Cisco Support Community

New Member

PIX 501 interconnectivity

My problem is that the inside and outside networks defined are working fine, but independently. Although from the PIX console there is a response from either side, there is no response to a machine on the inside network from outside. Please, someone help in this regard. An early response is anticipated.

The existing config goes like this:

: Saved


fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


object-group network inside


object-group network in


object-group network out


access-list inside_access_in permit tcp interface inside interface outside

access-list acl_outbound permit ip any any

access-list acl_outbound permit tcp any any

access-list outside permit icmp any any

access-list outside permit ip any any

access-list inside permit icmp any any

access-list inside permit ip any any

access-list outbound permit tcp any host

access-list outbound permit icmp any host

access-list inbound permit tcp any host eq www

pager lines 40

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm location inside

pdm group inside inside

pdm group in inside

pdm group out outside

pdm history enable

arp timeout 14400

global (outside) 10 interface

global (inside) 50 192.x.2.10- netmask

nat (inside) 50 192.x.2.0 0 0

nat (inside) 10 0 0

static (inside,outside) netmask 0 0

access-group outside in interface outside

access-group inside_access_in in interface inside

route outside 1

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt noproxyarp outside

telnet inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80


: end

2.x is the internal network and 1.x is the outside network.

New Member

Re: PIX 501 interconnectivity

"there is no response to a machine on the inside network from outside."

Well, I don't see it in the config, but if you have not changed it, the outside interface by default has security of 0 and inside has 100.

That means, thanks to the ASA (Adaptive Security Algorithm), any interface with a high security level can communicate with a low security level, but not the other way around.

Right now there will be no response because you are doing only NAT.

To get an inside machine to respond to requests from outside, you need to create a static translation.


static (inside,outside) tcp ftp-data ftp-data netmask

This static command will allow any ftp-data request made on the outside interface to be forwarded to interface inside ip port 20.

Also keep in mind to add an access-list for that to happen, because the outside interface does not accept anything from outside.

In case you want to open the outside to receive requests for the static above, you do:


access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ftp-data
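
An added example, not part of the original thread: a Python check for the three pieces the reply describes (a static translation, an access-list entry, and an access-group that binds the list to the outside interface), which also flags a bound list that permits ip any any. The sample config is constructed in PIX 6.x syntax with a documentation address, and `audit` and its finding strings are hypothetical names used only here.

```python
import re

# Constructed sample (not the poster's real config): the thread's ACL names,
# PIX 6.x syntax, and a documentation address in place of the stripped IPs.
SAMPLE = """\
access-list outside permit ip any any
access-list OUTSIDE_TO_INSIDE permit tcp any interface outside eq ftp-data
static (inside,outside) tcp interface ftp-data 192.0.2.10 ftp-data netmask 255.255.255.255 0 0
access-group outside in interface outside
"""

def audit(config: str) -> list[str]:
    """Report gaps between static translations, ACLs and access-group bindings."""
    acls, bound, statics, findings = {}, {}, [], []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and len(tok) > 2:
            # Ignore the optional 'extended' keyword so both ACL spellings parse.
            entry = [t for t in tok[2:] if t != "extended"]
            acls.setdefault(tok[1], []).append(entry)
        elif tok[0] == "access-group" and len(tok) == 5 and tok[2:4] == ["in", "interface"]:
            bound[tok[4]] = tok[1]          # interface name -> ACL name
        elif tok[0] == "static" and len(tok) > 1:
            m = re.fullmatch(r"\((\w+),(\w+)\)", tok[1])
            if m:
                statics.append(m.groups())  # (real interface, mapped interface)
    for real_if, mapped_if in statics:
        if mapped_if not in bound:
            findings.append(f"static ({real_if},{mapped_if}) but no access-group on {mapped_if}")
    for name in acls:
        if name not in bound.values():
            findings.append(f"access-list {name} is not bound by any access-group")
    for ifname, name in bound.items():
        if name not in acls:
            findings.append(f"access-group on {ifname} references undefined access-list {name}")
        for entry in acls.get(name, []):
            if entry[:4] == ["permit", "ip", "any", "any"]:
                findings.append(f"access-list {name} on {ifname} permits ip any any")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the constructed sample it reports that OUTSIDE_TO_INSIDE is defined but never bound, and that the list actually bound to the outside interface permits all IP traffic.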