Thanks for the reply.

I have a straight through cable from the outside interface, into a hub. There is another cable from the hub to the router (straight thru). I can ping public IPs from the console of the firewall. I can also ping the PC on the inside interface from the firewall console, but the PC (on the inside) cannot ping public IPs.

Its possible that you are missing a route from your inside network to the outside. It looks like you are not passing network traffic to the gateway of the PIX. For example,

ip route inside_network network_mask gateway_ip

for example routing 192.168.1.0 network to the gateway of the internet

i.e. IP ROUTE 192.168.1.0 255.255.255.0 55.35.4.1

I hope this makes sense.

Might be good to post your config, guessing without a config or error message is very dificult.

example config:

ip address outside YOUR-PUB-IP-X 255.255.255.xxx

ip address inside 10.27.164.254 255.255.255.0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 RouterIP 1

Questions:

1.) Do you have access-lists, please post it ?

2.) Where are you doing the NAT on the PIX or on the Router ?

3.) Can you telnet to the outside router.

Note: If you want to ping to the Router from the PC you need to add an access-list.

Ping is not a stateful protocol. To allow pings from the inside to the outside interface you need to create an access-list. If you want to ping the same interface that you are physicly connected you need to configure the "icmp" command.

example:

See: Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

examples:

Traveroute

Microsoft:

access-group outside in interface outside

access-list outside permit icmp any host YourPublicIP unreachable

access-list outside permit icmp any host YourPublicIP time-exceeded

access-list outside permit icmp any host YourPublicIP echo-reply

And finaly after changing the NAT statement you need to reset the translation table otherwise this will not work.

clear xlate

Take also a look on this whitepaper:

Establishing Connectivity

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

sincerely

Patrick

Thanks for the replys. I do not have a route from the inside to the outside. I will apply that route to the gateway. If that doesn't work, I am going to assume that I need an access list.

I will post my progress here. Thanks.

I set up those ACLs exactly as they were posted, with both outside and inside interfaces as parameters with no luck. How can I view the running-config so I can post it here?

Connect the blue console cable and use a terminal emulation software to connect to the Cisco PIX console.

Set 9600/8/N/1

When you have the prompt type:

enable

write terminal => Display current configuration on the terminal.

sincerely

Patrick

My running-config:

PIX Version 5.3(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

names

access-list outside permit icmp any host MY.PUBLIC.IP unreachable

access-list outside permit icmp any host MY.PUBLIC.IP time-exceeded

access-list outside permit icmp any host MY.PUBLIC.IP echo-reply

access-list inside permit icmp any host MY.PUBLIC.IP echo-reply

access-list inside permit icmp any host MY.PUBLIC.IP time-exceeded

access-list inside permit icmp any host MY.PUBLIC.IP unreachable

logging on

no logging timestamp

no logging standby

no logging console

no logging monitor

no logging buffered

no logging trap

no logging history

logging facility 20

logging queue 512

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside IP.OF.OUTSIDE.INT 255.255.255.248

ip address inside 10.27.164.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

arp timeout 14400

access-group outside in interface outside

access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 MY.PUBLIC.IP 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

isakmp identity hostname

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:1822fe6c04d66d7d676575872736e2c4

: end

[OK]

1. the current acl inside is going to block all outbound traffic. since you've got the identical acl applied on the outside interface, there is no need to apply another one on the inside interface.

2. no nat/global. pix v6.x (or eariler) will not forward any traffic without nat/global statement.

e.g.

global (outside) 1 interface

nat (inside) 1 0 0

with the sample above, the pix will pat all outbound traffic by using the pix outside interface ip.

in case you don't want pix to perform nat/pat, then:

nat (inside) 0 0 0

Just go in enable mode and:

write erase

reload

sincerely

Patrick

I very much appreciate your post! It is indeed well thoughout and structured information, however, I need my connection to come from a router (T1 line), not a modem.