Solved: Do iI need a router with my PIX?

moconnor · ‎04-03-2003

I have cable connection to the internet, the ISP provides me with a DHCP IP. Do I need to purchase a router to put in fromt of my recently purchased PIX or can the PIX handle the routing as well?

Also, how does the PIX handle dynamic IPs on it's external interface? I am a bit confused, thanks in advance.

-- Marc

mostiguy · ‎04-03-2003

Yep.

Your external ip on the pix can be dynamic or static

Your internal ip on the pix needs to be static. The pix can act as a dhcp server for your interla network ,but it sounds like you already have that all set up. Just exclude an ip address from the internal pool, and use that for your pix. Make sure you configure your dhcp server to pass that ip as the new default gateway.

View solution in original post

mostiguy · ‎04-03-2003

The pix can handle static routes, and has limited dynamic routing functionality. Pix can handle dynamic ips fine.

I have a pix 501 at home on a cable modem - it grabs the external ip address dynamically, and parses the dhcp option to get the default route

syghafoor · ‎04-03-2003

Hi Marc,

You don't need a router, pix can act as dhcp client.

ip add outside dhcp setroute

the above command will allow you to get the ip address for outside interface as well as the default gateway for the pix.

I hope this helps.

Syed

moconnor · ‎04-03-2003

What if I do my internal DHCP through my Win2k servers? Can I just set the PIX to handle the DHCP from the ISP on the external interface and set some type of NAT on the PIX. Can I set a static internal IP from the win2k DHCP server to the internal interface on the PIX. Sorry just a newbie with CISCO. Thanks.

mostiguy · ‎04-03-2003

Yep.

Your external ip on the pix can be dynamic or static

Your internal ip on the pix needs to be static. The pix can act as a dhcp server for your interla network ,but it sounds like you already have that all set up. Just exclude an ip address from the internal pool, and use that for your pix. Make sure you configure your dhcp server to pass that ip as the new default gateway.

moconnor · ‎04-03-2003

Thats great! Anything else I should study up on to become a PIX expert? Is NAT difficult to configure in relation to the firewall? i.e. can I cancell out a port forwarding statement by using an ACL stament? Thanks again.

syghafoor · ‎04-03-2003

If you go to the following link it has some really good tech tips on pix firewall.

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration#Software_Samples_and_Tips

Port redirected (static nat) is used for inbound traffic. Let say if you have a mail or ftp server and you want to allow traffic from outside to inside, this is where you will be using port redirection. In order to allow access from outside to inside you need both static nat and access-list since they both work in conjunction.

For the oubound traffic you can configure PAT to use your interface ip address.

You don't need any access-list for outbound traffic since by default everything is permited. Here is the command syntax for outbound PAT.

global (outside) 1 interface

nat (inside) 1 0 0

I hope this helps.

Regards,

Syed

moconnor · ‎04-05-2003

Thanks for all you help. Can't wait to get started.

--Marc