506 & Public Addresses

help, Level 1

Very basic question but one I need answered. . .

Does a 506 firewall require two public addresses? Can you configure the 506 to work with one public address?

Thanks!

11 Replies

mostiguy, Level 6

One is fine.

global (outside) 1 interface

allows you to use PAT with the ip address assigned to the outside interface

jmia, Level 7

Hi,

No, you'll not require two public addresses. You can use one public address for your outside interface and run PAT (Port Address Translation) or NAT/PAT (Network Address Translation / Port Address Translation).

Hope this helps --

P.S. Forgot to add the following URL, which shows setting up NAT/PAT on a PIX 506.

http://www.lansystems.com.au/weekly_update/290900/P506_dg.pdf

Thanks - Jay

First of all, thanks for all responses.

Forgive my limited experience configuring firewalls.

I have a Belkin router which is connected to the internet.

WAN IP - 64.x.x.x
Inside IP - 192.x.x.x
Gateway - 64.x.x.x

If I understand correctly, I should replace the Belkin router and configure the 506 with the address information (including NAT/PAT) and I'm ready to go?

I've looked over the document provided by the URL and noticed the need for three registered addresses for the small business network configuration. Here's where I'm confused, because we have one static public address. The document states:

One outside address - 168.20.1.5
One server address - 168.20.1.6
One internet user address - 168.20.1.7

Help!

Hi -

That document is for example ONLY to show you NAT and PAT config!

My question to you is what kind of setup have you got at the moment, i.e. are you using the Belkin router for internet connectivity and thinking of placing the 506 between the router and your internal LAN?

Please explain your full intention of what you propose to do and then I/we can direct you in the right direction (forget that document for the moment).

Thanks - Jay

All apologies..

The win2k server and all desktops are currently pointing to the internal address on the Belkin router as the gateway. I would like to place the PIX between the router and the internal LAN without having to make changes to all server/desktop gateways (DHCP not implemented). I hope this helps!

Thanks again for responding!

Hi -

OK, now that's clear. Following is a sample config for a PIX 515 running 6.2(2). What version have you got on the PIX? Do the command 'show version' and it will show the current version and IOS.

But this config would be okay to go with - just change the required IP addresses etc.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfirewall
domain-name test.dom
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
no logging on
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.10.1 255.255.255.224
ip address inside 10.10.10.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.10.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
terminal width 80

Thanks - Jay

Thanks Jay!

Current version - 6.3.1

This will sound like a dumb question...

If the internal server/desktop network is 192.x.x.x and the inside IP address on the PIX is 10.x.x.x, will the PIX translate all inbound traffic and pass it through the switch as 192.x.x.x?

Hi -

Firstly, NO question is DUMB!! What you need here is a 'route command'; here is an explanation:

route command:

When passing data to a destination network that is not directly connected to the PIX, the destination network must be specified. The destination network is specified using the route command. The PIX is not a router, although it sometimes behaves in a routerlike fashion. The PIX cannot make the same kinds of dynamic routing decisions that a router makes; it must be configured statically.

route if_name ip_address netmask gateway_ip [metric]

Here, if_name is the name of the interface that the data will pass through when exiting the PIX. The gateway_ip is the IP address of the device (usually a router) that is the next-hop device to the destination network.

It is common to use a default route to the untrusted side of the PIX (the outside interface). The following is an example of how the route commands might be configured if the outside interface were connected to the Internet and the inside interface were connected to your company intranet, which consists of three subnets. The inside interface is directly connected to the 10.2.0.0 255.255.0.0 subnet. The 10.3.0.0 and 10.4.0.0 subnets are reached via a router with a local interface of 10.2.1.4.

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.3.0.0 255.255.0.0 10.2.1.4 1
route inside 10.4.0.0 255.255.0.0 10.2.1.4 1

With the default route, any traffic that is permitted to pass through the PIX that has a destination network other than 10.2.0.0, 10.3.0.0, and 10.4.0.0 will be passed through the outside interface to 192.168.1.1 for routing.

**In your case the 10.2.1.4 would be your switch IP address, the '1' at the end states that it is 1 metric away (or 1 hop)**

Hope this explains it - Jay

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

OK. .

Just to verify everything is in order.

The Belkin router info is:

WAN IP - x.x.42.46
LAN IP - x.x.1.100
Subnet - 255.255.255.224
Gateway - x.x.42.33

I will connect the PIX outside port to the Belkin LAN port. Here's the current running config on the PIX:

PIX Version 6.3(1)
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password eophEPJ3DEofiYBk encrypted
passwd xxxxxxxxxxxx encrypted
hostname PIX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.1.200 255.255.255.224
ip address inside 10.10.10.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.1.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Could you please verify before I install?

Thank you for all your patience. I really appreciate all the help you have provided.

P.S. I am trying to convince my manager to supply Cisco training. As you have noticed I really need it!!!
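The checks the thread walks through (PAT borrowing the single outside address via 'global (outside) 1 interface', a catch-all nat statement, and a default route whose next hop is the upstream router rather than the PIX itself) as an added Python script; this is an editor's example, not code from the thread or from Cisco. The config it parses is constructed, and the line patterns it matches are an assumption about PIX 6.x syntax.

```python
import ipaddress
import re
# Constructed PIX 6.3-style config (not the thread's own): single-public-address PAT plus a few slips.
SAMPLE_CONFIG = """\
interface ethernet0 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.200 255.255.255.224
ip address inside 10.10.10.1 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.200 1
snmp-server community public
"""

def check_pix_config(text):
    # Returns a list of findings; the line patterns assume PIX 6.x syntax.
    findings, ifaces = [], {}  # ifaces: nameif -> IPv4Interface
    for line in text.splitlines():
        m = re.match(r"ip address (\S+) (\S+) (\S+)$", line)
        if m:
            try:  # catches five-octet slips such as 192.168.1.10.1
                ifaces[m[1]] = ipaddress.IPv4Interface(f"{m[2]}/{m[3]}")
            except ValueError:
                findings.append(f"malformed address on {m[1]}: {line}")
        if re.match(r"interface \S+ \S+ shutdown$", line):
            findings.append(f"interface administratively down: {line}")
        if re.match(r"snmp-server community (public|private)$", line):
            findings.append("default SNMP community string in use")
    # One public address: PAT borrows the outside interface IP, and a catch-all nat selects inside hosts.
    if "global (outside) 1 interface" not in text:
        findings.append("missing 'global (outside) 1 interface' (PAT on outside IP)")
    if not re.search(r"^nat \(inside\) 1 0\.0\.0\.0 0\.0\.0\.0", text, re.M):
        findings.append("missing catch-all 'nat (inside) 1 0.0.0.0 0.0.0.0'")
    # Default route: next hop is the upstream router on the outside subnet, never the PIX's own address.
    m = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+) \d+$", text, re.M)
    outside = ifaces.get("outside")
    if not m:
        findings.append("no default route via outside")
    elif outside is not None:
        try:
            gw = ipaddress.IPv4Address(m[1])
        except ValueError:
            findings.append(f"malformed default gateway: {m[1]}")
        else:
            if gw == outside.ip:
                findings.append("default gateway is the PIX's own outside address")
            elif gw not in outside.network:
                findings.append(f"gateway {gw} not on outside subnet {outside.network}")
    return findings
```

Run against SAMPLE_CONFIG it reports the shut-down interface, the self-pointing default route and the default SNMP community; pointing the route at the upstream router's address on the same /27 clears the routing finding.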