Cisco Support Community

Need help with PIX & Router

I have a 2610 in front of a PIX 506E. Attached are the configs of each.

I think the router is set up wrong; please help.

ROUTER ===>>


version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption

enable secret xxxx
enable password enable

ip subnet-zero

ip name-server

ip audit notify log
ip audit po max-events 100

interface Ethernet0/0
 bandwidth 10000
 ip address
 ip nat outside

interface Ethernet1/0
 ip address
 ip nat inside

ip nat pool outside-pool netmask
ip nat inside source list 1 pool outside-pool overload
ip classless
ip route
no ip http server
ip pim bidir-enable

access-list 1 permit
route-map 1 permit 10

line con 0
line aux 0
line vty 0 4
 password enable





PIX ===>>

PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp strict 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol pptp 1723
no fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69

name WAN-MON

pager lines 20
logging on
logging timestamp
logging buffered alerts
logging trap informational
logging history informational
logging queue 1000
logging device-id hostname
logging host inside WAN-MON
mtu outside 1500
mtu inside 1500
ip address outside PIX-OUTSIDE
ip address inside PIX-INSIDE
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location WAN-MON inside
pdm logging informational 512
pdm history enable
arp timeout 14400
nat (inside) 0 0 0
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http WAN-MON inside
floodguard enable
telnet timeout 2
ssh timeout 5
console timeout 5
terminal width 80
: end


Re: Need help with PIX & Router


Are you suspecting that "ip nat pool outside-pool netmask" should be replaced with "ip nat inside source list 1 interface Ethernet0/0 overload", since it uses Ethernet0/0 as the outside NAT IP?




Re: Need help with PIX & Router


I guess no nat 0 is needed if you have no translation in the PIX.

Re: Need help with PIX & Router

For NAT 0, options are:

1. NAT 0

nat (inside) 0 --> no translation for any inside IP/subnet/host, or

nat (inside) 0 --> no translation for specific subnet

2. Policy NAT

access-list 100 permit ip any

nat (inside) 0 access-list 100

3. inside & outside see/reach each other using original IP (no nat)

static (inside,outside) netmask

Re: Need help with PIX & Router


He has 'nat (inside) 0' configured on the PIX. The problem with the router config is that the NAT pool is set to use the E0/0 IP. The router doesn't NAT (PAT) when it is set up this way. Hence, he has to specify the interface in his NAT config with the keyword overload for this to work.

To the original poster:

Can you apply the following config to the router?

no ip nat pool outside-pool netmask

ip nat inside source list 1 interface Ethernet0/0 overload
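
As an added example, not part of the thread or of any poster's config: a Python lint that parses an IOS running-config, flags a NAT pool that reuses the NAT-outside interface's own address (the mistake identified in the reply above), and emits the commands that replace it with `interface Ethernet0/0 overload`. Going beyond the thread's question, it also flags the weak credential lines visible in the posted router config (`no service password-encryption`, a clear-text `enable password` next to `enable secret`, a vty `password` with no `access-class`). The sample config and its RFC 5737 addresses are constructed, since the thread's addresses were stripped; all function names are this example's own.

```python
# Added example (not from the thread): lint an IOS config for the NAT mistake
# discussed above and emit the corrected commands. The addresses are constructed
# from RFC 5737 documentation ranges because the thread's were stripped.
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
no service password-encryption
enable secret xxxx
enable password enable
interface Ethernet0/0
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat pool outside-pool 192.0.2.2 192.0.2.2 netmask 255.255.255.252
ip nat inside source list 1 pool outside-pool overload
access-list 1 permit 192.168.1.0 0.0.0.255
line vty 0 4
 password enable
"""
POOL_RE = re.compile(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
SRC_POOL_RE = re.compile(r"ip nat inside source list (\S+) pool (\S+)( overload)?$")

def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(p) for p in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def parse_interfaces(cfg: str) -> Dict[str, Dict[str, str]]:
    """Interface name -> {"ip": address, "nat": "inside" | "outside"}."""
    ifaces: Dict[str, Dict[str, str]] = {}
    current = None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = {}
        elif not line.startswith(" "):  # any other top-level command ends the block
            current = None
        elif current is not None:
            m = re.match(r"\s+ip address (\S+) \S+", line)
            if m:
                ifaces[current]["ip"] = m.group(1)
            m = re.match(r"\s+ip nat (inside|outside)\b", line)
            if m:
                ifaces[current]["nat"] = m.group(1)
    return ifaces

def parse_nat_pools(cfg: str) -> Dict[str, Tuple[str, str, str]]:
    """Pool name -> (start, end, netmask)."""
    return {m.group(1): (m.group(2), m.group(3), m.group(4))
            for m in map(POOL_RE.match, cfg.splitlines()) if m}

def nat_findings(cfg: str) -> List[str]:
    """Flag a pool built from a NAT-outside interface's own address (the thread's
    case) and a pool-based source list that lacks the 'overload' keyword."""
    ifaces, pools, found = parse_interfaces(cfg), parse_nat_pools(cfg), []
    outside = {n: d["ip"] for n, d in ifaces.items() if d.get("nat") == "outside" and "ip" in d}
    for name, (start, end, _mask) in pools.items():
        for ifname, addr in outside.items():
            if ip_to_int(start) <= ip_to_int(addr) <= ip_to_int(end):
                found.append(f"pool {name} reuses the address of NAT-outside interface "
                             f"{ifname} ({addr}); use 'interface {ifname} overload' instead")
    for m in map(SRC_POOL_RE.match, cfg.splitlines()):
        if m and m.group(2) in pools and not m.group(3):
            found.append(f"source list {m.group(1)} uses pool {m.group(2)} without "
                         f"'overload': one inside host per pool address, no PAT")
    return found

def corrected_nat_lines(cfg: str) -> List[str]:
    """The replacement the reply recommends. The source-list statement is removed
    first because IOS refuses to delete a pool that is still referenced."""
    ifaces, pools = parse_interfaces(cfg), parse_nat_pools(cfg)
    outside_if = next((n for n, d in ifaces.items() if d.get("nat") == "outside"), None)
    cmds: List[str] = []
    for line in cfg.splitlines():
        m = SRC_POOL_RE.match(line)
        if m and m.group(2) in pools and outside_if:
            start, end, mask = pools[m.group(2)]
            cmds += [f"no {line}",
                     f"no ip nat pool {m.group(2)} {start} {end} netmask {mask}",
                     f"ip nat inside source list {m.group(1)} interface {outside_if} overload"]
    return cmds

def credential_findings(cfg: str) -> List[str]:
    """The weak credential handling visible in the posted router config."""
    lines, found = cfg.splitlines(), []
    if "no service password-encryption" in lines:
        found.append("service password-encryption is off: line and enable passwords are stored in clear text")
    if any(l.startswith("enable password ") for l in lines):
        found.append("'enable password' is redundant beside 'enable secret' and keeps a weaker copy of the credential")
    in_vty = has_pw = has_acl = False
    for l in lines:
        if l.startswith("line vty"):
            in_vty = True
        elif in_vty and l.startswith(" "):
            has_pw = has_pw or l.strip().startswith("password")
            has_acl = has_acl or l.strip().startswith("access-class")
        else:
            in_vty = False
    if has_pw and not has_acl:
        found.append("vty lines have no access-class: remote login is reachable from any source")
    return found

if __name__ == "__main__":
    print("\n".join(nat_findings(SAMPLE_CONFIG) + credential_findings(SAMPLE_CONFIG)
                    + corrected_nat_lines(SAMPLE_CONFIG)))
```

The emitted commands remove the source-list rule before the pool because IOS will not delete a pool that a translation rule still references; if translations are active when the rule is removed, `clear ip nat translation *` first. The `enable password` and `password` on the vty lines are stored exactly as typed while `service password-encryption` is off, which is why the lint treats them as findings rather than as style nits.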




Re: Need help with PIX & Router

What are you trying to accomplish?
