Cisco PIX 501

Unanswered Question
Oct 31st, 2009


I bought a PIX 501 a week ago - since then I have been trying to configure it - it looks like I need some help.

The question is:

I have an ISP RJ45 wire with single Global IP on it.

I have a LAN

I do not have a Cisco (or any other) router.

So is it possible to let LAN users access the internet with all of the above?

Thank you in advance.

Mr. Brooks.

jkrawczyk Sat, 10/31/2009 - 18:37

Hi Mr. Brooks,

The below should do it for you. I run 7.2 and your 501 can't run a higher version train than 6.x, so you may need to remove the 'extended' from the commands below. Don't worry about the 'deny ip any any' statement in the outside-in access list, because traffic going outside will be allowed back in via the inspection rule set.

access-list WWW extended remark Regulate access to the Internet
access-list WWW extended permit ip object-group LAN any
access-list outside-in extended deny ip any any
object-group network LAN
description Allow these inside networks access to the internet

access-group outside-in in interface outside
global (outside) 10 interface
nat (inside) 10 access-list WWW

By default, the PIX 501 has DHCP enabled and will acquire from your ISP the public IP and gateway information.

Your internal hosts will also receive DHCP addresses, etc from the PIX.

You don't need a router.

MUXAHMUXAH2 Sun, 11/01/2009 - 02:19

Thanks for quick reply.

It still does not work.

But I guess it is not because of your config

- I think it is something with routing


pixfw(config)# sh route
outside "the network name IP" "My Global IP" 1 CONNECT static
inside 1 CONNECT static

I will go ask about it in ROUTING part of forum.

Anyway thank you.

BR, Mr Brooks

MUXAHMUXAH2 Sun, 11/01/2009 - 12:04


global (outside) 10 interface
nat (inside) 10 access-list WWW

like in previous message?

mariusz.pianka Sun, 11/01/2009 - 15:37

It is possible; I have such a configuration set up in my office.

I believe this is a blank config, so you start from:

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global 1 interface
nat 1

If your public ISP address is assigned dynamically, you have to specify:

ip address outside dhcp setroute

Then you must either enable DHCP on the inside interface with DNS server or specify it manually and you're done.

ICMP (ping) is blocked by default; it can actually leave the interface, but the reply coming back through the outside interface is blocked.

Hope it helps.

I have a different problem now though .. :|

MUXAHMUXAH2 Mon, 11/02/2009 - 00:34

Yeah I saw.

Thanks for help.

Could you show the result of "sh route" on your PIX501?

mariusz.pianka Mon, 11/02/2009 - 10:28

PIX501# show route
outside 1 DHCP static
outside 1 CONNECT static
inside 1 CONNECT static

mariusz.pianka Tue, 11/03/2009 - 01:32

I did get it to work, so will you :)

Let's go step by step.

Could you paste your config?

MUXAHMUXAH2 Tue, 11/03/2009 - 07:54

Thanx Mariusz :)

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfw
domain-name mydomain
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

object-group network LAN
description Allow these inside networks access to the internet

access-list WWW remark Regulate access to Internet
access-list WWW permit ip object-group LAN any
access-list outside-in permit icmp any any
access-list outside-in permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group outside-in in interface outside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mydomain
dhcpd enable inside
terminal width 80

mariusz.pianka Tue, 11/03/2009 - 14:11

I applied your config to my PIX with two changes.

1. I do not specify the outside IP address manually; I type "ip address outside dhcp setroute". You can try with a manual IP, but type the SETROUTE word at the end.

2. The internet did not work until I took off all access-lists and added a different NAT command:

"nat 1"

so I took your access-lists away completely, changed the NAT command, and added SETROUTE to the outside interface.

Try this and let me know

mariusz.pianka Tue, 11/03/2009 - 14:31

I just checked again and there is no command to add a manual IP address and setroute.

What I had to do is add the IP address of my ISP's default gateway.

My IP address from the ISP is but the default gateway is

So you have to find out the IP address of your ISP gateway and set the default route.

MUXAHMUXAH2 Wed, 11/04/2009 - 10:55


1. I have nat (inside) 1 0 0

2. I cleared ALL access lists

3. And I had a default route -

route outside gate of my isp

nothing changed.

I have ICMP permitted inside and outside, but I still cannot even ping my outside interface... I am starting to panic... :)
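
As an added example that is not part of this thread or of Cisco's own tooling: a small Python checker that reads a PIX 6.x style configuration dump and flags the things the posts above keep coming back to. It checks that every nat ID has a matching global ID (the "global (outside) 10" / "nat (inside) 10" pairing), that a default route exists (either "route outside 0 0 <gateway>" or "ip address outside dhcp setroute"), that the access list bound inbound on the outside interface is not a blanket "permit ip any any", and that the SNMP community is not a well-known default. SAMPLE_CONFIG is constructed for this example, loosely modelled on the pasted config; its addresses are documentation-range placeholders and the check names and messages are this example's own.

```python
"""Added example (not from the thread): sanity checks for a PIX 6.x style config.
SAMPLE_CONFIG is constructed; addresses are placeholders, not a real network."""
import re

SAMPLE_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfw
access-list outside-in permit icmp any any
access-list outside-in permit ip any any
icmp permit any outside
ip address outside 198.51.100.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 10 0 0
access-group outside-in in interface outside
snmp-server community public
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd enable inside
"""


def parse_config(text):
    """Split a config dump into stripped, non-empty command lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def check_nat_global(lines):
    """Every 'nat (ifc) N ...' needs a 'global (ifc) N ...' with the same ID.
    ID 0 is skipped: 'nat 0' means 'do not translate' and has no global pool."""
    nat_ids, global_ids = set(), set()
    for ln in lines:
        m = re.match(r"nat \(\S+\) (\d+)\b", ln)
        if m:
            nat_ids.add(int(m.group(1)))
        m = re.match(r"global \(\S+\) (\d+)\b", ln)
        if m:
            global_ids.add(int(m.group(1)))
    findings = []
    for n in sorted(nat_ids - global_ids):
        if n != 0:
            findings.append(f"nat id {n} has no matching global statement; inside hosts are never translated")
    for n in sorted(global_ids - nat_ids):
        findings.append(f"global id {n} has no matching nat statement; the pool is unused")
    return findings


def check_default_route(lines):
    """A default route comes from DHCP ('setroute') or a static 'route outside 0 0 <gw>'."""
    dhcp = any(re.match(r"ip address outside dhcp\b.*\bsetroute\b", ln) for ln in lines)
    static = any(re.match(r"route outside (0\.0\.0\.0|0) (0\.0\.0\.0|0) \S+", ln) for ln in lines)
    if dhcp or static:
        return []
    return ["no default route: add 'route outside 0 0 <isp-gateway>' or use 'ip address outside dhcp setroute'"]


def check_outside_acl(lines):
    """An ACL bound inbound on 'outside' that contains 'permit ip any any' filters nothing."""
    findings = []
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface outside\b", ln)
        if not m:
            continue
        name = m.group(1)
        for entry in lines:
            if entry.startswith(f"access-list {name} ") and re.search(r"\bpermit ip any any\b", entry):
                findings.append(
                    f"access list {name} on the outside interface permits all inbound IP traffic; "
                    "start from 'deny ip any any' and permit only what a static translation requires"
                )
    return findings


def check_snmp(lines):
    """Well-known community strings expose the device to anyone who can reach it."""
    findings = []
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"snmp-server community '{m.group(1)}' is a well-known default; change or remove it")
    return findings


def run_checks(text):
    """Run every check over a config dump and return the combined list of findings."""
    lines = parse_config(text)
    findings = []
    for check in (check_nat_global, check_default_route, check_outside_acl, check_snmp):
        findings.extend(check(lines))
    return findings


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_CONFIG):
        print("-", finding)
```

Run it as-is and it reports the nat/global mismatch, the missing default route, the open outside-in list and the default community on the constructed sample; paste in a real "write terminal" dump instead of SAMPLE_CONFIG to check your own box. The route check accepts both the "0 0" and "0.0.0.0 0.0.0.0" spellings, so it also works for the static-gateway variant described above.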

