Cisco Support Community
Community Member

PIX Configuration

I have just started configuring the PIX Firewall.

But I am confused.

Here is the conf file.

PIX Version 6.2(2)
nameif ethernet0 backbone_251 security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
hostname dmg-fw
access-list 101 permit icmp any any
access-list 110 permit tcp host host eq smtp
access-list 111 permit tcp host host eq smtp
access-list 111 permit tcp host host eq smtp
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
interface ethernet3 10baset
interface ethernet4 10baset shutdown
interface ethernet5 10baset shutdown
mtu backbone_251 1500
ip address backbone_251
ip address inside
ip address intf2
ip address intf3
ip address intf4
ip address intf5
nat (inside) 0 0 0
static (intf3,backbone_251) netmask 0 0
static (intf3,intf2) netmask 0 0
static (intf2,backbone_251) netmask 0 0
static (inside,intf2) netmask 0 0
static (inside,intf3) netmask 0 0
access-group 101 in interface backbone_251
access-group 111 in interface intf2
access-group 110 in interface intf3
route backbone_251 1

But as soon as I apply access-list 110 in interface intf3, it obeys the rule

access-list 110 permit tcp host host eq smtp

but it closes the connections to the lower interface. For example, I can not browse from intf3. Now, should I add an access-list to permit it on the lower interface??

Please help me


Community Member

Re: PIX Configuration

Hi Ishwar,

To your question: yes, you must configure an access-list on the lower interface. The moment you use an access-list on an interface, you must specify all the rules to permit/deny any traffic passing through this interface.


Community Member

Re: PIX Configuration

Hi Ben,

Thanks a lot.

Now, is there any way to configure the PIX so that it does not affect the default behavior when I apply the rule for access to the higher interface, so that I do not have to add a long access-list again?


Community Member

Re: PIX Configuration

Unfortunately, an ACL affects the default behavior; either you use it or you don't. But, since your access-list only applies to the SMTP servers between inside and the DMZ, you can use "nat 0 access-list id" between those servers. The "nat 0 access-list id" is applied to the inside interface and leaves untouched incoming or outgoing traffic that matches the specified access-list. That way, I suppose you can simply remove your ACL 110 applied to intf3, to keep the default behavior (browsing), and permit traffic between your SMTP servers.

Hope this helps
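An added illustration of the first reply's point (an ACL bound to an interface replaces the security-level default, so it must list everything the interface may initiate) and of why a NAT exemption alone does not remove the need for that permit. This is not configuration from the poster or from Cisco; the addresses, subnets and the comment lines are constructed assumptions.

```cisco
: Added example (not the poster's config). PIX 6.2 syntax; every address below
: is a constructed placeholder. Assumed: mail relay 10.1.3.25 on intf3,
: inside mail server 10.1.1.25, inside subnet 10.1.1.0/24, intf3 subnet
: 10.1.3.0/24, with the poster's static (inside,intf3) translation in place.
:
: Once access-group binds an ACL to intf3, the security-level default
: (a higher level may initiate to a lower one) no longer applies to that
: interface: every packet arriving on intf3 is matched against the ACL, and
: anything not permitted is dropped by the implicit deny at the end. So the
: ACL has to carry both the exception (SMTP into the higher-security inside
: interface) and the traffic the levels used to allow (intf3 hosts browsing
: out via backbone_251 or reaching the lower-level intf2).
:
: Step 1. The one flow that needs an explicit permit in any case: lower -> higher.
access-list 110 permit tcp host 10.1.3.25 host 10.1.1.25 eq smtp
: Step 2. Block everything else from intf3 into the inside network.
access-list 110 deny ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
: Step 3. Restore the old default for lower-security destinations (browsing).
:         PIX ACLs take ordinary subnet masks, not IOS-style wildcard masks.
access-list 110 permit ip 10.1.3.0 255.255.255.0 any
access-group 110 in interface intf3
:
: A "nat (inside) 0 access-list <id>" exemption controls translation only; it
: does not by itself permit a connection initiated from the lower-security
: intf3 into inside, so the permit in step 1 is still required for the SMTP flow.
```

The deny in step 2 must stay above the broad permit in step 3, since the PIX stops at the first matching entry.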

