PIX-506e: Help with NAT setup (newbie)

Answered Question
May 8th, 2007

I've got the following scenario: internal LAN at 192.168.0.x, connected to inside port of 506e. Outside port connected to cable router (SMC 8014). Cable router supplies address to 506e (10.1.10.x).

I've specified address pools as PAT using the assigned port addresses, but I can't ping through the 506e (i.e., I can't ping to

I'm probably just missing something obvious, but I'll be grateful for any advice. Config attached.



Correct Answer by acomiskey about 9 years 5 months ago

What fixed it?

Here's everything you ever wanted to know about PIX.


Command references have all cli commands. Also check out the configuration guides.

Please rate these if they help.

Jon Marshall Tue, 05/08/2007 - 05:39


Is the ISP address ?.

Ping uses ICMP which is not stateful so you need to explicitly allow it back through your firewall.

Add this to your config:

1) access-list outside_in permit icmp host any (note you can change the any to a host from your internal network)

2) access-group outside_in in interface outside.



ddidpm506 Tue, 05/08/2007 - 06:41


No, the 8014 is a cable modem/router. It NATs from the internet address to 10.1.10.x (it gave the PIX

I'm only using ping as an example. I don't think anything is routed through to the cable router. If I connect a PC directly to the cable router everything works fine. But I can't seem to get anything across the PIX.



ddidpm506 Wed, 05/09/2007 - 04:08

I've attached my entire config.

Is there a document or website that gives a detailed explanation of all terminal commands and their syntax for the 506e?




You have some statements in the pix that are not needed. But below is the config to allow icmp back into the network.

1. Check to see if you have a route to the outside world.

Show route

You should see something like:


Next paste the following config changes in.

config t

no global (inside) 1 interface

access-list outside permit icmp any any echo-reply

access-list outside permit icmp any any time-exceeded

access-list outside permit icmp any any unreachable

access-group outside in interface outside


wr me

Next from the pix try to ping outside.

ping outside

From your PC ping

What works and doesn't work?

acomiskey Wed, 05/09/2007 - 11:44

You won't get too far with this either..remove these.

access-list inside_access_in permit icmp host echo

access-group inside_access_in in interface inside

and what is the purpose of this, you should not need it.

static (inside,outside) dns netmask 0 0

ddidpm506 Wed, 05/09/2007 - 11:51

Thanks everyone - this solved the problem.

I appreciate your help.

Is there a document that describes, in detail, the CLI commands, their syntax and what the various parameters mean? I'm just monkey-see-monkey-do at this point, and I really need to get a better understanding of what these commands do.



ddidpm506 Wed, 05/09/2007 - 12:11

Here's what my final config looks like:

access-list inside_access_in permit icmp host echo

access-list outside_access_in permit icmp interface outside echo-reply

access-list icmp1 permit icmp any any

global (outside) 2 interface

global (inside) 1 interface

nat (inside) 2 dns 0 0

access-group icmp1 in interface outside
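
Added example, not part of the thread or of any poster's configuration: a small Python check that contrasts the `access-list icmp1 permit icmp any any` rule applied to the outside interface in the final config with the three reply-type rules suggested earlier in the thread. The helper name `audit_icmp`, the finding labels and both sample strings are constructed for illustration and use only commands quoted above.

```python
# Constructed samples built from commands quoted in the thread.
FINAL_CONFIG = """\
access-list icmp1 permit icmp any any
access-group icmp1 in interface outside
"""
SUGGESTED_CONFIG = """\
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any unreachable
access-group outside in interface outside
"""

# ICMP types the thread suggests admitting for return traffic.
REPLY_TYPES = {"echo-reply", "time-exceeded", "unreachable"}


def _skip_address(tokens):
    """Drop one PIX address spec from the front of a token list."""
    if tokens and tokens[0] == "any":
        return tokens[1:]
    # 'host <ip>', 'interface <name>' and '<ip> <mask>' each use two tokens.
    return tokens[2:]


def audit_icmp(config, interface="outside"):
    """Flag ICMP permits in ACLs applied inbound on `interface` (hypothetical helper)."""
    bound, entries = set(), []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 5 and tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
            if tok[4] == interface:
                bound.add(tok[1])
        elif len(tok) >= 4 and tok[0] == "access-list" and tok[2:4] == ["permit", "icmp"]:
            rest = _skip_address(_skip_address(tok[4:]))
            entries.append((tok[1], " ".join(tok), rest[0] if rest else None))
    findings = []
    for name, text, icmp_type in entries:
        if name not in bound:
            continue  # ACL is defined but not applied to this interface
        if icmp_type is None:
            findings.append(("all-icmp-types", text))
        elif icmp_type not in REPLY_TYPES:
            findings.append(("non-reply-type", text))
    return findings


if __name__ == "__main__":
    for label, cfg in (("final", FINAL_CONFIG), ("suggested", SUGGESTED_CONFIG)):
        print(label, audit_icmp(cfg))
```

The final config is reported because its rule carries no ICMP type, so it admits every ICMP message arriving on the outside interface; the three-line list yields no findings.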



