Cisco Support Community

New Member

PIX Config problems.

So I am configuring my PIX 506E through PDM and am having problems getting the rules to work properly.

What I really need is an example config of how it should look, blocking inbound ports and some outbound ports. I have tried many variations and have yet to nail the config. RTFM, done it, and it seems that the manual and the actual way it works are different.

Chances are that I am just missing something.

Any help on this is much appreciated.

Cisco Employee

Re: PIX Config problems.


You need to be specific about what you are looking for. There is a lot of stuff, in fact entire configs, that can be done with PDM. Basically the online guide is the only one available.

Let us know what rules you are saying you are having problems with.



New Member

Re: PIX Config problems.

Okay, sorry for not being more specific. I am setting the PIX up in a test lab, for the time being. Eventually it will be deployed to the Corp. network but we have testing to do first.

The Test: Set up the firewall to allow normal connections out (http, FTP, PC-anywhere, etc...) and restrict access back in. After that I have to start blocking streaming media in; my web guys are going to try to hack it so they can get the media past most firewalls (our company lives off streaming media purchased by other companies, and we have problems every now and then with their firewalls, thus the test).

After these tests, the PIX will serve as our company firewall with normal access to mail and whatnot (web, etc...).

I read through the manual and it seems I have everything set up right, but it fails my tests (i.e. I tested a block on outbound http port 80), yet the web traffic still gets through. (inside PIX) --> (corporate net) --> I-net.

Re: PIX Config problems.


Could you please post the config of the PIX and specify what is not working? Please remove the passwords and public IP addresses.

Please specify the protocols (tcp/udp/ports) that you need to allow.


New Member

Re: PIX Config problems.

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname xxxxxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
name xxxxx
name ExternalGateway
object-group service allftp tcp
  description this covers ftp and ftp-data ports.
  port-object eq ftp
  port-object eq ftp-data
access-list outside_access_in remark ICMP Allow.
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-list inside_access_in deny tcp eq www any eq www
access-list inside_access_in permit ip any any
access-list inside_access_in remark AOL IM Allow
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location outside
pdm location outside
pdm location outside
pdm location xxxxxxxxxx 255.255.255.255 outside
pdm location ExternalGateway outside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 99 netmask
global (inside) 1
nat (inside) 0 0 0
nat (inside) 1 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside ExternalGateway 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http outside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside /tftp/ppgc-nh
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
: end


Okay, so this is weird. I looked through this config and I have rules there that are long gone... PDM doesn't show the AOL IM rule anymore...

See attached screenshot of PDM.

Note that I am simply trying to test how rules are set up so I can make my final config. I have tried several different variations of this but my interpretations of the manual say it is supposed to look like this:
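The inside ACL's deny line in the config above carries `eq www` on both sides, so it only matches connections whose source port is also 80; a browser's outbound connection uses an ephemeral source port, falls through to `permit ip any any`, and gets out. The following is an added example, not code from this thread or from Cisco: a toy first-match evaluator for PIX 6.3 extended access-list lines run over the posted inside rules. The source keyword `any` (missing from the pasted line), the client and server addresses, and the corrected rule are assumptions.

```python
# Added example (not from the thread): a toy evaluator for PIX 6.3 extended access-list
# lines, showing why a deny that also pins the SOURCE port to www never matches a browser.
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20}  # subset of the PIX port names

def _addr(tokens):
    """Consume one address spec (any | A.B.C.D MASK) from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    return ip_network(f"{t}/{tokens.pop(0)}", strict=False)  # address + dotted mask

def _port(tokens):
    """Consume an optional 'eq PORT' operator; None means any port."""
    if tokens and tokens[0] == "eq":
        _, name = tokens.pop(0), tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None

def parse_acl(lines, name):
    """Ordered (action, proto, src, sport, dst, dport) tuples of one named ACL."""
    rules = []
    for tok in (line.split() for line in lines):
        if tok[:2] != ["access-list", name] or tok[2] == "remark":
            continue  # other ACLs and remark lines play no part in matching
        rest = tok[4:]  # consumed left to right: src [eq port] dst [eq port]
        rules.append((tok[2], tok[3], _addr(rest), _port(rest), _addr(rest), _port(rest)))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching rule wins; the PIX denies a flow that matches no rule."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in ("ip", proto) and ip_address(src) in rsrc
                and ip_address(dst) in rdst and rsport in (None, sport)
                and rdport in (None, dport)):
            return action
    return "deny"

# Constructed rule sets: the posted inside ACL with its pasted-away source keyword assumed
# to be 'any', and a corrected version that pins only the destination port.
PERMIT_ALL = "access-list inside_access_in permit ip any any"
POSTED = ["access-list inside_access_in deny tcp any eq www any eq www", PERMIT_ALL]
FIXED = ["access-list inside_access_in deny tcp any any eq www", PERMIT_ALL]
FLOW = ("tcp", "10.0.0.5", 40000, "203.0.113.10", 80)  # constructed: browser, ephemeral port

def verdicts():
    return (evaluate(parse_acl(POSTED, "inside_access_in"), *FLOW),
            evaluate(parse_acl(FIXED, "inside_access_in"), *FLOW))  # ('permit', 'deny')
```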

New Member

Re: PIX Config problems.

Attached screen.

Re: PIX Config problems.


If something is in the config that is no longer visible in the PDM, then I would recommend resetting the config. If you make changes to the configuration, I would strongly recommend that you use only the PDM or only the command line interface. Do not mix the PDM and the CLI. Some things you enter using the CLI may not be interpreted correctly by the PDM.

To reset the config:

write erase


Please connect a console cable after doing this. The PIX will start the configuration wizard after the commands above.

Kind Regards,

