Sean, I stand self-corrected, in private mail I told you AFAIK it wasn't possible. However, after I did a quick search at www.cisco.com for "515 DHCP PAT" this information was contained in the first hit. HTH, let me know if it works.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm (Watch Wrap)

The following partial configuration example shows how to use three new features that are associated with each other: DHCP server, DHCP client, and PAT using interface IP to configure a PIX Firewall in a small office, home office (SOHO) environment:

! use dhcp to configure the outside interface and default route
ip address outside dhcp setroute
! enable dhcp server daemon on the inside interface
ip address inside 10.0.1.2 255.255.255.0
dhcpd address 10.0.1.101-10.0.1.110
dhcpd dns 209.165.201.2 209.165.202.129
dhcpd wins 209.165.201.5
dhcpd lease 3000
dhcpd domain example.com
dhcpd enable
! use outside interface IP as PAT global address
nat (inside) 1 0 0
global (outside) 1 interface

The following is sample output for the show dhcpd command:

show dhcpd
dhcpd address 10.0.1.100-10.0.1.108 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd dns 192.23.21.23
dhcpd enable inside

The following is sample output for the show dhcpd binding command:

show dhcpd binding
IP Address    Hardware Address    Lease Expiration    Type
10.0.1.100    0100.a0c9.868e.43   84985 seconds       automatic

The following is sample output for the show dhcpd statistics command:

show dhcpd statistics
Address Pools        1
Automatic Bindings   1
Expired Bindings     1
Malformed messages   0
Message Received
BOOTREQUEST          0
DHCPDISCOVER         1
DHCPREQUEST          2
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0
Message Sent
BOOTREPLY            0
DHCPOFFER            1
DHCPACK              1
DHCPNAK              1

Ken Claussen MCSE CCNA CCA
Ken@kccweb.com
"The Mind is a Terrible thing to Waste!"
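The Cisco excerpt above pairs the nat and global statements through the NAT ID (1) and uses the interface keyword so the PAT address follows whatever lease the outside interface gets. The script below is an added example, not from the posting and not Cisco's code: a small linter for that pairing that reads a PIX-style config dump, collects the ip address/nat/global lines it knows about, and reports a nat ID with no matching global (Sean's config as posted) or a global on a DHCP-addressed interface that uses a fixed address instead of interface. The three sample configs are constructed from the values quoted in the thread; the regexes only understand the three command forms that appear on this page.

```python
"""Lint PIX 6.x-style nat/global pairing for a DHCP-addressed outside interface.

Added example for the list thread; not from the posting or from Cisco. Only
'ip address <if> dhcp', 'nat (<if>) <id> ...' and 'global (<if>) <id> ...' are
parsed; every other line is ignored.
"""
import re

IP_DHCP_RE = re.compile(r"^ip\s+address\s+(\S+)\s+dhcp\b")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(.*)$")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(.*)$")

# Constructed from the values Sean posted: outside is DHCP, nat id 1 exists,
# but no global statement was ever accepted by the box.
SEAN_CONFIG = """
ip address outside dhcp
ip address inside 192.168.0.1 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 204.210.27.1 1
"""

# Same config with the line from Ken's Cisco excerpt added.
FIXED_CONFIG = SEAN_CONFIG + "global (outside) 1 interface\n"

# Constructed variant: a fixed global address on a DHCP interface (the overlap
# error Sean hit, and a silent break once the lease changes).
STATIC_GLOBAL_CONFIG = SEAN_CONFIG + "global (outside) 1 204.210.27.13\n"


def parse_config(config_text):
    """Return (dhcp_interfaces, nat_by_id, global_by_id) from a config dump."""
    dhcp_ifs = set()
    nats = {}      # nat id -> [(interface, remaining args)]
    globals_ = {}  # nat id -> [(interface, remaining args)]
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or PIX comment line
        m = IP_DHCP_RE.match(line)
        if m:
            dhcp_ifs.add(m.group(1))
            continue
        m = NAT_RE.match(line)
        if m:
            nats.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
    return dhcp_ifs, nats, globals_


def check_pat_config(config_text):
    """Return human-readable findings; an empty list means every nat id has a
    usable global and DHCP interfaces use 'interface' rather than a fixed IP."""
    dhcp_ifs, nats, globals_ = parse_config(config_text)
    findings = []
    for nat_id, _entries in sorted(nats.items()):
        if nat_id == 0:
            continue  # nat 0 is the identity (no translation) case; no global needed
        if nat_id not in globals_:
            findings.append(
                f"nat id {nat_id} has no matching global: inside hosts will not be translated")
            continue
        for gif, args in globals_[nat_id]:
            if gif in dhcp_ifs and args.split()[0] != "interface":
                findings.append(
                    f"global on DHCP-addressed interface {gif} uses fixed address(es) "
                    f"'{args}'; use 'global ({gif}) {nat_id} interface' so PAT follows the lease")
    for gid in globals_:
        if gid != 0 and gid not in nats:
            findings.append(f"global id {gid} has no matching nat statement")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", SEAN_CONFIG), ("with interface PAT", FIXED_CONFIG),
                      ("with fixed global", STATIC_GLOBAL_CONFIG)):
        print(f"{name}: {check_pat_config(cfg) or 'OK'}")
```

Run it against a pasted show config; the first and third samples each produce one finding, the second none. The check is deliberately narrow: it says nothing about access rules or routing, only whether the many-to-one translation Sean asked for is actually wired up.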
-----Original Message-----
From: firewalls-owner@Lists.GNAC.NET [mailto:firewalls-owner@Lists.GNAC.NET] On Behalf Of Sean Lewis
Sent: Wednesday, June 06, 2001 1:24 AM
To: firewalls@Lists.GNAC.NET
Subject: PIX 515 + broadband - what am I missing?

hi all,

I've been researching this problem for several days now, and have come up totally short in terms of finding a solution. Here's the scenario:

I have a PIX 515 with an internal network range of 192.168.0.0/24 behind it and a single external IP I obtain via DHCP [cable]. I have the PIX configured as 192.168.0.1 and I have it using DHCP to obtain an IP for the external address.

Here is the routing table:

outside 0.0.0.0 0.0.0.0 204.210.27.1 1 OTHER static
inside 192.168.0.0 255.255.255.0 192.168.0.1 1 CONNECT static
outside 204.210.27.0 255.255.255.0 204.210.27.13 1 CONNECT static

Now here's the problem: I can ping the other 192.168.0.0/24 machines from the PIX, and I can ping outside IPs from the PIX. However, I cannot get the traffic to route from the internal network through the PIX using PAT. Yes, I know the PIX is not designed to be a router, but I only require it to perform a simple routing task with regard to PAT.

Here's a part of the configuration I don't totally understand: When setting up a global rule, if the single external IP I have is configured as the outside interface, it will return:

Start and end addresses overlap with outside interface address
[command: global (outside) 1 outside.ip]

my NAT table reads:

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

Yes, I have tried changing this to allow NAT from everywhere [0 in field where 192.168.0.0 is].

so I figured a way around this, although it doesn't work: bring the external interface down, then issue the global command, then bring it back up. This doesn't present a problem to the PIX in terms of an error msg when I'm configuring it, but the traffic still fails to route.

My question is: What is the proper way to do this?

All I need is a PAT setup "many to one" type translation for this internal network. I will attach a 'show config' for diagnostic purposes. Any insight would be greatly appreciated - And I have been through the documentation available on Cisco's site quite a few times, and while it's rather informative I was unable to solve this problem with it. If anyone would like more information from the device I would be glad to e-mail it to you off-list or whatever.

Thanks.

--BEGIN 'show config'--
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password blahblbahblah encrypted
passwd blahblah encrypted
hostname pix
domain-name mydomain.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
ip address outside dhcp
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 204.210.27.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
telnet timeout 5
ssh timeout 5
terminal width 80
--END 'show config'--

--BEGIN 'show version'--
Compiled on Thu 17-May-01 20:05 by morlee
Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0050.54ff.2403, irq 10
1: ethernet1: address is 0050.54ff.2404, irq 7
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Throughput: Unlimited
ISAKMP peers: Unlimited
--END 'show version'--

Thanking you in advance,
Sean Lewis

- [To unsubscribe, send mail to majordomo@lists.gnac.net with "unsubscribe firewalls" in the body of the message.]