Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Help with initial 515E setup...

Hello, this is my first time working with a PIX, so I'm a little confused and frustrated with the setup of the PIX!

I'm trying to get traffic coming from the inside to be able to flow to the outside, but am unable to. I have an IP address on both the inside and the outside interfaces and can ping routers on both sides (the Internet gateway router and our internal router) but am not able to allow clients to access any external resources. I have the internal network setup on the inside interface (sec100) and the gateway router on the outside interface (sec0).

I don't want to use NAT (I'm already using PAT on our gateway router and have no need to translate the addresses at the firewall). I used the "static (inside,outside) x.x.x.x x.x.x.x netmask z.z.z.z" command where x.x.x.x is our internal address space and z.z.z.z is the internal network's subnet mask. To test the firewall (without taking out our existing firewall and shutting down our live network), I set my notebook up to be on the same subnet as the internal (inside) interface and set the default gateway on my notebook to the firewall. The firewall can ping my notebook and stuff on the internet (it's connected fine). When I try to ping from my notebook to an IP address on the internet (that I know I get a response from), I just get timeouts. It's like it's blocking the traffic and won't let it go through. I don't receive any "deny" messages on my syslog server when I try the ping. I do get "Oct 16 2002 13:32:12: %PIX-6-305002: Translation built for gaddr y.y.y.y (my notebook IP) to laddr y.y.y.y".

Any help that you could recommend would be most helpful and appreciated!


Re: Help with initial 515E setup...

Have you set the nat command to disable translation (ie disable nat):

nat (inside) 0 0 0


access-list all-ip-packet permit ip 0 0 0 0

nat (inside) 0 access-list all-ip-packet

Hope it helps.