Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco Pix 506 behind 2600 router


I have the current following config:

Internal Lan >> Cisco 2660 Router >> Internet

Right now the 2600 is configured for NAT and everything is

working great. We also have 1 Exchange 2003 server on our internal

Lan which is also working fine.

I am planning on adding a cisco pix 506 e to the network so it

will look as follows:

Internal Lan >> Cisco Pix >> Cisco 2660 Router >> Internet

My questions are what configurations do I have to perform on the pix to

allow email to flow to the internal exchange server on our network? From

what I have read so far the Pix allows connections from the inside interface

to the outside. But what is the best way to configure Outside connections going


Currently I use the static commands on the 2600 for this purpose, but I

am kind of new to the Pix world.

I appriciate any help you can give me, including commands to enter.


Cisco Employee

Re: Cisco Pix 506 behind 2600 router


For users from outside to access the exchange server, you would need a static and access-list to permit the traffic.

Please refer the below URL for configuration details:

Let me know if it helps.



New Member

Re: Cisco Pix 506 behind 2600 router

Hello Arul,

Thanks for the help.

I have one question though. When entering the commands, which external(outside) interface do

I specify? The outide interface of the pix, or the outside interface of the internet connected 2600 router?

Again, thanks for your help.


Re: Cisco Pix 506 behind 2600 router

With the current setup, local LAN traffic is NATted to a global IP to be able to out to internet. And for the MS Exchange 2003 server, I believed it's one-to-one (static NAT) with a dedicated public IP?

There are 2 options to do it:

1. Transfer all NAT & firewalling function to PIX - common/recommended way to do NAT when Firewall exists.

2. Use no NAT between user segment behind PIX so that the NAT function can remain in router.

Basically, the differences between these options:

Option 1 - Transfer/migrate NAT to Firewall:

To allow Exchange Server 2003 to be able to send & receive email, on pix, configure the folllowing:

*assuming yy.yy.yy.25 - Private IP of Exchange 2003 svr

* xx.xx.xx.11 5 - Public IP of Exchange 2003 svr

a. Map Exchange Server 2003 to the same public IP, as configured in router

firewall(config)# static (inside,outside) xx.xx.xx.11 yy.yy.yy.25 netmask

b. Open ACL on outside interface to control incoming traffic like mail and so on. Follow the same ACL rules in your router

firewall(config)#access-list 100 permit tcp any host xx.xx.xx.11 eq smtp

firewall(config)#access-list 100 permit tcp any host xx.xx.xx.11 eq pop3

firewall(config)#access-list 100 deny ip any any

Then bind this ACL to outside interface:

access-group 100 in interface outside

Option 2 - no NAT on Firewall

- No address translation between user segment behind PIX605 and Router FE interface facing PIX's outside interface.

But the condition is, you need to changed the segment used by your your existing router FE facing the PIX's outside to new private IP subnet.

The advantage is, when users are placed behind PIX, their current IP Addresses & gateway will remain the same.

- Can still control outbound & inbound access to internet, but not stateful as firewall

If you want, you can share your router config (but replace sensitive info like actual public IP to dummy IP, delete password), and I can help to give the new config for Option#1.



Re: Cisco Pix 506 behind 2600 router

It's PIX outside interface

CreatePlease login to create content