
Help with NAT

prerak_patel
Level 1

I do not have an external IP to advertise and would like to use the outside int IP as the advertised IP towards the Internet. Is the following sufficient for that?

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

5 Replies

hareskhan
Level 1

No, you will also need a

"global (outside) 1 interface" command.

Hares

OK, I have this basic config. When I ping a yahoo.com IP from an internal LAN PC, I see the request and response in the PIX debug, but the pings are not getting back to the PC. Also, from outside I can't access my web server. However, from inside I can get to all web sites.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Traffic from the lower security (outside) interface to the higher security (inside) interface has to be explicitly allowed using an ACL. To be able to ping hosts on the Internet from the inside network, you need to permit ICMP echo-replies on the ACL applied on the outside interface. If there's no ACL applied on the outside int, then you need to create an ACL and allow ICMP echo-replies to come in. Moreover, the outside ACL needs to permit HTTP traffic to your web server.

To access your web server from the outside you need a static NAT as well, to map the global to the local IP of the server.

The link below has a configuration example that you may find helpful.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml#configs

HTH

Sundar

Hi Sundar,

What I need to do is verify IP connectivity through the PIX, so I want to pass through all the traffic IN and OUT of the PIX. I believe the following should take care of it; please confirm.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list from_inside permit ip any any

access-list from_outside permit ip any any

I am using the external INT IP for PATTING towards the Internet. I am not sure why I need a static map for the web server.

Yes, it should work but you need to add a couple of things. I am sure you know the access-list needs to be applied to the respective interfaces using the access-group command. For the web server on the inside, you would need to configure a static statement.

HTH

Sundar
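The pieces discussed in this thread, put together as an added example that is not part of any poster's reply: interface PAT for outbound traffic, a static port redirect for the web server, and an outside ACL narrowed to what the thread says must come in, shown beside the wide-open rule. It assumes PIX 6.3-style syntax and a hypothetical inside web server address of 10.1.1.10; the ACL name follows the thread.

```cisco
: Added example. 10.1.1.10 is an assumed inside address for the web server.

: Outbound: PAT all inside hosts behind the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: Inbound web: with no spare public IP, redirect TCP/80 arriving on the
: outside interface address to the inside server. Without a static
: translation there is nothing for an inbound connection to map to,
: whatever the ACL permits.
static (inside,outside) tcp interface www 10.1.1.10 www netmask 255.255.255.255 0 0

: Wide-open rule of the kind proposed in the thread. Acceptable only as a
: short connectivity test: every port published by a static becomes
: reachable from the Internet.
: access-list from_outside permit ip any any

: Narrowed rule set: ping replies for inside hosts, and HTTP to the
: redirected port on the outside interface address.
access-list from_outside permit icmp any any echo-reply
access-list from_outside permit tcp any interface outside eq www

: An ACL has no effect until it is bound to an interface.
access-group from_outside in interface outside

: No ACL is needed on the inside interface for this setup: traffic from the
: higher security (inside) interface to the lower security (outside)
: interface is permitted by default once nat/global are in place.
```

After loading, `show access-list` displays per-entry hit counts, which confirms whether echo-replies and HTTP requests are matching the narrowed entries.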
