
PIX 506 with a DHCP connection

Is there a way to set up a PIX 506 with a DHCP address for the outside (i.e. cable modem, DSL) AND also allow access to a web server or email server on the inside (protected/private) of the network? I have tried the Static and conduit commands to no avail. I am running PIX IOS 5.2(3).

Thanks in advance.

6 Replies

a-vazquez
Level 6

I don’t foresee that being a problem; just remember you can’t use the same address as the address for your web server. All the DHCP client does is allow the outside IP address to be dynamically assigned, and it shouldn’t adversely affect the rest of the operation of the PIX. So let’s say your ISP assigns a 150.1.1.1 address to the outside interface. You then set a static for your webserver like

    static (inside,outside) 150.1.1.2 192.168.1.2 netmask 255.255.255.0

and then a conduit

    conduit permit tcp host 150.1.1.2 eq http any
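An added example, not part of the original reply: a small Python check of the rule described above, that the address in a static must differ from whatever address DHCP currently gives the outside interface, and that each conduit points at a mapped address. The function name `audit`, the sample config and the `150.1.1.3` line are constructed for illustration, and only the one-line command forms quoted in the reply are parsed.

```python
import ipaddress
import re

# Only the one-line forms quoted in the thread are recognised.
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask (\S+)$")
CONDUIT_RE = re.compile(r"^conduit permit (tcp|udp) host (\S+) eq (\S+) (\S+)$")

# Constructed sample: the first two lines are the pair from the reply above,
# the third is a made-up conduit with no static behind it.
SAMPLE_CONFIG = """\
static (inside,outside) 150.1.1.2 192.168.1.2 netmask 255.255.255.0
conduit permit tcp host 150.1.1.2 eq http any
conduit permit tcp host 150.1.1.3 eq smtp any
"""

def audit(config_text, outside_ip):
    """Return (exposures, problems) for the given config and current outside lease."""
    outside = ipaddress.ip_address(outside_ip)
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    statics, exposures, problems = {}, [], []
    # Pass 1: collect public -> inside mappings and check them against the lease.
    for ln in lines:
        m = STATIC_RE.match(ln)
        if not m:
            continue
        public, inside = (ipaddress.ip_address(a) for a in m.group(1, 2))
        if public == outside:
            problems.append(f"static {public} reuses the outside interface address")
        statics[public] = inside
    # Pass 2: every conduit must point at a mapped address; record what it opens.
    for ln in lines:
        m = CONDUIT_RE.match(ln)
        if not m:
            continue
        proto, public, port, source = m.groups()
        public = ipaddress.ip_address(public)
        if public not in statics:
            problems.append(f"conduit for {public} has no matching static")
        else:
            exposures.append((str(statics[public]), proto, port, source))
    return exposures, problems

if __name__ == "__main__":
    for lease in ("150.1.1.1", "150.1.1.2"):  # second lease collides with the static
        print(lease, audit(SAMPLE_CONFIG, lease))
```

Each exposure tuple names the inside host, protocol, port and permitted source, so the output doubles as a list of what the firewall publishes to the outside.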

So if I am understanding this correctly, I will still need at least two IP addresses. One for the outside interface of the PIX and another public IP for my WebServer. That is a tough one. I am going to see if my cable modem provider will set me up with a couple of static IP addresses then. Thanks for the help in understanding. I knew how it was done with the bigger 515 but hadn't ever encountered the need to DHCP until I got the 506 and thought about using it at home.

Thanks again,

Jonathan Copeland

rayshan
Level 1

jblancaster
Level 1

I am having a similar situation. I have a 506 w/ DSL that uses PPPoE and cannot use the PIX with PPPoE. I have thought of switching to cable or a different provider that uses DHCP, but I am under the impression that I will need two IP addresses, which is hard to get with cable/DSL. Do I really need two? (One for the PIX and one for the NAT pool)

If you want to provide external access to an internal server, you will need to set up a static and conduit to that server. You will need a second IP address to do that.

HTH

Jeff

bdube
Level 2

It's possible to manage a dynamic IP address with a box like the D-LINK DI-704. It's perfect to provide your internal users access to the Internet with only one DSL/Cable access.

But you will always have a problem with the servers (Web & email). Since they change IP addresses each time you connect to the ISP, you must reflect this change somewhere in the DNS space (mapping of host name with IP address). Of course, if you want to use an IP address directly to reach your server instead of a standard URL, it's possible if you know the right IP address and if you advertise the IP address yourself to your friends or employees.

Don't try Dynamic DNS. It's not working in your case because the client software used in these scenarios sits on the servers and tries to detect a change in IP address. Since your servers are behind the PIX or even just right behind the D-LINK Gateway, the IP address used by the server will never change and the address is a private one, not public and routable.
