PIX 6.2, PPPoe, ADSL - VPN & E-mail/WWW routing.

mark.jenks
Level 1

I'm setting up a 506e to firewall an ADSL line into a company.

I've done this before with the VPN, and standard NAT, but when it comes to routing protocols to the inside, can I do it all on a single IP address from the ISP?

Looking at the config options, it looks like I have to have the ISP route me a subnet (At least a 252) to be able to do this.

The ADSL routing is going to be changed to bridging and the PIX is going to terminate the PPPoe.

Anyone done this before? Maybe a sample config?

-Mark


msitzman
Cisco Employee

You should not have any issues with this type of deployment. Here is a link that talks about the PPPoE config part of the PIX:

http://www.cisco.com/warp/customer/110/pppoe-for-pix501.html

As far as inbound access such as www, smtp, etc., you will need a static translation defined for the inside hosts that will be accessed by the outside hosts. This can be a port address translation or a host static translation. Then you can configure the access control for the inbound services (conduit or access-lists). Here is a link that discusses this part of the config.

http://www.cisco.com/warp/customer/707/28.html

I hope this addresses your questions unless you have a more specific issue.

Thanks,

Marcus

Can I do it all using the single IP from the ADSL ISP?

Or do I need to have them route me a subnet (...252) to do VPN and inbound WWW/SMTP?

-Mark

If the ISP assigns you a routable IP address that gets set on the outside interface of the PIX, you can use that single IP address for outbound PAT translations for outbound traffic and port redirection static statements for inbound access to services. So, yes, you can use that single address. For example:

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

static (inside,outside) tcp interface 80 192.168.1.100 80 netmask 255.255.255.255

static (inside,outside) tcp interface 8080 192.168.1.110 80 netmask 255.255.255.255

static (inside,outside) tcp interface 25 192.168.1.150 25 netmask 255.255.255.255

Hope this helps...

Marcus
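
Added example, not part of the original replies: a small Python audit that cross-checks the port-redirection statics above against the ACL bound to the outside interface, since each redirect only passes traffic once a matching permit exists. The ACL lines, the name `acl_out` and the sample config are constructed for illustration, and only the simple `permit tcp|udp any any eq <port>` form is parsed.

```python
import re

# Constructed sample in PIX 6.x syntax (not from the thread): the statics from
# the reply above plus hypothetical ACL lines; "acl_out" is an assumed name.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface 80 192.168.1.100 80 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.110 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.1.150 25 netmask 255.255.255.255
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq smtp
access-list acl_out permit tcp any any eq 443
access-group acl_out in interface outside
"""

PORT_NAMES = {"www": 80, "smtp": 25, "https": 443, "ftp": 21, "telnet": 23}
STATIC_RE = re.compile(
    r"^static \(inside,\s*outside\) (tcp|udp) interface (\S+) (\S+) (\S+)", re.M)

def port(tok):
    """Convert a numeric or named port token to an int (None if unknown)."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)

def parse_redirects(cfg):
    """Return {(proto, outside_port): (inside_ip, inside_port)} for redirect statics."""
    return {(m[1], port(m[2])): (m[3], port(m[4])) for m in STATIC_RE.finditer(cfg)}

def parse_outside_permits(cfg):
    """Return {(proto, port)} permitted by the ACL bound inbound on outside."""
    bound = re.search(r"^access-group (\S+) in interface outside", cfg, re.M)
    if not bound:
        return set()
    acl = re.compile(
        rf"^access-list {re.escape(bound[1])} permit (tcp|udp) any any eq (\S+)", re.M)
    return {(m[1], port(m[2])) for m in acl.finditer(cfg)}

def audit(cfg):
    """Cross-check redirects and permits; pre-8.3 ACLs match the outside (mapped) port."""
    redirects, permits = parse_redirects(cfg), parse_outside_permits(cfg)
    return {
        "exposed": {k: v for k, v in redirects.items() if k in permits},
        "redirect_without_permit": sorted(set(redirects) - permits),
        "permit_without_redirect": sorted(permits - set(redirects)),
    }

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(finding, items)
```

In the constructed sample the 8080 redirect has no permit, so that service is unreachable from outside, and the 443 permit has no translation behind it and can be removed.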

Would this still be true if I was to use a VPN to VPN tunnel in the same config?

-Mark

Yes. You can also use the address to terminate a VPN tunnel, with both remote access clients and a LAN to LAN tunnel.

Thanks,

Marcus
