Hi all,

I've been researching this problem for several days now, and have come up totally short in terms of finding a solution. Here's the scenario:

I have a PIX 515 with an internal network range of 192.168.0.0/24 behind it and a single external IP I obtain via DHCP [cable]. I have the PIX configured as 192.168.0.1 and I have it using DHCP to obtain an IP for the external address.

Here is the routing table:

    outside 0.0.0.0 0.0.0.0 204.210.27.1 1 OTHER static
    inside 192.168.0.0 255.255.255.0 192.168.0.1 1 CONNECT static
    outside 204.210.27.0 255.255.255.0 204.210.27.13 1 CONNECT static

Now here's the problem: I can ping the other 192.168.0.0/24 machines from the PIX, and I can ping outside IPs from the PIX. However, I cannot get the traffic to route from the internal network through the PIX using PAT. Yes, I know the PIX is not designed to be a router, but I only require it to perform a simple routing task with regard to PAT.

Here's a part of the configuration I don't totally understand: When setting up a global rule, if the single external IP I have is configured as the outside interface, it will return:

    Start and end addresses overlap with outside interface address

[command: global (outside) 1 outside.ip]

My NAT table reads:

    nat (inside) 1 192.168.0.0 255.255.255.0 0 0

Yes, I have tried changing this to allow NAT from everywhere [0 in field where 192.168.0.0 is]

So I figured a way around this, although it doesn't work: bring the external interface down, then issue the global command, then bring it back up. This doesn't present a problem to the PIX in terms of an error msg when I'm configuring it, but the traffic still fails to route.

My question is: What is the proper way to do this? All I need is a PAT setup "many to one" type translation for this internal network. I will attach a 'show config' for diagnostic purposes.
Any insight would be greatly appreciated - And I have been through the documentation available on Cisco's site quite a few times, and while it's rather informative I was unable to solve this problem with it. If anyone would like more information from the device I would be glad to e-mail it to you off-list or whatever. Thanks.

--BEGIN 'show config'--
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password blahblbahblah encrypted
passwd blahblah encrypted
hostname pix
domain-name mydomain.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
ip address outside dhcp
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 204.210.27.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
telnet timeout 5
ssh timeout 5
terminal width 80
--END 'show config'--

--BEGIN 'show version'--
Compiled on Thu 17-May-01 20:05 by morlee
Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0050.54ff.2403, irq 10
1: ethernet1: address is 0050.54ff.2404, irq 7

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Throughput: Unlimited
ISAKMP peers: Unlimited
--END 'show version'--

Thanking you in advance,
Sean Lewis
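
The following is an added example, not part of the original post: a short Python check that reads a PIX 6.x style configuration and lists every nat statement whose ID has no global statement with the same ID, the pairing that many-to-one PAT depends on. The function name is hypothetical, POSTED_EXCERPT is copied from the 'show config' above, and WITH_GLOBAL appends one constructed line for comparison.

```python
import re

# Matches "nat (inside) 1 ..." and "global (outside) 1 ..." as they
# appear in a PIX 6.x 'show config'.
RULE = re.compile(r"^(nat|global)\s+\((\S+)\)\s+(\d+)\b")


def unpaired_nat_rules(config_text):
    """Return sorted (nat_id, interface) pairs that no global statement matches.

    ID 0 is skipped: "nat 0" means "do not translate" and takes no global.
    """
    nat_rules = set()
    global_ids = set()
    for raw in config_text.splitlines():
        m = RULE.match(raw.strip())
        if not m:
            continue
        kind, interface, rule_id = m.group(1), m.group(2), int(m.group(3))
        if kind == "nat":
            nat_rules.add((rule_id, interface))
        else:
            global_ids.add(rule_id)
    return sorted(r for r in nat_rules if r[0] != 0 and r[0] not in global_ids)


# Lines copied from the 'show config' in the post.
POSTED_EXCERPT = """\
ip address outside dhcp
ip address inside 192.168.0.1 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 204.210.27.1 1
"""

# Constructed variant: the same excerpt plus a global with ID 1 that
# uses the outside interface's own address.
WITH_GLOBAL = POSTED_EXCERPT + "global (outside) 1 interface\n"

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_EXCERPT), ("with global", WITH_GLOBAL)):
        missing = unpaired_nat_rules(cfg)
        for rule_id, interface in missing:
            print(f"{label}: nat ({interface}) {rule_id} has no matching global")
        if not missing:
            print(f"{label}: every nat ID has a matching global")
```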