
New Member

Newbie Needs help configuring 506e

I'm trying to configure a 506e for a relatively simple scenario, and just can't seem to get it. I have an existing IP block ,, I would like to give the 506e the last 4 IPs, permit egress, map one or two of the IPs to static internal IP address, and let only a few TCP ports in.

To do this, I did the following:

interface ethernet0 10full

interface ethernet1 10full

nameif ethernet1 outside sec0

nameif ethernet1 inside sec100

ip address outside 67.43.x.x.255.255.240

ip address inside

static (inside,outside) 67.43.x.x.168.1.11 netmask 0 0

access-list acl_outsidein permit tcp any host eq 80

access-group acl_outsidein in interface outside

My reading of all the manuals is that this will map the (outside) ip 67.x.167.44 to the (inside) ip, and that it will permit (only) http access from the outside to

It doesn't do this, i.e. from my little test subnet (, to which the 506e is connected, when I try to access from a web browser, I get no response. ( From within my, subnet, when I go to I get the site )

I tried adding

access-list acl_insideout ip any any

access-group acl_insideout in interface inside

but this made no change.

What am I missing?


Re: Newbie Needs help configuring 506e


Do this...

access-list acl_outsidein permit tcp any host eq www

access-group acl_outsidein in interface outside

static (inside,outside) tcp www www netmask 0 0

Issue: clear xlate and save with: write mem

Now when you try to access your web server on port 80, you'll be mapped to your internal web server on

You don't need any ACLs on your inside interface unless you are filtering your inside hosts!!

Hope this helps and please rate post if it does!


New Member

Re: Newbie Needs help configuring 506e

You should change this line:

access-list acl_outsidein permit tcp any host eq 80


access-list acl_outsidein permit tcp any host eq 80

Also, you may have trouble testing from Try an unused address within the same subnet assigned to your outside interface.

New Member

Re: Newbie Needs help configuring 506e

Sorry for the typo in the post, but your suggestion was what I really did. The following is the current configuration, which differs somewhat from my original post. Basically, I just have the one IP configured for the PIX, and I let all IP traffic in

The current status is:

CGIPix1(config)# show ip

System IP Addresses:

ip address outside

ip address inside

Current IP Addresses:

ip address outside

ip address inside

CGIPix1(config)# show static

static (inside,outside) netmask 0 0

CGIPix1(config)# show access-list acl_insideout

access-list acl_insideout; 1 elements

access-list acl_insideout line 1 permit ip any any (hitcnt=0)

CGIPix1(config)# show access-list acl_outsidein

access-list acl_outsidein; 2 elements

access-list acl_outsidein line 1 permit tcp any host eq www (hitcnt


access-list acl_outsidein line 2 permit ip any host (hitcnt=0)


New Member

Re: Newbie Needs help configuring 506e

Are you really using a subnet mask of on the outside interface?

New Member

Re: Newbie Needs help configuring 506e

I thought I started a new thread addressing this question but it seems to have been lost.

I think that's my real problem, that I'm not configuring the outside interface correctly. I had used to restrict the firewall to listening to only that 1 IP, which is not what I really want. My real-life situation is that I have an existing 16 IP subnet to which I want to add the 506, with a new server sitting behind the firewall, and leave the existing server exposed, listening to some of the IPs in my existing block. I want to eventually migrate the exposed server to be behind the firewall. An additional factor is that all of this will be done in a CoLo situation, so I'm trying to create a test subnet here to configure everything before I ship it out.

Say my existing ip block is, When I configure my 506, how do I assign the outside IP address if I just want to use, e.g., - as the IPs the firewall will listen on, while - are used by an existing server which will not be behind the firewall

If I assign the entire 16 IP subnet to the outside, but only have static assignments for the 5 IPs I want to use on the firewall, which device listens on the first 10 IPs, my existing server or the 506? Do I need a complete, and new, subnet for the firewall?

I thought I had a correct ( test ) configuration with some modifications ( I was using an entire class C subnet (, as my test scenario, and was assigning the firewall the subnet of 192.168.0,241, this worked well, but some local computers, but not all, couldn't get out).

Any insight would be greatly appreciated.

New Member

Re: Newbie Needs help configuring 506e

I agree, your outside interface configuration is the problem. You should not need a new subnet, because the pix will proxy-arp for the hosts configured in your static nat translations.

Here's what I would do:

ip address inside

ip address outside

static (inside,outside) netmask

access-list inFromOutside permit tcp any host eq 80

access-group inFromOutside in interface outside

At this point the servers( - with a subnet mask of plugged into the outside interface should be able to connect to on port 80.

If you want all hosts on the inside to get out, I would add this:

nat (inside) 1

global (outside) 1 interface
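
Added example, not part of the thread or of any Cisco tooling: a small Python audit of the three things the replies above check, namely the outside interface mask, whether each static global address sits inside the outside subnet (so the PIX can proxy-ARP for it), and whether the outside ACL names the global address rather than the inside one. It assumes PIX 6.x semantics; the `audit` helper and every address in the sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: RFC 5737 documentation addresses stand in for the public
# block; none of these values come from the thread.
SAMPLE_CONFIG = """\
ip address outside 192.0.2.14 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) 192.0.2.12 192.168.1.11 netmask 255.255.255.255 0 0
access-list acl_outsidein permit tcp any host 192.0.2.12 eq www
access-list acl_outsidein permit tcp any host 192.168.1.11 eq www
access-group acl_outsidein in interface outside
"""

def audit(config):
    """Return findings for a PIX 6.x style config (hypothetical helper)."""
    findings, outside = [], None
    global_addrs, inside_hosts = set(), set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "address", "outside"] and len(tok) == 5:
            outside = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
            if outside.network.prefixlen == 32:
                findings.append("outside interface uses a host mask")
        elif tok[:2] == ["static", "(inside,outside)"] and len(tok) >= 6:
            # Port-redirect form: static (...) tcp <global> <port> <local> <port>
            g, l = (tok[3], tok[5]) if tok[2] in ("tcp", "udp") else (tok[2], tok[3])
            inside_hosts.add(ipaddress.ip_address(l))
            if g != "interface":
                global_addrs.add(ipaddress.ip_address(g))
    for g in sorted(global_addrs):
        if outside and g not in outside.network:
            findings.append(f"static global {g} is not in {outside.network}")
    # Only ACLs bound inbound on the outside interface are checked.
    bound = set(re.findall(r"^access-group (\S+) in interface outside", config, re.M))
    for name, host in re.findall(r"^access-list (\S+) permit \S+ any host (\S+)", config, re.M):
        dst = ipaddress.ip_address(host)
        if name not in bound:
            continue
        if dst in inside_hosts:
            findings.append(f"{name}: {dst} is an inside address, use the global one")
        elif dst not in global_addrs and not (outside and dst == outside.ip):
            findings.append(f"{name}: {dst} has no static translation")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```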