
Help with config - can not access internet

flopez
Level 1

I can ping from machine 192.168.40.8 to the PIX and vice versa. I cannot ping from either the machine or the PIX to the outside Internet.

Can someone look at my config and see what I am missing? Also, I am prohibiting machine 192.168.40.10 from browsing the Internet.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname lab
domain-name LAB
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outthere permit icmp any any echo-reply
access-list outthere permit icmp any any unreachable
access-list outthere permit icmp any any time-exceeded
access-list inthere permit icmp any any
access-list inthere deny tcp host 192.168.40.10 any eq www
access-list inthere permit tcp any any eq www
access-list inthere permit tcp any any eq https
access-list inthere permit ip any any
access-list inthere permit tcp any any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 37.x.x.10 255.255.255.248
ip address inside 192.168.40.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 37.139.239.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80

Thanks in advance.

JT

21 Replies

vitripat
Level 7

Please apply the following commands:

access-group outthere in interface outside
access-group inthere in interface inside

You had access-lists created, but they are not effective unless tied to an interface. Now things should work.

Hope that helps.

Regards,

Vibhor.

I could have sworn I had those lines in there. I think when I cleared my access-list, it must have wiped those lines out. I'll give that a try to see what happens. Thanks.

I added the access-group lines, but I still cannot get to the Internet. I'm not sure what is wrong. I am attaching the config again along with some other outputs.

PIX Version 6.3(1)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname lab
domain-name LAB
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outthere permit icmp any any echo-reply
access-list outthere permit icmp any any unreachable
access-list outthere permit icmp any any time-exceeded
access-list inthere permit icmp any any
access-list inthere deny tcp host 192.168.40.10 any eq www
access-list inthere permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 37.x.x.10 255.255.255.248
ip address inside 192.168.40.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outthere in interface outside
access-group inthere in interface inside
route outside 0.0.0.0 0.0.0.0 37.139.239.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end

lab# sh int
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000d.bdc8.9868
  IP address 37.x.x.10 , subnet mask 255.255.255.248
  MTU 1500 bytes, BW 10000 Kbit full duplex
  84 packets input, 5040 bytes, 0 no buffer
  Received 84 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  91 packets output, 5460 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
  input queue (curr/max blocks): hardware (128/128) software (0/1)
  output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000d.bdc8.9869
  IP address 192.168.40.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
  77 packets input, 5867 bytes, 0 no buffer
  Received 11 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  5 packets output, 306 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
  input queue (curr/max blocks): hardware (128/128) software (0/1)
  output queue (curr/max blocks): hardware (0/1) software (0/1)

lab# sh access-group
access-group outthere in interface outside
access-group inthere in interface inside

acomiskey
Level 10

Off the subject, but you could get rid of three lines in your ACL...

access-list inthere permit tcp any any eq www

access-list inthere permit tcp any any eq https

access-list inthere permit tcp any any eq domain

as you have...

access-list inthere permit ip any any

Thanks. I didn't know that. But it makes sense.
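An added example, not from anyone in this thread: a small Python checker that applies the two points made above to a constructed copy of the ACL lines from the first posted config. It flags access-lists that no access-group line binds to an interface (vitripat's diagnosis) and permit entries that the same ACL's permit ip any any already covers (acomiskey's three lines).

```python
import re
from collections import defaultdict

# Constructed sample: the ACL lines of the first config posted in this thread,
# with no access-group lines, which is exactly the situation vitripat diagnosed.
SAMPLE_CONFIG = """\
access-list outthere permit icmp any any echo-reply
access-list outthere permit icmp any any unreachable
access-list inthere permit icmp any any
access-list inthere deny tcp host 192.168.40.10 any eq www
access-list inthere permit tcp any any eq www
access-list inthere permit tcp any any eq https
access-list inthere permit ip any any
access-list inthere permit tcp any any eq domain
"""

def parse_acls(config):
    """Map each ACL name to its rules in configured (first-match) order."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (.*)", line.strip())
        if m:
            acls[m.group(1)].append(m.group(2))
    return acls

def unbound_acls(config):
    """ACLs that are defined but never applied with access-group, so they filter nothing."""
    bound = set(re.findall(r"^access-group (\S+) in interface", config, re.M))
    return sorted(set(parse_acls(config)) - bound)

def redundant_permits(config):
    """Permit rules already covered by the same ACL's 'permit ip any any'."""
    found = []
    for name, rules in parse_acls(config).items():
        if "permit ip any any" not in rules:
            continue
        catch = rules.index("permit ip any any")
        for i, rule in enumerate(rules):
            # Only 'permit <proto> any any ...' rules are a strict subset of the catch-all.
            if i == catch or not re.match(r"permit \S+ any any", rule):
                continue
            # Redundant if after the catch-all (never reached) or before it with no deny between.
            if i > catch or not any(r.startswith("deny") for r in rules[i:catch]):
                found.append((name, rule))
    return found

if __name__ == "__main__":
    print("unbound ACLs:", unbound_acls(SAMPLE_CONFIG))
    for name, rule in redundant_permits(SAMPLE_CONFIG):
        print(f"redundant in {name}: {rule}")
```

The deny check is deliberately conservative: a specific permit that sits before a deny is kept, since removing it could change which packets the deny catches.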

Add a 'deny any any log' to the end of your ACLs, and set up a syslog server (Kiwi Syslogd) on the inside machine. Then set up your firewall to use that machine as the syslog server. (Another option is to view debug inside the firewall.) This way you can see what traffic is actually getting denied.

Also is your outside route correct? Can you ping your next hop on the outside?

I can't ping anything on the outside of the PIX.

Try to auto-negotiate the OUTSIDE speed/duplex instead of setting 10full.

The autonegotiate for some reason does not work, and my connection outside is 10BASE-T. This is why I manually configured it.

What errors do you get when you autonegotiate? Try 10 half duplex.

Is the route outside 37.139.239.6 one of your devices or the ISP's? Can you ping your PIX from 37.139.239.6? If it's not yours, call your ISP and have them reprovision the circuit.

The route outside to 37.139.239.6 is my gateway. This is a DSL line. I'll try to ping from the Internet to my PIX to see what I get.

You won't be able to ping outside of the PIX with your current config; just ping from the PIX to the gateway.

If I can't ping anything on the Internet, I won't be able to ping anything outside the PIX. Thanks. I just rebooted the modem, firewall, and PC and still nothing.

When the PIX came up, it came up in monitor> mode. I reloaded again and it came up with the normal prompt. Not sure what happened there.
