encrypted
interface Ethernet0
nameif outside
security-level 0
ip address
ospf cost 10
interface Ethernet1
nameif inside1
security-level 100
ip address
ospf cost 10
interface Ethernet2
nameif inside2
security-level 90
ip address
ospf cost 10
interface Ethernet3
nameif dmz
security-level 80
ip address
ospf cost 10
interface Ethernet4
nameif internet
security-level 70
ip address
ospf cost 10
interface Ethernet5
no nameif
no security-level
no ip address
passwd xxxxxxxxxxxxxxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list 101 extended permit tcp any host eq 3389
access-list 101 extended permit tcp any host eq 3389
access-list 101 extended permit tcp any host eq smtp
access-list 101 extended permit tcp any host eq www
access-list 101 extended permit tcp any host eq https
access-list 101 extended permit tcp any host eq pop3
access-list 101 extended permit tcp any host eq ftp
access-list 101 extended permit ip any host
access-list 101 extended permit tcp any host eq 5000
pager lines 24
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
mtu dmz 1500
mtu internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2
global (outside) 3
global (outside) 4
nat (inside1) 1
nat (inside2) 2
nat (dmz) 3
nat (internet) 4
static (inside2,outside) tcp 3389 3389 netmask
static (inside1,outside) tcp interface 3389 3389 netmask
static (inside1,outside) tcp interface smtp smtp netmask
static (inside1,outside) tcp interface 5000 5000 netmask
static (inside2,outside) tcp ftp ftp netmask
static (inside1,outside) tcp interface www www netmask
static (inside1,outside) tcp interface https https netmask
static (inside1,outside) tcp interface pop3 pop3 netmask
static (dmz,outside) netmask
access-group 101 in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh inside1
ssh timeout 30
console timeout 0
dhcpd dns
dhcpd address internet
dhcpd enable internet
threat-detection basic-threat
threat-detection statistics
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
ntp server source outside prefer
prompt hostname context
: end

I would appreciate if you guys could take a look at this to see if I set it up correctly and give me any recommendations you see fit.

Thanks a million.

praprama Fri, 09/24/2010 - 08:48


The config looks alright based on the below 2 lines:

static (dmz,outside) netmask
access-list 101 extended permit ip any host

I am not sure of what problem you are facing currently.



Chris Mickle Fri, 09/24/2010 - 09:25

No problems on the dmz interface so far. The only problems I have still are the following...

No access to other public IPs from inside interfaces. For instance, I can't access from machines on interface1 even though the ASDM interface has inherent rules that were apparently automatically created to allow from higher security to lower security.

I used to have PPTP VPN that I could access from a client computer in the inside1 interface and I can't get PPTP traffic to pass through anymore even if I forward port 1723 and disable the PPTP fixup protocol. The connections just hang at verifying username and password. If I reconnect everything the way it was before the PIX it works again.

I know the PIX no longer supports PPTP VPN itself after software version 7.x I think, but I don't understand why I can't still allow the traffic to pass through to another server.

Also I just wanted to see if the entire config was in good shape and avoid any problems if any were evident or see if the current config is the best way to accomplish my goals.

Sorry I forgot to include the above in my original post.

praprama Fri, 09/24/2010 - 10:00


So you are trying to perform hairpinning on the PIX. When you try to access from the inside1 interface, you will need the below static commands in place:

static (inside2,inside1) tcp 3389 3389 netmask
static (inside2,inside1) tcp ftp ftp netmask

Now this traffic is going from higher to lower security level so it should work by default. Now if you want to allow inside2 users to access which is the outside IP address, you will need the below commands:

static (inside1,inside2) tcp interface 3389 3389 netmask
static (inside1,inside2) tcp interface smtp smtp netmask
static (inside1,inside2) tcp interface 5000 5000 netmask
static (inside1,inside2) tcp interface www www netmask
static (inside1,inside2) tcp interface https https netmask
static (inside1,inside2) tcp interface pop3 pop3 netmask

In addition to this, you will need access-lists permitting the respective traffic to the IP address on the inside2 interface as well, as this is from a lower to higher security level interface.

Coming to PPTP VPN pass through, I guess you are trying to connect to the PPTP VPN server behind your PIX. Is it the IP address server that is hosting the PPTP VPN? Or is it some other server?

PPTP in general does not work with a Static PAT because it involves GRE and since GRE does not have port numbers, PAT does not work with PPTP. You will need a 1:1 NAT for the PPTP server's IP address as in the case of

Hope this helps!!
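The statics, access-list and 1:1 NAT that the reply above describes, written out in PIX 8.0(2) syntax as an added example that is not part of the thread. Every address in angle brackets is a placeholder (the thread's addresses were scrubbed), the access-list name inside2_in is an assumed name, and the PPTP section assumes a spare public address from the block is dedicated to the PPTP server. Two points the reply leaves implicit: with the "interface" keyword in a static (inside1,inside2) line the mapped address is the PIX's own inside2 interface IP, not the outside address, and a 1:1 static covers every port, so for the PPTP server it stands in for the per-port statics on the outside interface address while access-list 101 still decides which ports are reachable.

```cisco
! Added example (not from the thread). Interface names and security levels are the ones in the
! posted config: inside1 (100), inside2 (90), dmz (80), outside (0). <...> values are placeholders.

! --- 1. Hairpin statics: inside1 hosts reach the inside2 FTP server by its public address ---
! Form: static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port netmask mask
! Reusing the public IP from the existing (inside2,outside) static means the public URL works
! the same from inside1 as from the Internet.
static (inside2,inside1) tcp <FTP_PUBLIC_IP> ftp <FTP_SERVER_INSIDE2_IP> ftp netmask 255.255.255.255
static (inside2,inside1) tcp <FTP_PUBLIC_IP> 3389 <FTP_SERVER_INSIDE2_IP> 3389 netmask 255.255.255.255
! inside1 (100) -> inside2 (90) is higher to lower, so no access-list is required for this direction.

! --- 2. Reverse direction: inside2 hosts reach the SBS mail server on inside1 ---
! "interface" makes the mapped address the PIX's inside2 interface IP; inside2 clients use that.
static (inside1,inside2) tcp interface smtp <SBS_INSIDE1_IP> smtp netmask 255.255.255.255
static (inside1,inside2) tcp interface pop3 <SBS_INSIDE1_IP> pop3 netmask 255.255.255.255
! inside2 (90) -> inside1 (100) is lower to higher, so an inbound access-list on inside2 is needed.
! Applying an access-group replaces the implicit "permit to lower security" behaviour on inside2,
! so the list must also carry the outbound rules inside2 still needs. The explicit deny keeps
! inside2 hosts away from everything else on inside1.
access-list inside2_in extended permit tcp <INSIDE2_SUBNET> <INSIDE2_MASK> host <INSIDE2_INTERFACE_IP> eq smtp
access-list inside2_in extended permit tcp <INSIDE2_SUBNET> <INSIDE2_MASK> host <INSIDE2_INTERFACE_IP> eq pop3
access-list inside2_in extended deny ip any <INSIDE1_SUBNET> <INSIDE1_MASK>
access-list inside2_in extended permit ip <INSIDE2_SUBNET> <INSIDE2_MASK> any
access-group inside2_in in interface inside2

! --- 3. PPTP pass-through: 1:1 static for the PPTP server plus GRE in the outside access-list ---
! PPTP's data channel is GRE (IP protocol 47), which has no ports, so a port static cannot carry
! it. A 1:1 static on a dedicated public address translates the whole host, GRE included.
static (inside1,outside) <PPTP_PUBLIC_IP> <PPTP_SERVER_INSIDE1_IP> netmask 255.255.255.255
access-list 101 extended permit tcp any host <PPTP_PUBLIC_IP> eq pptp
access-list 101 extended permit gre any host <PPTP_PUBLIC_IP>
! PPTP inspection ties the GRE call to its TCP 1723 control session.
policy-map global_policy
 class inspection_default
  inspect pptp

! --- 4. Checks: new statics apply only to new translations; packet-tracer shows the verdict ---
clear xlate
packet-tracer input inside1 tcp <INSIDE1_CLIENT_IP> 1025 <FTP_PUBLIC_IP> 21
packet-tracer input inside2 tcp <INSIDE2_CLIENT_IP> 1025 <INSIDE2_INTERFACE_IP> 25
packet-tracer input outside tcp <REMOTE_CLIENT_IP> 1025 <PPTP_PUBLIC_IP> 1723
show xlate
show access-list inside2_in
```

Each packet-tracer run prints the NAT and access-list phases it passed and the final ALLOW or DROP with the rule responsible, which answers "is it NAT or the ACL" without guessing; the hit counts in show access-list inside2_in confirm which permit or deny line the live traffic is actually matching.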



Chris Mickle Fri, 09/24/2010 - 18:25

Thanks for all the info so far Prapanch,

First, what is hairpinning?

Second, after reviewing your response I realized I had meant to say that I can't access inside interfaces with lower security levels. For instance, a computer on inside1 with ip where the security-level is 100 can not get to the ftp site hosted on inside2 security-level 90. I was under the impression that the pix allowed this by default. As it is though I can not access the ftp site with the url So do I have to create a static command or an access list or what? I don't see any need to access higher security interfaces from lower security interfaces on this setup.

Third. That explains why the VPN won't work. Unfortunately, the VPN server was my SBS server on inside1. I don't think 1:1 nat would work because then I would have to use another router on inside1, right? This is possible but it really defeats my goal of trying to use the pix for as many things as possible in order to learn it. 1:1 NAT would be good for the DMZ though because I want another router to control the port forwarding to that network anyway because it is the test network.

What then would be a good alternative to PPTP on SBS server? The goal is to have access to resources on inside1 from the outside that I could configure easily on client computers.
