[c-nsp] Cisco 2620 and Pix 515E Config help please
Bob Fronk
bfronk at davishelliot.com
Thu Apr 7 16:43:21 EDT 2005
Good afternoon.
I am replacing a 2620 that we have been using as our Firewall with a PIX
515E.
I am trying to correctly configure another 2620 as my Internet Router
which will serve as the CSU/DSU router in front of the PIX.
Current setup is (IPs edited for privacy)
!
!
interface Loopback0
description Public IP Block
ip address 2.2.2.2 255.255.255.224
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat inside
ip inspect Inside in
ip tcp adjust-mss 1400
duplex auto
speed auto
!
interface Serial0/0
description Sprint PL Internet Access
ip address 1.1.1.1 255.255.255.252
ip access-group Firewall in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat outside
encapsulation ppp
fair-queue
no cdp enable
!
ip nat inside source interface Serial0/0 overload
ip nat inside source static 192.168.2.x 2.2.2.3
ip nat inside source static 192.168.2.x 2.2.2.4
ip nat inside source static 192.168.2.x 2.2.2.5
ip nat inside source static 192.168.2.x 2.2.2.6
ip nat inside source static 192.168.2.x 2.2.2.7
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
In one of the access lists there are commands to allow traffic to the
serial and loopback:
remark Permit any traffic to the outside interface
permit ip any host 1.1.1.1
remark Allow any traffic to the loopback interface
permit ip any host 2.2.2.2
There is also an access list allowing specific ports on the IPs that
have the static nat entries.
What I cannot find documentation on is how to pass the Public IP block
through to the PIX since the Public IP block is not the same as the
serial interface IP. Will I need to nat the public block to addresses
in the PIX?
Your help for a relative newbie is appreciated.
Bob
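One common way to hand a public block that does not match the serial address through to a PIX, as an added example that is not part of the post above: the router stops owning 2.2.2.0/27 (no Loopback0, no `ip nat` statements) and instead routes the block to the PIX outside address across a small transit subnet, while the PIX performs the static translations and the per-host port filtering. The transit subnet 192.168.100.0/30, the PIX outside address 192.168.100.2, the inside host 192.168.2.10, the PIX inside address 192.168.2.1, the PAT address 2.2.2.30 and the `outside_in` access-list name are constructed for the example; 2.2.2.0/27, 2.2.2.3 and 1.1.1.1 come from the post. PIX OS 6.x command syntax is assumed.

```cisco
! --- Internet router (2620): constructed example, not the poster's config ---
! The router no longer terminates the public block on a loopback and no
! longer translates; it only routes the /27 toward the PIX (assumed design).
interface FastEthernet0/0
 description Transit link to PIX outside (constructed /30)
 ip address 192.168.100.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Serial0/0
 description Sprint PL Internet Access
 ip address 1.1.1.1 255.255.255.252
 ip verify unicast reverse-path
 encapsulation ppp
!
! The public block is reached via the PIX outside address, not a local interface,
! so the PIX never has to proxy-ARP for 2.2.2.x addresses.
ip route 2.2.2.0 255.255.255.224 192.168.100.2
! Point-to-point PPP link: default route via the interface
ip route 0.0.0.0 0.0.0.0 Serial0/0

! --- PIX 515E (PIX OS 6.x syntax assumed): constructed example ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.100.2 255.255.255.252
ip address inside 192.168.2.1 255.255.255.0
! Default route back to the router's transit address
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
! Inside hosts without their own mapping share one public address (PAT)
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
global (outside) 1 2.2.2.30 netmask 255.255.255.224
! Static one-to-one mapping: public 2.2.2.3 <-> inside host 192.168.2.10
! (inside host address is constructed; one line per published host)
static (inside,outside) 2.2.2.3 192.168.2.10 netmask 255.255.255.255 0 0
! Inbound policy: only the published service on the mapped address is allowed;
! everything else to the block is dropped by the PIX before translation.
access-list outside_in permit tcp any host 2.2.2.3 eq www
access-group outside_in in interface outside
```

With this split the router's `permit ip any host 2.2.2.2` loopback rule and its static NAT entries go away, and the per-port filtering for the mapped hosts lives in the PIX outside access-list instead. To check the hand-off, `show ip route 2.2.2.3` on the router should resolve to 192.168.100.2, and `show xlate` on the PIX should list the 2.2.2.3 static once the inside host has been seen.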