[c-nsp] Cisco 2620 and Pix 515E Config help please

Voll, Scott Scott.Voll at wesd.org
Thu Apr 7 16:59:31 EDT 2005


Static route the publics back to the pix and get rid of all the NATing
on your router.  The pix will do a better job anyway.

Scott

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bob Fronk
Sent: Thursday, April 07, 2005 1:43 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 2620 and Pix 515E Config help please

Good afternoon.

I am replacing a 2620 that we have been using as our Firewall with a PIX
515E.

I am trying to correctly configure another 2620 as my Internet Router
which will serve as the CSU/DSU router in front of the PIX.

Current setup is (IPs edited for privacy):


!
!
interface Loopback0
 description Public IP Block
 ip address 2.2.2.2 255.255.255.224
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 ip inspect Inside in
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
!
interface Serial0/0
 description Sprint PL Internet Access
 ip address 1.1.1.1 255.255.255.252
 ip access-group Firewall in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 encapsulation ppp
 fair-queue
 no cdp enable
!
ip nat inside source interface Serial0/0 overload
ip nat inside source static 192.168.2.x 2.2.2.3
ip nat inside source static 192.168.2.x 2.2.2.4
ip nat inside source static 192.168.2.x 2.2.2.5
ip nat inside source static 192.168.2.x 2.2.2.6
ip nat inside source static 192.168.2.x 2.2.2.7
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x


In one of the access lists there are commands to allow traffic to the
serial and loopback:

 remark Permit any traffic to the outside interface
 permit ip any host 1.1.1.1
 remark Allow any traffic to the loopback interface
 permit ip any host 2.2.2.2

There is also an access list allowing specific ports on the IPs that
have the static nat entries.

What I cannot find documentation on is how to pass the Public IP block
through to the PIX since the Public IP block is not the same as the
serial interface IP.  Will I need to nat the public block to addresses
in the PIX?


Your help for a relative newbie is appreciated.

Bob


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
