Cisco Support Community
Community Member

Pix 515E Outbound Configuration


I'm trying to setup a PIX 515E in the lab for learning .I've configured ether0 with IP address and ether1 with /24 . Ether0 Interface of Pix is connected with a PC having IP address of /24 using cross over cable and Ether1 Interface is connected with another PC , having IP address /24 using Cross cable. I'm trying to initiate a outbound connection from to the PC of ,but it does not work. I've created NAT & Global , no use. From this PC , I can't able to ping "outside "Interface address of PIX .From PIX , I can able to ping both the PC's connected to outside & Inside Interfaces.




Re: Pix 515E Outbound Configuration

Hi Raju,

If you use ping for test, you have to setup an accesslist on the outside interface which permits the returning ICMP-packets.

Remember there is no need to setup an access-list for responsepackets on outbound tcp and udp sessions. Reason for this difference is that PIX´s ASA (the statefull inspection mechanism) does not handle ICMP, but does handle other traffic.

So, when you setup your PIX like you described, ICMP won´t work, but other traffic will. Try to telnet or http to the outside and you will see that it works.

Hope this helps,


Community Member

Re: Pix 515E Outbound Configuration

cut-in-paste below in your pix then it will work.



access-list permit_out_in permit icmp host host

access-group permit_out_in in interface outside


static (i,o)

static (i,o)


route out 0 0


glo (out) 1

glo (out) 1 interface outside

nat (in) 1 0 0

logging on

logging con 7



Make sure you hosts PC have their gateways set correctly. PC1 should have a gateway of the outside interface of the pix. PC2 should have a gateway of the inside PIX.

From the PIX do this:

pix(config)# clear xlate

pix# ping out

you should be getting a reply. Then:

pix# ping in

you should be getting a reply.

Ping the inside interface of the pix from PC2.

you should be getting a reply.

Now goto PC1 on the outside interface and in dos ping

you should get a reply.

This is one way of doing it. You may need to use another way for your final config depending on how many global addrs you have.

If for some reason you can not ping use debug icmp trace to see where the packet is going.

pix(config)# debug icmp trace


Community Member

Re: Pix 515E Outbound Configuration

Thanks Jeff . It works .


CreatePlease to create content