Cisco Support Community

New Member

PIX 515E

I'm having some trouble setting up a new firewall (I'm new to firewalls). I've got the unit up with IP addresses configured on the inside and outside interfaces. I downloaded and installed the ASDM software. I can't seem to get it to pass traffic.

The unit is being used to secure one network from the rest of our company network.

Inside interface is

The PIX will be the gateway on this network.

Outside interface is

Gateway on the outside network is a Cisco 6500 MSFC which connects to the rest of the company.

Thanks, Dave

I have included a show run:

PIX Version 7.2(2)


hostname pixfirewall

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted


name GAC

name Plant



interface Ethernet0

nameif outside

security-level 0

ip address


interface Ethernet1

nameif inside

security-level 100

ip address


interface Ethernet2


nameif intf2

security-level 4

no ip address


passwd 0aywtm/YUv1U3jNB encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list ping_acl extended permit icmp Plant any

access-list outside_access_in extended permit icmp Plant

access-list outside_access_in extended permit icmp GAC

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu intf2 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image flash:/asdm-524.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0

access-group ping_acl in interface outside

route outside 1


router rip


version 2


timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps snmp authentication linkup linkdown coldstart

no sysopt connection permit-vpn

telnet Plant outside

telnet GAC outside

telnet inside

telnet timeout 5

ssh timeout 5

ssh version 1

console timeout 0

dhcpd dns

dhcpd wins

dhcpd ping_timeout 750

dhcpd auto_config outside


dhcpd address inside

dhcpd enable inside



class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns migrated_dns_map_1


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect http

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp


service-policy global_policy global

prompt hostname context


: end

asdm image flash:/asdm-524.bin

asdm location GAC inside

asdm history enable

New Member

Re: PIX 515E


Try changing your PAT:

Enter these commands:

no global (outside) 1 interface

no nat (inside) 0

nat (inside) 1

global (outside) 1 interface

clear xlate

About the ACLs:

access-list outside_access_in extended permit icmp Plant

access-list outside_access_in extended permit icmp GAC

You are trying to ping your hosts on the inside from Plant and GAC (located on the outside). You will not be able to do this since you are USING PAT, hence hiding your inside network, so whenever you try to ping any host in you will not reach it from the outside.

Try entering

access-list outside_access_in extended permit icmp any any

so you can test pinging from any host on the inside to anything on the outside, but you won't be able to ping from the outside to the inside.

And one last observation:

telnet Plant outside

telnet GAC outside

You will not be able to telnet to the outside interface unless you use IPsec. This is because telnet sends everything in clear text, and doing this on the outside interface would be insane!!
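The two points raised in this reply (a nat statement whose id has no matching global, and cleartext management open on the outside) can be checked mechanically in a PIX 7.x show run. The audit script below is an added example, not code from this thread or from Cisco; the sample config is constructed to mirror the posted one, with documentation addresses (192.0.2.0/24, 198.51.100.0/24) standing in for the stripped values, and it also covers the ssh version 1 and public SNMP community lines from the original show run:

```python
import re

# Constructed sample modelled on the posted show run (addresses are placeholders).
SAMPLE_CONFIG = """\
nameif outside
nameif inside
global (outside) 1 interface
nat (inside) 0 192.0.2.0 255.255.255.0
telnet 198.51.100.10 255.255.255.255 outside
telnet 192.0.2.0 255.255.255.0 inside
ssh version 1
snmp-server community public
"""

def audit_pix_config(text):
    """Return a list of (severity, finding) tuples for a PIX 7.x running config."""
    findings = []
    nat_ids = {}         # nat-id -> source interface, from "nat (ifc) <id> ..."
    global_ids = set()   # ids seen in "global (ifc) <id> ..."
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"nat \((\S+)\) (\d+)", line)
        if m:
            nat_ids[int(m.group(2))] = m.group(1)
        m = re.match(r"global \((\S+)\) (\d+)", line)
        if m:
            global_ids.add(int(m.group(2)))
        # Management plane: telnet allowed from the outside is cleartext exposure.
        if re.match(r"telnet .* outside$", line):
            findings.append(("high", "telnet permitted on the outside interface: " + line))
        if line == "ssh version 1":
            findings.append(("medium", "SSH protocol version 1 enabled"))
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("high", "default SNMP community string: " + m.group(1)))
    # NAT plane: id 0 without an access-list is identity NAT (no translation), so the
    # upstream router must have a route back to the inside network; any other id
    # needs a global with the same id or nothing is translated.
    for nat_id, ifc in nat_ids.items():
        if nat_id == 0:
            findings.append(("info", f"nat ({ifc}) 0 is identity NAT: the upstream router must route the inside network back to the PIX"))
        elif nat_id not in global_ids:
            findings.append(("high", f"nat ({ifc}) {nat_id} has no matching global statement; traffic will not translate"))
    for gid in sorted(global_ids - set(nat_ids)):
        findings.append(("medium", f"global id {gid} has no matching nat statement and is unused"))
    return findings
```

Running it on SAMPLE_CONFIG reports the unused global 1, the identity NAT on id 0, and the three management-plane findings; changing the nat line to id 1 clears both NAT findings.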

New Member

Re: PIX 515E

Thanks for the advice.

I found a routing issue as well. Things were getting out and not able to come back.

It's up and working now.

Thanks again, Dave