Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX Configuration/Routing Problem

I work for a local ISP and am putting in a PIX firewall for the first time. It is going to go between the router on our backbone and a PC setup as a router. We got a small hub and my plan is to have the Ethernet address on the backbone router changed to and then the outside interface on the PIX to and plug those into the hub. The inside interface will go to our LAN in the office. The router in the office has an IP address of, but actually has a real IP but kept out for security reasons. (as well as the inside interface on the PIX) I am having a hard time understanding exactly how the PIX routes, we tried it with the configuration that is shown and it didnt work. I am sure i have several issues wrong with the config. Any help would be great! Thanks.

: Saved


PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

nameif ethernet3 intf3 security15

nameif ethernet4 intf4 security20

nameif ethernet5 intf5 security25

enable password Vc5SuIC5HTy5.dBK encrypted

passwd 2KFQnbNIdI.2KYOU encrypted


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside

ip address inside

ip address intf2

ip address intf3

ip address intf4

ip address intf5

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside

failover ip address inside

failover ip address intf2

failover ip address intf3

failover ip address intf4

failover ip address intf5

pdm history enable

arp timeout 14400

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80


: end


Re: PIX Configuration/Routing Problem

I don't see any "static" or "nat" statements on the configurations above.

For traffic to pass thru the pix you need to either:

a) enable NAT.; or

b) use static ip address mapping.

Note that with NAT enabled, you can still preserve the ip address by NAT'ing an ip address to itself (it sounds crazy, but it works).

I'd suggest that you enable NAT as follows:

global (outside) 1 10.10.10.x

nat (inside) 1 0 0

this way traffic will pass thru the pix and all inside hosts will share a single "ouside" ip address of 10.10.10.x

Also you might want to point the default route to the ouside interface:

instead of

route inside 1


route outside x.x.x.x

where x.x.x.x is the your internet gateway ip address assuming that private-to-public ip address translation is done along the path.



New Member

Re: PIX Configuration/Routing Problem

that inside route is supposed to say I really dont want to have to use NAT seeing as the inside network is already done with real IP's, that would be a lot of changing.


Re: PIX Configuration/Routing Problem

You can still do that (preserve the real ip's - no translation) by using "nat 0" statement:

nat (inside) 0

static (inside, outside) netmask

These two statements will allow 192.168.1.x hosts to establish connections to the outside thru pix (outside hosts can not establish connections to inside without proper access-lists).

Remember to use the "clear xlat" everytime you issue or modify an "static" statement (carefull: the command is disruptive to established connections).

New Member

Re: PIX Configuration/Routing Problem

There are several servers behind the PIX and people who dial-in will need to get through the pix for authentication. Would i just set up a simple access-list that i would do on a normal router?


Re: PIX Configuration/Routing Problem

The access-lists are similar to IOS routers'.

e.g: an access for inbound connections


access-list inbound_stuff permit tcp any host eq ftp

access-list inbound_stuff permit tcp any host eq www

access-list inbound_stuff permit tcp any host eq 100

access-list inbound_stuff permit icmp any any eq echo

access-list inbound_stuff permit icmp any any eq echo-reply

access-list inbound_stuff permit ip any host

access-group inbound_stuff in interface outside


The first 3 statements allow access to specific services and ports on some inside servers. Statements 4&5 allow outside hosts to ping any inside host. Statement 6 allows full access to (no firewalling - fixup rules apply)

The last statement applies the access list to inbound connections arriving at the outside interface.

I'd recommend going thru the pix command reference:

Also, PIX version 6.2 introduced object grouping

which - along with PDM software - greatly enhance access control configurations.

CreatePlease to create content