Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member


We are in the process of replacing our 3Com Access builder (dial-in) system with a Cisco PIX 515e.

Currently, we have a 350+ node IP based WAN with fixed IP addresses. It works well. But, our addressing scheme does not currently utilize IANA reserved addresses. We have numerous offices linked by dedicated line. We are running NT4.0 servers and also and have several distinct, domains with no trusted Domains. A future plan is to consolidate Domains prior to migrating to Windows2000.

We have no immediate plans to allow direct Internet access from our WAN, although it is certainly a future likelihood that we will modify our topology to permit direct workstation access. However, this is several years away.

Several questions come to mind and we have been getting different answers from different "experts."

Does it make sense to convert our internal IP addressing to one of the private address blocks; (i.e... or go with NAT? What are the concerns and issues associated with each? Is security a problem or advantage when using NAT?

Are we required to go forward with changing our internal IP addressing our internal WAN with a private address scheme if we are to use the Cisco PIX firewall?

Thanks for your help...


Cisco Employee


There is no need to change your current ip addressing scheme in order to use the PIX.

NAT alone is not enough to secure a network.

But it is a plus to have it.

I would say that if you don't want to change your ip addressing scheme and don't see any reason to do it. Then don't do it.

People would usually change it to a private ip address scheme in order to save/find more public addresses.

New Member


Thanks for your reply.

The problem I have is that some people be accessing the PIX via the Internet. Let's say the host dials in. He has a private IP address of and the server he is trying to access within our internal intranet has an address of How will the host be able to find the server? The individual who is setting the system up claims that the Server and all of our interior LANs must utilize private addresses for the Internet based VPN hosts to locate the Servers and peripherals within the interior LAN. Thus, we need to redo the IP addresses throughout our entire operation. If this is not the case, I'll need to explain why and how we can get around the need to redo the addresses.

Again, thanks for your help....

CreatePlease login to create content