Cisco Support Community

New Member

PIX 506E

I am installing a new PIX506E and want to have it wide open in the beginning and then will run a Qualys network test and shut things down from that point. My problem is this: I believe it is wide open, but when I attach it to the network external people cannot access our website. Internal users have no problems. Any ideas or pointers would be great!!!


Re: PIX 506E

Could you post a config?

New Member

Re: PIX 506E

Here is my config file...


Re: PIX 506E

You want it to be wide open from the outside?

If so you could simply do...

access-list outside_access_in permit icmp any any

access-list outside_access_in permit ip any any

access-group outside_access_in in interface outside

The inside interface is wide open by default so you could remove the inside_access_in acl completely.

Your websites are working...

Make sure the dns is resolving properly.

Some of the access-list statements for your outside_access_in are not written properly. You have the source written as your 69. address with a source port. Remove these.

access-list outside_access_in permit tcp host eq www any

access-list outside_access_in permit tcp host eq https any

access-list outside_access_in permit gre host any

access-list outside_access_in permit tcp host eq pptp any

access-list outside_access_in permit tcp host eq www any

Typically it would be written like this...

access-list outside_access_in permit tcp any host eq www


Hope this helps. Please rate helpful posts.
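
As an added example (not from the thread and not Cisco's code), here is a small Python linter for the mistake pointed out in the reply above: an inbound entry that puts the port on the source instead of the destination. It also flags the temporary wide-open rule so it is not forgotten later. The address 192.0.2.10, the sample lines and all function names are assumptions made for illustration.

```python
# Added example: lint PIX-style access-list lines for a misplaced port qualifier.
# Sample addresses are constructed (192.0.2.0/24 is a documentation range).

def _take_addr(tok, i):
    """Consume an address spec at tok[i]; return (spec, next_index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return "host " + tok[i + 1], i + 2
    return tok[i] + " " + tok[i + 1], i + 2          # address + netmask

def _take_port(tok, i):
    """Consume an optional port qualifier; return (spec or None, next_index)."""
    if i < len(tok) and tok[i] in ("eq", "lt", "gt", "neq"):
        return " ".join(tok[i:i + 2]), i + 2
    if i < len(tok) and tok[i] == "range":
        return " ".join(tok[i:i + 3]), i + 3
    return None, i

def parse_ace(line):
    """Split one access-list entry into action, protocol, source and destination."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry: " + line)
    ace = {"acl": tok[1], "action": tok[2], "proto": tok[3]}
    ace["src"], i = _take_addr(tok, 4)
    ace["src_port"], i = _take_port(tok, i)
    ace["dst"], i = _take_addr(tok, i)
    ace["dst_port"], i = _take_port(tok, i)
    return ace

def lint(lines):
    """Return (line_number, message) findings for the given entries."""
    findings = []
    for n, line in enumerate(lines, 1):
        ace = parse_ace(line)
        if ace["proto"] in ("tcp", "udp") and ace["src_port"] and not ace["dst_port"]:
            findings.append((n, "port is on the source (%s); clients use ephemeral "
                                "source ports, so this rarely matches" % ace["src"]))
        if ace["action"] == "permit" and ace["proto"] == "ip" \
                and ace["src"] == ace["dst"] == "any":
            findings.append((n, "permit ip any any: interface is wide open"))
    return findings

SAMPLE = [  # constructed entries, not taken from the poster's config
    "access-list outside_access_in permit tcp host 192.0.2.10 eq www any",
    "access-list outside_access_in permit tcp any host 192.0.2.10 eq www",
    "access-list outside_access_in permit gre host 192.0.2.10 any",
    "access-list outside_access_in permit ip any any",
]
```

Calling `lint(SAMPLE)` reports entries 1 and 4; entry 2 is the corrected form with the port on the destination.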

New Member

Re: PIX 506E

I made the changes (I think) that you recommended, but still cannot get to our website externally. Here is the config file with the changes. Thanks for all your help and I really appreciate it!!

Re: PIX 506E

I see you have a route as:

route outside 1

which is your PIX outside interface.

Who is routing your public IP block? Do you have a next hop router in front of the PIX? I don't think you are routing your public IP block back to the PIX outside interface.

New Member

Re: PIX 506E

CBeyond handles the public IP block and we do not have a next hop router in front of the pix. What would be the best way to route this back?

Re: PIX 506E

Your outside interface must be facing/touching your ISP, and that is why I was puzzled as to why your default route is pointing to the PIX outside interface address as opposed to the next hop router, which is the ISP provider.

The ISP knows better: if they gave you a public IP block, they route it back to the outside interface of your PIX, and your default route is the ISP provider's IP.

On the ISP router facing your PIX outside, they have to route back the block as:

ip route
