PIX 501 with DSL MODEM for internet connection


This is the first time that I configured PIX! Please help me.

I configured PIX 501. All the PCs in the network cannot access the internet (gateway is the outside IP address of PIX).

Here's the config:

KAJIMA# sh conf

: Saved


PIX Version 6.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname KAJIMA


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


access-list devping permit icmp any any

access-list devping permit ip host any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm location inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0 0

static (inside,outside) netmask 0 0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80


I'll accept any additional parameters for my initial configuration.

Thanks in advance



Re: PIX 501 with DSL MODEM for internet connection

The default gateway on the PC must be on the same subnet, i.e., if the PC is 192.168.1.x, the default gateway on the PCs should be

Re: PIX 501 with DSL MODEM for internet connection


The default gateway of your PCs should point to the INSIDE IP address of the PIX (not the outside address).

Also the pix needs a default gateway. You should use the 'route' command to do this:

route outside ip_address_of_default_gateway

I also ran the config through the Cisco Output Interpreter tool and got these results:


DISCLAIMER: This tool is provided as is and no guarantees are provided. The tool

may make suggestions to improve the security/performance of the PIX Firewall.

Any proposed changes to the configuration should be researched thoroughly and

tested in a lab environment if possible, and should be consistent with any

security policy you have in place. If you are still having problems, you should

contact a Cisco TAC engineer.


WARNING: The enable password has not been set.

TRY THIS: Set the enable password with the 'enable password' configuration


WARNING: A User level password (for TELNET access etc.) has not been set.

TRY THIS: Set the User level password with the 'passwd' configuration command.

WARNING: Make sure that you do NOT use 'cisco' as a password for access or

enable passwords.

TRY THIS: Set the regular password with the 'passwd' configuration command. Set

the enable password with the 'enable password' configuration command.

WARNING: The following 'static' statements do not appear to have a corresponding

'conduit' or 'access-list/access-group' pair:

static (inside,outside) netmask 0 0

TRY THIS: Check that you require these static statements, and if so, consider

configuring an access-list/access-group pair (or conduit) for these statics.

WARNING: You have access-lists defined that are not applied in the configuration

with an 'access-group', 'crypto map', 'crypto dynamic-map', 'vpngroup {name}

split-tunnel' 'nat 0', 'aaa accounting match', 'aaa authentication match', or

'aaa authorization match' command:

access-list devping permit icmp any any

access-list devping permit ip host any

TRY THIS: Make sure that these access-lists are required in your configuration.

(e.g. used for RADIUS authorization)

INFO: The following static statements reference an IP address that do not belong

to the same subnet as the referenced interface:

'static (inside, outside) netmask'

references 'outside'

TRY THIS: If there is a router connected to the reference interface, it will

require static routes to the PIX for any non-connected subnet addresses.

INFO: Your 'Xlate' timeout is greater than 1 hour. The xlate timeout determines

the idle time until a translation slot is freed. You may increase system

performance by setting this timer to 1 hour with the configuration command,

'timeout xlate 1:00:00'.

Kind Regards,



Re: PIX 501 with DSL MODEM for internet connection

Hi, I didn't see a "route outside x.x.x.x" statement in your config. Could that be the problem? x.x.x.x is the address of your default destination, presumably your outside router's IP address.

Bruce MacDougall
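
The points raised in the replies above (no default route on the PIX, an access-list that is never applied, a static with no conduit or access-group, an xlate timeout over one hour) can be checked mechanically. The following Python sketch is an added example, not part of the original thread or any Cisco tool; the function name `audit`, the finding codes and the documentation-range addresses in the sample are assumptions, since the thread's own addresses were stripped.

```python
import re

# Constructed sample modelled on the posted PIX 6.1 config; addresses are
# documentation-range placeholders because the thread's own were stripped.
SAMPLE = """\
access-list devping permit icmp any any
ip address outside 192.0.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) 192.0.2.10 192.168.1.10 netmask 255.255.255.255 0 0
timeout xlate 3:00:00
"""

def audit(config):
    """Return a sorted list of finding codes for a PIX 6.x config text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = set()
    # Replies: the PIX itself needs a default route on the outside interface.
    if not any(re.match(r"route outside 0(\.0\.0\.0)? 0(\.0\.0\.0)? \S+", l) for l in lines):
        findings.add("no-default-route")
    # Interpreter: an access-list that no other command references is inert.
    acls = {l.split()[1] for l in lines if l.startswith("access-list ") and len(l.split()) > 1}
    others = [l.split() for l in lines if not l.startswith("access-list ")]
    for name in acls:
        if not any(name in words for words in others):
            findings.add("acl-unapplied:" + name)
    # Interpreter: a static needs a conduit or an applied ACL to admit traffic.
    has_static = any(l.startswith("static ") for l in lines)
    permits = any(l.startswith(("conduit ", "access-group ")) for l in lines)
    if has_static and not permits:
        findings.add("static-without-acl")
    # Interpreter: xlate idle timeout above one hour.
    for l in lines:
        m = re.match(r"timeout xlate (\d+):(\d+):(\d+)", l)
        if m:
            h, mi, s = map(int, m.groups())
            if h * 3600 + mi * 60 + s > 3600:
                findings.add("xlate-timeout-over-1h")
    return sorted(findings)

# Same sample with the reported items addressed (gateway address is assumed).
FIXED = SAMPLE.replace("timeout xlate 3:00:00", "timeout xlate 1:00:00") + (
    "access-group devping in interface outside\n"
    "route outside 0.0.0.0 0.0.0.0 192.0.2.1 1\n")

if __name__ == "__main__":
    print(audit(SAMPLE), audit(FIXED))
```

Whether an unapplied access-list should be bound with `access-group` or simply deleted is a policy decision; the check only reports that it currently has no effect.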