Cisco Support Community

New Member

Need Help Configuring Pix515E

I'm testing with my laptop behind the Pix and I can't browse the web or ping anything on the outside.

Outside IP of Pix is netmask

Inside IP is netmask

DHCP is enabled from

static route outside 1

Any help getting this to work is appreciated.


Attached the Configuration

Building configuration...

: Saved


PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password PW5/XtguiShnqfUP encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname fw1


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


name FW1

access-list outside_access_in deny ip any any

access-list inside_access_in permit ip any any

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside FW1

ip address inside

ip address intf2

ip audit info action alarm

ip audit attack action alarm

pdm location inside

pdm location FW1 outside

pdm location outside

pdm history enable

arp timeout 14400

nat (inside) 0 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http outside

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

dhcpd address inside

dhcpd dns

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain

dhcpd auto_config outside

dhcpd enable inside

terminal width 80


: end



Re: Need Help Configuring Pix515E

I see two problems right off.

#1. NAT: If you want to get to the Internet, you'll need to NAT your IPs to something public. Your [nat inside (0)] statement tells the Pix not to NAT traffic for the network. Instead, replace it with something like

nat (inside) 1

Now add a global statement to NAT the traffic to something public. You can use the Pix's outside interface if you would like.

global (outside) 1 interface

#2. ACLs: Your two access-lists don't actually accomplish anything, as they are both the Pix's behavior by default. That is, allow all traffic on the inside interface going out and deny all traffic on the outside interface coming in. So just remove the inside interface ACL altogether and replace the outside ACL with something like this.

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

access-group outside_access_in in interface outside

The Pix does not do stateful inspection of ICMP traffic. Therefore, this access-list allows responses to ping requests from hosts on the outside to hosts on the inside. It will also allow ICMP unreachables in. The time-exceeded will permit traceroute to work going out to the Internet. It should be noted that using this ACL will not allow hosts on the Internet to ping your hosts on the inside.

All other traffic started on the inside going out will automagically be let back in by the Pix due to its stateful inspection of the packets.
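
Added example, not part of the original reply and not Cisco tooling: a small Python check that flags the two problems named in the answer above (a `nat` id of 0 or a `nat` id with no matching `global`, and an applied ACL that only restates the default). The sample configs are constructed from lines quoted in this thread; the `1 0 0` in `FIXED` is an assumption, since the page omits the address after `nat (inside) 1`.

```python
import re

# Constructed samples: NAT/ACL lines from the posted config, then the reply's fix.
# "1 0 0" in FIXED is an assumption; the page omits what follows "nat (inside) 1".
POSTED = """\
access-list outside_access_in deny ip any any
access-list inside_access_in permit ip any any
nat (inside) 0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""
FIXED = """\
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
nat (inside) 1 0 0
global (outside) 1 interface
access-group outside_access_in in interface outside
"""

# What the reply describes as the Pix's behaviour when no ACL is applied.
DEFAULT_RULE = {"outside": "deny ip any any", "inside": "permit ip any any"}

def audit(config):
    """Return findings for the NAT and ACL problems described in the reply."""
    nats, global_ids, acls, groups = [], set(), {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"nat \((\S+)\) (\d+)\s", line):
            nats.append((m.group(1), int(m.group(2))))
        elif m := re.match(r"global \((\S+)\) (\d+)\s", line):
            global_ids.add(int(m.group(2)))
        elif m := re.match(r"access-list (\S+) (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups[m.group(2)] = m.group(1)
    findings = []
    for ifname, nat_id in nats:
        if nat_id == 0:
            findings.append(f"nat ({ifname}) 0: traffic is not translated")
        elif nat_id not in global_ids:
            findings.append(f"nat ({ifname}) {nat_id}: no matching global")
    for ifname, acl in groups.items():
        if acls.get(acl) == [DEFAULT_RULE.get(ifname)]:
            findings.append(f"{acl}: only restates the default on {ifname}")
    return findings

if __name__ == "__main__":
    print(audit(POSTED), audit(FIXED))
```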


New Member

Re: Need Help Configuring Pix515E

Thanks for the help Shannon, got it to work.

First time I ever touched a firewall. Thanks for the quick response.

