PIX 520 with 3 Interface Cards

Hi There!

On a PIX 520, I have three interface cards.

OUTSIDE -- Connected to our ISP
INSIDE -- A private network
PRN (DMZ) -- Another firm's (FIRM X) private network

I have a conduit established from the OUTSIDE to a server INSIDE at to support www and 443 port access. Works great!

I can further access the server from the PRN (DMZ) mini-network from a client PC I established at a static address of I used another conduit statement (see below) to provide this access for ports 80 and 443. Works great!

Now my problem: I have a remote tester on FIRM X's private network working from a terminal address He tries to access the server via port 443, but he gets no response. I *do* see his request in the PIX firewall log like this:

<190>%PIX-6-302001: Built inbound TCP connection 358446 for faddr gaddr laddr

<190>%PIX-6-302002: Teardown TCP connection 358552 faddr gaddr laddr duration 1:00:40 bytes 0 (Conn-timeout)

So basically, he makes it in but gets no response (timeout).

Further, looking at my server log, I don't see his request hitting my default web page. (I'm not totally sure of this, but this is my current understanding.)

I've posted my configuration (abbreviated) below. Can anyone see why my tester is having access problems while I can access the server through the firewall from my test machine? I'm concerned that my global statement for the PRN does not specify a range (I won't have any internal communications initiated from the network to the 56.x.x.x world), that I'm not fully specifying the limited subnet of the PRN (DMZ) network, and that I have a single "route outside" statement (although the PIX instructions indicate that you should have only one route outside statement if you have more than 2 interface cards).

I'm over my head! Can anyone help me?



nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 prn security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol http 443
no fixup protocol rsh 514
no fixup protocol h323 1720

interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
mtu outside 1500
mtu inside 1500
mtu prn 1500
ip address outside
ip address inside
ip address prn
global (outside) 1
global (prn) 1
nat (inside) 0 access-list 101
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
static (inside,prn) netmask 0 0
conduit permit tcp host eq 443 any
conduit permit tcp host eq www any
conduit permit tcp host eq www any
conduit permit tcp host eq 443 any
route outside 1
conduit permit icmp any any echo-reply

Re: PIX 520 with 3 Interface Cards

I think a route to is missing:

Your default route is:

route outside 1

and you should also have a route through the prn interface.
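The reply's diagnosis can be checked mechanically against a PIX-style config. The script below is an added example and is not code from either poster: it parses the `ip address` and `route` lines, then asks which interface the firewall would use to send replies back to a given client address. When that interface is not the one the client's SYN arrived on, the reply leaves by the wrong interface and the client sees exactly what the original post describes: a "Built inbound TCP connection" followed by a teardown with `bytes 0 (Conn-timeout)`. All addresses are constructed (RFC 5737 and RFC 1918 ranges, since the post has its real addresses removed), and it is an assumption that FIRM X's network is a separate subnet reached through a router on the prn segment rather than the prn interface's own subnet.

```python
"""Return-path check for a PIX config with more than two interfaces.

Added example, not the original poster's or the replier's code. It reports
which interface replies to a client address would be routed through; a
mismatch with the ingress interface means asymmetric routing and a timeout.
All addresses below are constructed.
"""
import ipaddress
import re

# Constructed abbreviation of the poster's layout: three interfaces and a
# single default route out the outside interface. The FIRM X tester is
# assumed to sit on 172.16.20.0/24 behind a router at 192.168.50.2 on the
# prn segment; the PIX itself has no idea that network exists.
PIX_CONFIG_NO_PRN_ROUTE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 prn security50
ip address outside 203.0.113.10 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address prn 192.168.50.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

# The same config with the route the reply says is missing (constructed).
PIX_CONFIG_WITH_PRN_ROUTE = (
    PIX_CONFIG_NO_PRN_ROUTE
    + "route prn 172.16.20.0 255.255.255.0 192.168.50.2 1\n"
)

_IP_ADDR = re.compile(r"^ip address (\S+) (\S+) (\S+)\s*$")
_ROUTE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?\s*$")


def parse_routing_table(config_text):
    """Return a list of (network, interface) pairs.

    Directly connected subnets come from 'ip address' lines; everything
    else comes from 'route' lines. Metric and gateway are not needed to
    decide the egress interface, so they are ignored here.
    """
    table = []
    for line in config_text.splitlines():
        line = line.strip()
        m = _IP_ADDR.match(line)
        if m:
            iface, addr, mask = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            table.append((net, iface))
            continue
        m = _ROUTE.match(line)
        if m:
            iface, net, mask = m.group(1), m.group(2), m.group(3)
            table.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), iface))
    return table


def return_path_interface(config_text, client_ip):
    """Longest-prefix match: the interface replies to client_ip leave through."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, iface in parse_routing_table(config_text):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_return_path(config_text, client_ip, ingress_iface):
    """True when replies to client_ip go back out the interface it came in on."""
    return return_path_interface(config_text, client_ip) == ingress_iface


if __name__ == "__main__":
    tester = "172.16.20.5"  # constructed FIRM X tester address
    for label, cfg in (("without prn route", PIX_CONFIG_NO_PRN_ROUTE),
                       ("with prn route", PIX_CONFIG_WITH_PRN_ROUTE)):
        egress = return_path_interface(cfg, tester)
        ok = check_return_path(cfg, tester, "prn")
        print(f"{label}: replies to {tester} leave via {egress} -> "
              f"{'OK' if ok else 'ASYMMETRIC (expect Conn-timeout)'}")
```

With only the default route, replies to the tester match `0.0.0.0/0` and are sent out the outside interface, so the SYN-ACK never reaches FIRM X's network; adding a `route prn` for that subnet makes the longest-prefix match pick prn instead. The poster's own test PC is on the prn interface's directly connected subnet, which is why it worked without any extra route.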


