Cisco Support Community

New Member

Verification request of config of PIX Catalyst logical interface


I have a need to use one interface on my PIX 525 (version 7.2(2)) as a logical interface so that I can use NAT to reference local non-routable DMZ IP addresses into OSPF advertised IP addresses. I've connected PIX ethernet 4 into my Cisco 6500 switch slot 12 port 43. I've enabled trunking on 12/43 and 12/43 resides in my management domain (VLAN1). My relevant switch and FW config is below.

Issue: Not working: Host attempts to RDP to NAT address but fails. I would like to have confirmation that this config is correct from the community.

Catalyst Switch

Port status is:

12/43 PIX-525-ETH4 connected trunk full 100 10/100/1000

Trunk config is:

clear trunk 12/43 2-239,241-1005,1025-4094

set trunk 12/43 on dot1q 1,240

Trunk status is:

12/43 on dot1q trunking 1

Firewall interface config is:

interface Ethernet4
description Base interface for DMZ translations
speed 100
duplex full
no nameif
security-level 100
no ip address

interface Ethernet4.240
vlan 240
nameif VLAN240
security-level 75
ip address

ACL config is:

access-list VLAN240 remark NAT control into VLAN240 from inside
access-list VLAN240 extended permit ip host
access-list VLAN240_IN remark Regulate access from VLAN240 into inside
access-list VLAN240_IN extended permit tcp host eq 3389 host
access-list VLAN240_IN extended deny ip any any

NAT config is:

global (outside) 30 X.X.X.X netmask
global (XXXXXX) 3 interface
global (XXXXXX) 20 interface
global (VLAN240) 50 interface
nat (inside) 0 access-list NONAT
nat (inside) 3 access-list XXX
nat (inside) 20 access-list XXXXXX
nat (inside) 30 access-list WWW
nat (inside) 50 access-list VLAN240
nat (XXXXXX) 0 access-list NONAT-VPN
static (inside,VLAN240) netmask
access-group VLAN240_IN in interface VLAN240

Return route does exist.

Hall of Fame Super Blue

Re: Verification request of config of PIX Catalyst logical inter


Try changing your static statement from

static (inside,VLAN240) netmask

to

static (VLAN240,inside) netmask

Also I'm a little unclear what your access-list VLAN240_IN is doing. At the moment it says

allow the host on port 3389 to talk to the pix VLAN240 interface on any port.

This doesn't seem to make much sense. Perhaps I have misunderstood, could you elaborate.
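The reply reads the VLAN240_IN entry as matching source port 3389 rather than a destination port. As an added example, not code from this thread or from Cisco, here is a small Python check that parses PIX 7.x extended ACEs and flags entries whose only port qualifier sits on the source address, since a rule admitting clients to an RDP server normally matches destination port 3389; the addresses in the sample are constructed placeholders.

```python
"""Lint PIX/ASA 7.x extended ACEs for port qualifiers that sit on the source.

Added example; sample addresses below are constructed placeholders.
"""

# Port operators and how many arguments each consumes.
_PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}


def _take_addr(tokens, i):
    """Consume one address spec (any | host X | NET MASK); return (text, next_i)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host" and i + 1 < len(tokens):
        return tokens[i + 1], i + 2
    if i + 1 < len(tokens):
        return f"{tokens[i]}/{tokens[i + 1]}", i + 2   # network and mask
    return tokens[i], i + 1


def _take_port(tokens, i):
    """Consume an optional port operator at tokens[i]; return (spec or None, next_i)."""
    if i < len(tokens) and tokens[i] in _PORT_OPS:
        n = _PORT_OPS[tokens[i]]
        return " ".join(tokens[i:i + 1 + n]), i + 1 + n
    return None, i


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [port] DST [port]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None   # remarks, standard ACLs and blank lines are not ACEs
    ace = {"acl": tokens[1], "action": tokens[3], "proto": tokens[4]}
    i = 5
    ace["src"], i = _take_addr(tokens, i)
    ace["src_port"], i = _take_port(tokens, i)
    ace["dst"], i = _take_addr(tokens, i)
    ace["dst_port"], i = _take_port(tokens, i)
    return ace


def source_port_only(config):
    """Return the ACEs whose only port qualifier is on the source address."""
    aces = (parse_ace(raw.strip()) for raw in config.splitlines())
    return [a for a in aces if a and a["src_port"] and not a["dst_port"]]


# Constructed sample shaped like the posted VLAN240_IN list (placeholder addresses).
SAMPLE = """
access-list VLAN240_IN remark Regulate access from VLAN240 into inside
access-list VLAN240_IN extended permit tcp host 10.240.0.5 eq 3389 host 192.0.2.10
access-list VLAN240_IN extended permit tcp host 10.240.0.5 host 192.0.2.10 eq 3389
access-list VLAN240_IN extended deny ip any any
"""

if __name__ == "__main__":
    for ace in source_port_only(SAMPLE):
        print(f"{ace['acl']}: {ace['proto']} {ace['src']} {ace['src_port']} -> "
              f"{ace['dst']} (port qualifier on source only)")
```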