Cisco Support Community
New Member

Please check my configured PIX 506e.


Above is a simple diagram of my network.
The background of my work is:

1. Replace the firewall from a Watchguard III 700 with a spare PIX 506e.

2. I have 8 public IP addresses from my ISP. Only one IP address has a registered PTR, so I have to use that one for PAT and my mail server.

3. I have to set up port forwarding from outside to inside servers: an Exchange 2007 server and an OpenVPN server.

4. I have to set up the firewall to route the IP-PBX server to some IP-PBX devices.

I am a firewall novice. I have just read the Cisco website and other websites.

Here is my configuration. Please take a look and give me some comments.

1. nameif ethernet0 outside security0

2. nameif ethernet1 inside security100

3. interface ethernet0 100full

4. interface ethernet1 100full

5. ip address outside

6. ip address inside

NAT+PAT configuration

7. nat (inside) 1

8. global (outside) 1

9. access-list OUTBOUND permit tcp any eq www

10. access-list OUTBOUND deny tcp any any eq www

11. access-list OUTBOUND permit ip any any

12. access-group OUTBOUND in interface inside

Port forwarding from outside to inside

13. static (inside,outside) tcp smtp  smtp netmask
14. static (inside,outside) tcp 443 443 netmask

15. static (inside,outside) udp 1194 1194 netmask

16. access-list INBOUND permit tcp any host netmask eq smtp

17. access-list INBOUND permit tcp any host netmask  eq 443

18. access-list INBOUND permit udp any host netmask  eq 1194

19. access-group INBOUND in interface outside    (Is it right?)

Routes to Default gateway

20. route outside

Routes for some IP-PBX

21. route inside

22. route inside

23. route inside

24. route inside

25. route inside

That's all. I haven't tried it in the real environment yet.

My problems are 16-19. I cannot apply these access lists.

Another problem is 22 and 24: the PIX cannot route the same IP address range to another.

Thanks in advance.

Cisco Employee

Re: Please check my configured PIX 506e.

A few suggestions to look into:

- Your point 8 and points 13 & 14 are using the same external IP address, which is overlapping. I would suggest that for point 8 you either use another spare IP address, or alternatively use the outside interface IP address as follows:

global (outside) 1 interface

- For points 16, 17 and 18, you would need to configure the ACL to point to the public IP address instead of the private IP address, as follows:

access-list INBOUND permit tcp any host eq smtp

access-list INBOUND permit tcp any host  eq 443

access-list INBOUND permit udp any host  eq 1194

- Points 24 and 25 are incorrect. You won't be able to route traffic towards an IP address which is not in the same subnet as your inside interface. Not too sure what you are trying to achieve. Points 22 and 23 are already correct. If you would like to route the and subnets further, that needs to be configured on the downstream router ( and routers).

- Lastly, the IP address on the diagram doesn't really correspond to the configuration IP address (for the inside network). Hope that is only a typo.

The rest of the configuration looks good to me.

Hope that helps.
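As an added example that is not part of this thread, here is a small Python lint for the three points raised in the reply above: an inbound ACL that names the real inside address instead of the translated one, a global PAT address shared with a static, and a route inside whose next hop is not in the inside subnet. The PIX 6.x fragment and every address in it are constructed placeholders (RFC 5737 ranges), and the shared-address case is reported for review rather than as a hard error, since the original poster notes it worked for port-level static PAT.

```python
import ipaddress

# Constructed PIX 6.x fragment mirroring the numbered lines in the thread;
# all addresses are documentation placeholders, not the poster's real ones.
SAMPLE_CONFIG = """\
ip address inside 192.0.2.1 255.255.255.0
global (outside) 1 203.0.113.10
static (inside,outside) tcp 203.0.113.10 smtp 192.0.2.25 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 443 192.0.2.25 443 netmask 255.255.255.255
access-list INBOUND permit tcp any host 192.0.2.25 eq smtp
access-list INBOUND permit tcp any host 203.0.113.11 eq 443
route inside 10.10.0.0 255.255.255.0 192.0.2.254 1
route inside 10.20.0.0 255.255.255.0 10.10.0.1 1
"""


def lint_pix(config):
    """Return a list of findings for the three issues discussed in the reply."""
    inside_net, pat_ips, statics, acl_hosts, routes = None, [], [], [], []
    for line in config.splitlines():
        p = line.split()
        if line.startswith("ip address inside"):
            inside_net = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif line.startswith("global (outside)") and p[3] != "interface":
            pat_ips.append(p[3])                 # explicit PAT address
        elif line.startswith("static (inside,outside)"):
            statics.append((p[3], p[5]))         # (translated ip, real ip)
        elif line.startswith("access-list") and "host" in p:
            acl_hosts.append(p[p.index("host") + 1])
        elif line.startswith("route inside"):
            routes.append((p[2], p[4]))          # (destination, gateway)

    findings = []
    real_ips = {real for _, real in statics}
    for host in acl_hosts:                       # ACL must match translated address
        if host in real_ips:
            findings.append(f"ACL references real address {host}; on PIX 6.x an "
                            "inbound ACL must match the translated public address")
    for translated, _ in statics:                # PAT address reused by a static
        if translated in pat_ips:
            findings.append(f"{translated} is used for both global PAT and a static; "
                            "confirm port-level static PAT is intended")
    for dest, gw in routes:                      # next hop must sit on inside subnet
        if inside_net and ipaddress.ip_address(gw) not in inside_net:
            findings.append(f"route inside {dest} via {gw}: gateway is not in "
                            f"{inside_net}, so it can never be reached")
    return findings
```

Running `lint_pix(SAMPLE_CONFIG)` yields one finding per category; a configuration whose inbound ACLs, PAT address and next hops are all consistent returns an empty list.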

New Member

Re: Please check my configured PIX 506e.

Thank you halijenn.

Actually, no. 13 and 14 are okay. I can configure them to use the same IP as PAT. And I will use the ACL that you wrote.

For 24 and 25, I still don't understand why the ex-technician put it in Watchguard.

Thanks again.
