
New Member

PIX 506 question.

This is a basic question, I need clarification on a scenario.

I have an internal network which is protected by a PIX 506. The PIX 506's outside interface is connected to a hub which has one Cisco 1603 connected to an Internet leased line, and also one Cisco 677 series router for an ADSL connection.

As far as I understand, if I have a mail server to receive mail in my internal network, I will use the leased line, which has a static IP, and configure my mail server's public IP mapping in the PIX.

So therefore I have only one gateway that can be specified in the PIX, which is the Cisco 1603.

Now the customer wants local internal users to browse the Internet using the ADSL connection. I explained to him that in the PIX I can only enter one default gateway, which in this case has to be the Cisco 1603 because of the public mail server and web server access required from outside.

I told him that we could move the ADSL router to the internal network and let the clients have this one as the default gateway, so they can browse the Internet. He is worried about the security; I told him there is not much to worry about because this connection has a dynamic IP and we are not opening any port from outside.

Can you please advise, so that I can print this document and show the answer from Cisco.


Sayeed alhajri.

Cisco Employee

Re: PIX 506 question.

First off, this answer should not be used as the be-all and end-all solution so be careful who you "print it and show to".

If you bypass the PIX for the ADSL connection then obviously you lose all the security benefits of having the PIX in place, and you're leaving your network somewhat open to attack. Yes, it's probably low risk, but it isn't difficult for someone to port scan your entire ADSL subnet, find open ports and then try to get into your network that way. Don't assume that having a dynamic address makes you impervious to attack; it doesn't. In fact, it doesn't really matter that your IP address changes every time: if someone's doing a port scan they're going to find you regardless.

Having said that, yes, you can only have one default gateway in the PIX. Why exactly do you have both a leased line AND an ADSL connection? Why not remove the ADSL and have everyone use the leased line, since you're paying for it already? Or see if your ISP will provide an ADSL connection with a static IP address; then you can cancel the leased line instead, since ADSL is generally cheaper.

In short, I wouldn't recommend bypassing the PIX just to get around a dual-gateway issue.
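For reference, this is what the recommended design (everything stays behind the PIX, single default gateway on the 1603 leased-line router, only the mail and web servers exposed) looks like as a PIX 6.x configuration fragment. It is an added illustration, not part of the thread or an official Cisco answer, and all addresses (203.0.113.0/24 outside, 192.168.1.0/24 inside, the server and router IPs) are placeholders assumed for the example.

```cisco
! Outside interface faces the hub with the 1603; inside faces the LAN
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! The PIX holds exactly one default route: everything outbound leaves
! via the leased-line router (placeholder 203.0.113.1). The ADSL router
! is not referenced at all, so no traffic can slip around the firewall.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Internal users browse through the PIX, hidden behind one public
! address from the leased-line block (placeholder 203.0.113.5)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 203.0.113.5

! Mail and web servers get fixed one-to-one public mappings so the
! static addresses can be published in DNS
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255 0 0

! Inbound from the Internet, open only the two services that must be
! reachable; every other port on every other host stays closed
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-group outside_in in interface outside
```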
