Identical pix501 configs, but one won't work

Jan 18th, 2008

I am new to firewalls, so please excuse my ignorance. My company has several PIX 501 firewalls in place for a SCADA project. We have 2 more to add in. I have used the same configuration from one of the known-good PIXs for my new PIXs aside from putting the correct inside/outside IP addresses, access-lists and PDMs. I cannot ping the new PIX (inside/outside IP addresses) nor can the new PIX ping anything beyond its own inside/outside IP addresses. As I said, everything is identical, so I'm not sure what is wrong. Can anyone offer any suggestions?

Thanks in advance,


JORGE RODRIGUEZ Fri, 01/18/2008 - 11:35

Mark, you did not say where you are pinging from. If you console to the PIX, can you ping its interfaces? Can you post the output status for the inside and outside interfaces? From within the PIX, issue "show interfaces" and post the info. Could you also provide physical connectivity information, such as where the PIX inside interface connects to (e.g. switch, VLANs), as well as the outside interface, etc.?



markbednarz Fri, 01/18/2008 - 11:47

Hi Jorge,

The PIX is sitting on my desk, and I am trying to ping it from my computer across the network back to the PIX. I try to ping from the PIX using my HyperTerminal through the console cable into the PIX. Putting the PIX in the correct building makes no difference. The PIX cannot ping anything inside or outside. As far as the infrastructure between my computer and a PIX that is working correctly, my computer goes to a switch in my building to a router in my building, across a T1 to the remote building into its router, then its switch and then into the remote PIX. I have tried this with my PIX that won't work and have brought it back to my desk to try to figure out what the problem is.

The attached text is the "Show Interface" information.

JORGE RODRIGUEZ Fri, 01/18/2008 - 12:44

What is your PC IP configuration? Are you in the same segment as the inside PIX interface, or is the PIX inside interface connected to the correct VLAN on the switch carrying network? Can you post the complete PIX configuration?

markbednarz Fri, 01/18/2008 - 13:00

Hi Jorge,

PC gets IP from DHCP and always gets the same IP on the 10.1.60 subnet. I am able to ping all our other PIXs from my desk and remote into them through the web. I've attached the config of this PIX, which aside from everything being for the 10.21 outside and 10.26 inside and related access-lists and PDMs, matches all our "live" PIXs.


JORGE RODRIGUEZ Fri, 01/18/2008 - 13:47

Mark, is there another router device inside your LAN that is routing network? If you are unable to ping the inside PIX interface, either the inside PIX interface is not connected to the right VLAN in your inside switch for subnet, or there is no route to subnet from whichever router is carrying subnet. Can you verify this is the case?



markbednarz Tue, 01/22/2008 - 04:28

Hi Jorge,

Over the weekend I was starting to think that this might be a routing issue as well. I didn't see your reply back until now (Tues morning), but I think you may be right. I'll check things out and get back to you.



markbednarz Thu, 01/24/2008 - 07:47

Hi Jorge,

This was in fact a router issue. Both the closest-hop router and the main router needed the route defined and it's working like a charm now. Thanks so much for your help!


JORGE RODRIGUEZ Thu, 01/24/2008 - 08:42

Mark, you are always welcome. Thanks for your update. As I suspected, a routing problem. I am glad that it was resolved, and again, thank you for your update.

Best regards


nagel Tue, 01/22/2008 - 08:54

The 2nd PIX is on a different subnet which means that it has a different router associated with it.

You will need to change your route outside statement or your route inside statement to reflect the correct next hop router.

markbednarz Tue, 01/22/2008 - 11:03

Hi Nagel,

For my PIX that can't ping anything the routes are as follows:

outside 1 OTHER static

outside 1 CONNECT static

inside 1 CONNECT static

The router that this PIX is supposed to go to is the, the outside ip of the PIX is and inside IP of PIX is

I know the outside route is correct, so I'm not sure a change needs to occur there. Given that, I should be able to ping this PIX from my desk which is outside the PIX and vice-versa, right?



JORGE RODRIGUEZ Tue, 01/22/2008 - 15:16

Mark, in order to ping the outside interface you need an icmp permit any outside statement in your firewall configuration, which you don't have. By default the outside interface blocks ICMP.

If your PC in office and network is the outside in relation to the PIX and your network does have a route to get to network, with above icmp permit any outside statement you should be able to ping the PIX outside interface.

I still think we are not getting the complete picture of your topology other than the PIX configuration outside interface IP and inside interface IP.

Try the above and post results.



markbednarz Wed, 01/23/2008 - 04:45

Hi Jorge,

Adding the statement in did not change my ability to ping the PIX. I'm still trying to check the router situation out. The person I replaced had not documented the password to access the router so I am trying to get that information from them. I'm not ready to wipe out a router config just to gain access to it quite yet.

