Pix515E does not allow any additional servers/hosts to be deployed

I have a scenario.

1. We are using Pix515E with Restricted license

2. Currently we have moved 9 servers behind the pix firewall

3. Now we are planning to move additional servers, but somehow pix does not allow it

4. NAT translations are ok

5. Configs have been verified to be ok

6. ACLs are allowed

7. Inside servers can ping and reach/browse the new webserver

8. New webserver is able to ping other inside servers and the gateway-pix firewall

9. Outside hosts/Internet users are not able to reach the new server

10. Pix logs do not show anything suspicious

11. Capture shows the ACK is just not happening

12. We have tried to reboot/reapply the configs

Can someone please help to advise what may be wrong?

husycisco Fri, 02/15/2008 - 10:38

Hi Prasanna

Please post your running config and output of sh ver command.

"Now we are planning to move additional servers, but somehow pix does not allow it "

Can you describe this please? What error do you encounter?



Thanks for reply.

Here's the running config, edited before posting ;)

I could see the NAT translations happening

Required traffic is allowed on the firewall

We are currently moving a server in this setup behind the pix firewall.

Existing servers in this network could access the new server

But Internet users/from the outside interface we are unable to reach this server

Even from the router I am unable to ping this server, though I have tried allowing ICMP from the router.

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security80
hostname pix
clock timezone utc+8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8080
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 110 permit icmp any any
access-list 110 permit tcp 200.x.x.x any
access-list 110 permit tcp 200.x.x.x 250.x.x.x
access-list 111 permit icmp host any
access-list 111 permit tcp any 200.x.x.x
access-list 111 permit tcp any 250.x.x.x
access-list 112 permit icmp any any
access-list 112 permit tcp 250.x.x.x any
access-list 112 permit tcp 250.x.x.x 200.x.x.x
no pager
logging on
logging timestamp
logging standby
logging buffered warnings
logging trap warnings
logging history errors
logging device-id hostname
logging host inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside
ip address inside 200.x.x.x
ip address intf2 250.x.x.x
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
static (intf2,outside) 250.x.x.x 250.x.x.x netmask 0 0
static (inside,outside) 200.x.x.x 200.x.x.x netmask 0 0
static (inside,intf2) 200.x.x.x 200.x.x.x netmask 0 0
access-group 111 in interface outside
access-group 110 in interface inside
access-group 112 in interface intf2
route outside 1
route inside 200.x.x.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http inside
snmp-server location xxx
snmp-server contact xxx
snmp-server community xxx
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

show version

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 13-Aug-03 13:55 by morlee
pix up 2 hours 25 mins
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : Crypto5823 (revision 0x1)
0: ethernet0: address is 0011.2164.3c0a, irq 10
1: ethernet1: address is 0011.2164.3c0b, irq 11
2: ethernet2: address is 000d.88ee.8ec0, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 3
Maximum Interfaces: 5
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 808549223 (0x302c27bb)
Running Activation Key: 0x18eaa253 0x445d4e76 0x4a743bdc 0x2ec5df9c

Here are the capture logs for the new server, captured on the outside interface:

00:40:48.749549 > 250.x.x.207.80: S 2108858885:2108858885(0) win 65535

husycisco Fri, 02/15/2008 - 16:16

The x.x.x's make it hard to understand. Can you attach it as a file (attached files expire in time)? What is your inside server IP (with subnet mask)? Are 200.x.x.x public IPs?

husycisco Sat, 02/16/2008 - 07:27

Thanks for your time on config posting.

Here is the issue

static (intf2,outside) netmask 0 0

static (inside,outside) netmask 0 0

ip address inside

According to the above lines, I understand that this server was previously located at intf2 because, as you see, does not belong to. You have two options:

1) Change the server ip in a range of defined static above (between (Recommended)

2) We have to make a huge change in the config to be able to keep 207 in inside if it is a must not to change the IP.


Yes, indeed the server belongs to intf2 and subnet and will remain there. We have tried moving it to subnet, still the same results.

As we are using ver 6.3, NAT 0 alone is not sufficient; hence we are using static NAT and can see the NAT translations.


ip address intf2

husycisco Sun, 02/17/2008 - 09:03

So let me rephrase and correct me if I am wrong.

Server X WAS! located at intf2 with an IP of and now you moved it to the inside interface. If correct,

1) Assign this server a public IP in subnet.

2) Change the gateway of this server from to

3) Run the clear xlate and clear arp commands in the PIX

4) Run arp -d in the command line of the server 4-5 times

Now here is the issue

"Outside hosts/ Internet users are not able to reach the new server "

You have the following ACL:

access-list 111 permit tcp any host

Now change this ACL for the new IP address that you assigned to Server X.
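The two preconditions this reply keeps coming back to (a static translation on the server's interface that actually covers the new IP, and a permit for that IP in the ACL bound inbound on outside) can be checked mechanically against a saved config. The following Python is an added example, not code from the thread or from Cisco; the config fragment and its addresses (RFC 5737 documentation ranges) are constructed, since the poster's real addresses were redacted as x.x.x.

```python
import ipaddress
import re

# Constructed sample PIX 6.3 config fragment in the thread's style. The IPs are
# RFC 5737 documentation addresses (hypothetical), not the poster's redacted ones.
SAMPLE_CONFIG = """\
access-list 111 permit tcp any host 203.0.113.10 eq www
access-list 111 permit tcp any 198.51.100.64 255.255.255.192
static (inside,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255 0 0
static (intf2,outside) 198.51.100.64 198.51.100.64 netmask 255.255.255.192 0 0
access-group 111 in interface outside
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def _addr_spec(tokens):
    """Consume one PIX address spec (any | host A | A MASK) and return it as a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network((tok, tokens.pop(0)), strict=False)

def static_covers(cfg, ifc, ip):
    """True if some 'static (ifc,outside) ... netmask M' translation covers ip."""
    addr = ipaddress.ip_address(ip)
    for m in map(STATIC_RE.match, cfg.splitlines()):
        if m and m.group(1) == ifc and m.group(2) == "outside":
            if addr in ipaddress.ip_network((m.group(4), m.group(5)), strict=False):
                return True
    return False

def outside_acl_permits_tcp(cfg, ip):
    """True if the ACL applied inbound on outside permits tcp (or ip) to a destination covering ip."""
    addr = ipaddress.ip_address(ip)
    bound = {m.group(2): m.group(1) for m in map(GROUP_RE.match, cfg.splitlines()) if m}
    for m in map(ACL_RE.match, cfg.splitlines()):
        if m and m.group(1) == bound.get("outside") and m.group(2) in ("tcp", "ip"):
            tokens = m.group(3).split()
            _addr_spec(tokens)  # source spec: skipped, any outside client is fine here
            if addr in _addr_spec(tokens):
                return True
    return False

def diagnose(cfg, ifc, ip):
    """Both must be True before an outside client can reach ip behind interface ifc."""
    return {"static": static_covers(cfg, ifc, ip), "acl": outside_acl_permits_tcp(cfg, ip)}
```

A new server whose IP falls outside every static's netmask range, or outside every destination in the outside ACL, comes back False on that check; the SYN reaching outside with no reply in the capture is consistent with either.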

Thanks for your efforts sir!

These have been tried before and found to be not working.

Rephrasing the problem:

If I add new servers either on the inside interface or on intf2, it does not work. Existing servers are working fine.

For testing, I brought down one of the production servers and used its IP for the new test server. Now the new test server works. But with a new IP, say in the .128 or .192 subnet, the new servers do not work.

husycisco Tue, 02/19/2008 - 20:01

Glad that you sorted it out :)
