Cisco Support Community

New Member

ip address assignment


My question may indicate that I am brain-dead so I apologize in advance.

Can you use a private IP on the external interface?

I am installing my first PIX, a 515E. My network is configured as follows:

I have 1/2 of a class c address space allocated to my organization. All of my network devices and the internal interface of my router draw from this address space.

Is it reasonable and will it work if I configure as follows:

1. Inside interface uses an address from the address space above

2. DMZ interface uses something like 192.168.1.X

3. The part I'm confused on: External interface uses perhaps 192.168.2.X with a default route to the router's internal interface with some kind of NAT occurring--



Re: ip address assignment

You could, but it is not recommended. NATing things twice will make troubleshooting very very difficult.

Your PIX's EXTERNAL interface should be using an IP from your /25. You should use internal (RFC 1918) addresses on the PIX's internal interface, and maybe on the DMZ as well.

New Member

Re: ip address assignment

Thanks for the information--I think I'm getting closer to understanding. I currently have all servers and workstations set up with addresses from the 1/2 class c address space. For reasons I won't bore you with, I'm very reluctant to change these to RFC 1918 addresses, particularly the servers. So, given this, I'm still not sure how to configure the inside and outside PIX interfaces.

Can I use an RFC1918 address on the internal interface yet leave all network devices to continue using the class c addresses?


New Member

Re: ip address assignment

You should use private addresses on your DMZ and internal networks. Use the public addresses for the external interface on your firewall, the internal interface on your WAN router, and for static and dynamic NAT.

Disallow echo (ping) traffic on the firewall's external interface.