Can't connect to server thru PIX

Nov 21st, 2007

PIX 501 - unable to connect to / from server behind PIX 501 firewall.




Traffic from 172.25.188.x needs to access server.


PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxxx
hostname POWfgMUSsal03dv
no fixup protocol dns
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
name msvst
name proxy
name domain_controller
object-group network server
  network-object msvst
object-group network clients
  network-object 172.176.0
object-group network proxy
  network-object proxy
object-group service msvst_tcp tcp
  port-object eq 8080
  port-object eq www
  port-object eq https
  port-object eq 1433
  port-object eq 3389
object-group icmp-type icmp_allowed
  icmp-object echo
  icmp-object time-exceeded
  icmp-object echo-reply
object-group service DCPorts tcp-udp
  port-object eq 137
  port-object eq 138
  port-object eq 139
object-group network mgmt_access
object-group service mgmt_prots tcp
  port-object eq ssh
  port-object eq telnet
object-group service SMBPorts tcp-udp
  port-object range 135 139
  port-object eq 389
  port-object eq 445
access-list inside_access_in permit icmp object-group clients object-group server object-group icmp_allowed
access-list inside_access_in permit tcp object-group mgmt_access any object-group mgmt_prots
access-list inside_access_in permit tcp any object-group server object-group msvst_tcp
access-list inside_access_in permit tcp object-group clients object-group server object-group SMBPorts
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any object-group icmp_allowed
access-list outside_access_in permit tcp object-group server object-group proxy eq www
access-list outside_access_in permit icmp object-group server any object-group icmp_allowed
access-list outside-access_in permit tcp object-group server host domain_controller object-group DCPorts
pager lines 24
logging on
logging timestamp
logging facility 7
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 1 0 0
static (inside,outside) msvst msvst netmask 0 0
static (inside,outside) proxy proxy netmask 0 0
static (inside,outside) domain_controller domain_controller netmask 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

Jon Marshall Wed, 11/21/2007 - 06:56

The most obvious thing that stands out is that you have no global statement that ties up with the "nat (inside) 1 0.0" statement.

Assuming you want to NAT all your hosts to the IP address attached to the outside interface of your PIX:

global (outside) 1 interface
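
An added example, not part of the original thread or any Cisco tool: a small Python audit that checks a PIX 6.3 style configuration for the nat/global pairing discussed in the reply, and also lists access-list names that no access-group applies (in the posted configuration this flags `outside-access_in`, which differs from the applied `outside_access_in`). The function name `audit`, the finding labels, and the embedded sample are assumptions constructed for illustration.

```python
import re

# Constructed excerpt modelled on the posted configuration (addresses were omitted there).
SAMPLE = """\
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any object-group icmp_allowed
access-list outside-access_in permit tcp object-group server host domain_controller object-group DCPorts
nat (inside) 1 0 0
static (inside,outside) msvst msvst netmask 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""


def audit(config):
    """Return (kind, detail) findings for unpaired NAT ids and unapplied ACL names."""
    nat_ids, global_ids = {}, set()
    acl_defined, acl_applied = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nat \((\S+)\) (\d+)\s", line):
            # nat id 0 is identity NAT / exemption and needs no global pool.
            if m.group(2) != "0":
                nat_ids.setdefault(m.group(2), m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+)\s", line):
            global_ids.add(m.group(2))
        elif m := re.match(r"access-list (\S+) (permit|deny)\s", line):
            acl_defined.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface \S+", line):
            acl_applied.add(m.group(1))
    findings = []
    for nat_id in sorted(nat_ids):
        if nat_id not in global_ids:
            findings.append(("nat-without-global", f"nat ({nat_ids[nat_id]}) {nat_id}"))
    # An ACL can also be referenced elsewhere (e.g. "nat 0 access-list"), so an
    # unapplied name is a prompt to review, not proof of an error.
    for name in sorted(acl_defined - acl_applied):
        findings.append(("acl-not-applied", name))
    for name in sorted(acl_applied - acl_defined):
        findings.append(("access-group-missing-acl", name))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind}: {detail}")
```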



