Cisco Support Community
New Member

PIX 520 configure list, pls help me troubleshoot

With this config, I can't ping.

The debug trace indicates: >>

How can I direct the traffic to go to the DMZ and not to the outside?

Following is my PIX 520 6.0(1) config list:

: Saved


PIX Version 6.0(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password --moderator edit-- encrypted

passwd --moderator edit-- encrypted

hostname Pix

domain-name Pix

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


pager lines 24

no logging on

logging timestamp

logging console debugging

logging monitor debugging

logging buffered debugging

logging trap debugging

logging history debugging

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside

ip address inside

ip address dmz

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside

failover ip address inside

failover ip address dmz

pdm history enable

arp dmz 0004.c13a.5080 alias

arp timeout 90

global (outside) 1

global (dmz) 1 netmask

nat (inside) 1 0 0

nat (dmz) 1 0 0

alias (inside)

static (dmz,outside) netmask 0 0

conduit permit icmp any any

conduit permit tcp host eq www any

conduit permit tcp host eq pop3 any

conduit permit tcp host eq smtp any

conduit permit tcp host eq domain any

route outside 2

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt noproxyarp dmz

no sysopt route dnat

telnet inside

telnet timeout 30

ssh timeout 5

terminal width 80


New Member

Re: PIX 520 configure list, pls help me troubleshoot

Is there any reason your inside hosts can’t appear on the DMZ with their own addresses instead of the PAT assigned global? Try this if you can:

no global (dmz) 1 netmask

static (inside,dmz) netmask

wr mem


Remember, anytime you add, change or delete a nat and/or global, it is best to wr mem/reload on the PIX. Now, test your ping again with debug running. Let me know if that helps.
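
An added example, not part of the original thread: on PIX 6.x, traffic started from a higher-security interface toward a lower one needs a translation, either a nat id with a matching global on the destination interface or a static. This sketch checks which interface pairs have one before and after the change suggested in the reply. The addresses are constructed (the thread's own addresses are not shown) and `translation_paths` is a hypothetical helper name.

```python
import re

# Constructed PIX 6.x sample; every address below is made up for this example.
BEFORE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
global (outside) 1 192.0.2.10
global (dmz) 1 172.16.1.200 netmask 255.255.255.0
nat (inside) 1 0 0
nat (dmz) 1 0 0
"""
# Only the first step of the reply: the dmz PAT global is removed.
NO_GLOBAL = BEFORE.replace("global (dmz) 1 172.16.1.200 netmask 255.255.255.0\n", "")
# Both steps: inside hosts then appear on the dmz with their own addresses.
AFTER = NO_GLOBAL + "static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0\n"


def translation_paths(config):
    """Map each (higher, lower) security interface pair to the translations
    that let traffic start from the higher side (hypothetical helper)."""
    level, nat, glob, paths = {}, {}, {}, {}
    for line in config.splitlines():
        if m := re.match(r"nameif \S+ (\w+) security(\d+)", line):
            level[m[1]] = int(m[2])
        elif m := re.match(r"nat \((\w+)\) (\d+)\b", line):
            nat.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"global \((\w+)\) (\d+)\b", line):
            glob.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line):
            # Syntax: static (real_if,mapped_if) mapped_ip real_ip
            kind = "identity static" if m[3] == m[4] else "static"
            paths.setdefault((m[1], m[2]), []).append(f"{kind} {m[4]}")
    for src, dst in ((s, d) for s in level for d in level if level[s] > level[d]):
        # nat id 0 means "do not translate" and needs no matching global.
        ids = (nat.get(src, set()) & glob.get(dst, set())) - {"0"}
        found = [f"nat/global {i}" for i in sorted(ids)]
        if "0" in nat.get(src, set()):
            found.append("nat 0")
        if found:
            paths.setdefault((src, dst), []).extend(found)
    return paths


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("global removed", NO_GLOBAL), ("after", AFTER)):
        print(name, translation_paths(cfg))
```

The "global removed" case has no inside-to-dmz entry, which is why the reply pairs the `no global (dmz)` line with the `static (inside,dmz)` line.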