Jump to content
Sadikhov IT Certification forums
Sign in to follow this  


Recommended Posts



I have a situation where I need to setup a firewall before a PIX like this (OUTSDE - FW1 - PIX - DMZ/INSIDE). I am not an expert of PIX and need some assistance.



Customer has a PIX on their network with the following configuration:


ip address out publicip1

ip address inside

ip address DMZ_WWW 10.10.101


name server1

name server2

name server3

name server4

name server5

name server6


access-list OUTSIDE_ACCESS_IN permit tcp any host publicip2 eq https

access-list OUTSIDE_ACCESS_IN permit tcp any host publicip3 eq domain

access-list OUTSIDE_ACCESS_IN permit tcp any host publicip4 eq 8080

access-list OUTSIDE_ACCESS_IN deny tcp any any


They have another access-list DMZ_ACCESS_IN with several rules for traffic between server1 and the rest of the servers


global (outside) 1 publicip5 netmask

global (DMZ_WWW) 1 netmask

nat (DMZ_WWW) 1


static (DMZ_WWW, outside) publicip2 server1 netmask 0 0

static (inside, DMZ_WWW) netmask 0 0

static (DMZ_WWW, outside) publicip4 server4 netmask 0 0


access-group OUTSIDE_ACCESS_IN in interface outside

access-group DMZ_ACCESS_IN in interface DMZ_WWW


route outside publicip6





Due to some security requirement, they need to put another firewall before the PIX. Therefore beween the new firewall and PIX they will have private ips (NEW FIREWALL - /29 and PIX - /29)


On the new firewall I can configure several public ips (publicip1, 2 etc) on the WAN interface and redirect traffic coming in for them to the ip of the PIX i.e.


My issue is what configuration changes do I have to make on the PIX for this to work?


Appreciate any help.



Share this post

Link to post
Share on other sites

Mainly if another FW will be place ahead, I suggest you do things as simple as possible:

- remove NAT from PIX

- move NAT to the "newer" firewall

- the public IP from the outside interface will move to the new FW the use a interconnection class between FW and PIX

- while implementing this I would use no FW on PIX, at least until you set up all correctly:

access-list ANY permit ip any any

access-group ANY in outside

access-group ANY in dmz

  • Upvote 1

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this