Cisco Support Community
Community Member

PIX515E (7.0) basic config w/NAT example

Where can I find an example of basic firewall config with NAT for PIX 515 (v.7.0) where the external IP address is obtained from a DHCP server?

Thank you!


Re: PIX515E (7.0) basic config w/NAT example


Here is the list of configuration examples and guides from Cisco.

If you need help you can always post your configuration here and let us know what you're trying to accomplish.


HTH please rate any posts that are helpful.

Community Member

Re: PIX515E (7.0) basic config w/NAT example

Thanks! I haven't found an example for what I need. For starters I would like to translate the attached config to 515E - 7.0(1) format.


Re: PIX515E (7.0) basic config w/NAT example


I feel you have missed attaching the txt file.

Hope you can redo it so that we can refer to the same.


Community Member

Re: PIX515E (7.0) basic config w/NAT example

I did attach it. I'm not sure what happened to it. The attachment is listed but I can't click on it. Anyway, I used the Spoke-to-Spoke VPN example and got most of the functionality up - minus the VPN (either the static tunnel between two sites or remote client connectivity). Here's what I've got so far:

PIX Version 7.0(1)

interface Ethernet0
 speed 10
 nameif outside
 security-level 0
 ip address dhcp setroute

interface Ethernet1
 nameif inside
 security-level 100
 ip address

interface Ethernet2
 nameif dmz
 security-level 50
 no ip address

enable password 9m1XNkMOusyr8J7t encrypted
passwd 9m1XNkMOusyr8J7t encrypted
hostname pix515e

boot system flash:/pix701.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list 100 extended permit ip
access-list nonat extended permit ip
access-list outside_access_in extended permit tcp any any eq ssh
access-list 101 standard permit any
pager lines 24
logging console informational
logging monitor informational
logging buffered informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpnpool
monitor-interface outside
monitor-interface inside
monitor-interface dmz
asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1
access-group outside_access_in in interface outside
route outside yy.yy.yy.yy 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
 default-domain value
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map cisco 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer xx.xx.xx.xx
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic cisco
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet inside
telnet timeout 5
ssh outside
ssh timeout 60
ssh version 2
console timeout 0
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key secret
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool vpnpool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key somekey2
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key somekey

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect icmp error

service-policy global_policy global
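
An added example, not part of the thread or any poster's code: a small Python check that scans PIX 7.0-style configuration lines like those posted above for settings a reviewer would normally question before the firewall goes into service (an any-to-any permit, the default SNMP community, 3DES and MD5 in the IKE/IPsec proposals, Telnet management, no console idle timeout). The rule list and the function name `audit` are this example's own assumptions; the sample lines are constructed from the posted configuration, whose addresses were already elided.

```python
import re

# Constructed sample: lines taken from the configuration posted above
# (addresses were already elided in the post, e.g. "telnet inside").
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any any eq ssh
snmp-server community public
crypto ipsec transform-set myset esp-3des esp-sha-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 65535 hash sha
telnet inside
telnet timeout 5
ssh version 2
console timeout 0
"""

# (rule id, regex, finding). This rule list is the example's own assumption,
# not a Cisco-published baseline.
RULES = [
    ("acl-any-any", r"^access-list \S+ extended permit (ip|tcp|udp) any any\b",
     "ACL entry permits any source to any destination"),
    ("snmp-default-community", r"^snmp-server community (public|private)\b",
     "well-known default SNMP community string"),
    ("3des", r"\b3des\b", "3DES selected for IKE or IPsec encryption"),
    ("ike-md5", r"^isakmp policy \d+ hash md5\b", "IKE policy hashes with MD5"),
    ("telnet-mgmt", r"^telnet (?!timeout\b)\S", "Telnet (cleartext) management enabled"),
    ("console-no-timeout", r"^console timeout 0\b", "console session never times out"),
]

def audit(config_text):
    """Return (line number, rule id, config line, finding) for every match."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()  # sub-mode commands are indented in a real config
        if not line or line.startswith("!"):
            continue  # skip blanks and "!" separator/comment lines
        for rule_id, pattern, message in RULES:
            if re.search(pattern, line):
                findings.append((lineno, rule_id, line, message))
    return findings

if __name__ == "__main__":
    for lineno, rule_id, line, message in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: [{rule_id}] {message}: {line}")
```
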
