06-02-2003 01:52 PM - edited 02-21-2020 12:34 PM
I'm setting up a 506e to firewall an ADSL line into a company.
I've done this before with the VPN, and standard NAT, but when it comes to routing protocols to the inside, can I do it all on a single IP address from the ISP?
Looking at the config options, it looks like I have to have the ISP route me a subnet (At least a 252) to be able to do this.
The ADSL routing is going to be changed to bridging and the PIX is going to terminate the PPPoE.
Anyone done this before? Maybe a sample config?
-Mark
06-02-2003 02:49 PM
You should not have any issues with this type of deployment. Here is a link that talks about the PPPoE config part of the PIX:
http://www.cisco.com/warp/customer/110/pppoe-for-pix501.html
As far as inbound access such as www, smtp, etc., you will need a static translation defined for the inside hosts that will be accessed by the outside hosts. This can be a port address translation or a host static translation. Then you can configure the access control for the inbound services (conduit or access-lists). Here is a link that discusses this part of the config.
http://www.cisco.com/warp/customer/707/28.html
I hope this addresses your questions unless you have a more specific issue.
Thanks,
Marcus
06-03-2003 07:31 AM
Can I do it all using the single IP from the ADSL ISP?
Or do I need to have them route me a subnet (...252) to do VPN and inbound WWW/SMTP?
-Mark
06-03-2003 07:48 AM
If the ISP assigns you a routable IP address that gets set on the outside interface of the PIX, you can use that single IP address for outbound PAT translations for outbound traffic and port redirection static statements for inbound access to services. So, yes, you can use that single address. For example:
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface 80 192.168.1.100 80 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.110 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.1.150 25 netmask 255.255.255.255
Hope this helps...
Marcus
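An added example, not part of the original post: with a single outside address, each protocol/port pair on the interface can be redirected to only one inside host, so this sketch inventories the port-redirection statics in a config and reports any outside port claimed by more than one host. The sample config is constructed from the lines above plus one deliberately conflicting entry, and the function names and the small port-keyword map are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the statics from the post above, plus one deliberately
# conflicting line (second host on tcp/25) to show what the check reports.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface 80 192.168.1.100 80 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.110 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.1.150 25 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.151 smtp netmask 255.255.255.255
"""

# Partial map of port keywords a config may show instead of numbers.
PORT_NAMES = {"www": "80", "smtp": "25"}

STATIC_RE = re.compile(
    r"^static\s+\(\s*\w+\s*,\s*\w+\s*\)\s+(tcp|udp)\s+interface\s+(\S+)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)", re.IGNORECASE)

def parse_redirects(config):
    """Return (proto, outside_port, inside_host, inside_port) per redirect."""
    found = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, ext, host, inner = m.groups()
            found.append((proto.lower(), PORT_NAMES.get(ext.lower(), ext),
                          host, PORT_NAMES.get(inner.lower(), inner)))
    return found

def find_conflicts(redirects):
    """Map (proto, outside_port) to its targets when more than one host claims it."""
    targets = defaultdict(set)
    for proto, ext, host, inner in redirects:
        targets[(proto, ext)].add(f"{host}:{inner}")
    return {k: sorted(v) for k, v in targets.items() if len(v) > 1}

if __name__ == "__main__":
    redirects = parse_redirects(SAMPLE_CONFIG)
    for proto, ext, host, inner in redirects:
        print(f"exposed {proto}/{ext} -> {host}:{inner}")
    for (proto, ext), hosts in find_conflicts(redirects).items():
        print(f"CONFLICT {proto}/{ext} claimed by {', '.join(hosts)}")
```

The "exposed" lines double as the list of services that need a matching inbound permit (conduit or access-list) and nothing more.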
06-03-2003 01:41 PM
Would this still be true if I was to use a VPN to VPN tunnel in the same config?
-Mark
06-03-2003 02:07 PM
Yes. You can also use the address to terminate a VPN tunnel, with both remote access clients and a LAN to LAN tunnel.
Thanks,
Marcus