New Member

Pix configuration

I really need some help; I could not resolve this by myself.

I have connected a Cisco 3620 router to the Internet, and I am getting an IP address.

Pix 515 is also connected to the Router in one side and to a switch on the other side:


My problem is that my PC could not make a connection to the Internet:

I have tried NAT, global, and access-list, and I could not solve it.

Can anybody show me the right site, or give me a configuration which works?


New Member

Re: Pix configuration

Hi Said,

Here is basically what you need

Nat (inside) 1

Global (outside) 1 x.x.x.x (Public IP address or outside interface of Pix IP address)

Can you submit your config without private info?



New Member

Re: Pix configuration


It's very nice to get an answer. Here is my config:

pixfirewall(config)# sh conf

: Saved

: Written by enable_15 at 02:03:12.574 UTC Tue Oct 22 2002

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password ( password is removed )

passwd ( password is removed )

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


pager lines 24

logging on

logging buffered errors

logging trap notifications

interface ethernet0 100basetx

interface ethernet1 100basetx

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside dhcp

ip address inside

ip address intf2

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media


timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

<--- More --->

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

dhcpd lease 3000

dhcpd ping_timeout 750

dhcpd domain

dhcpd auto_config outside

terminal width 80



Don't I need to apply an access-list from outside to inside of the PIX?

Could you make changes in my config, so I can try your configuration?



Cisco Employee

Re: Pix configuration


To go from a higher security interface to a lower (inside to outside), you need a nat/global pair. Add the following to your config and see how you go:

nat (inside) 1

global (outside) 1 interface

This will NAT everything on the inside to your outside interface's IP address. You should be able to get out now. You don't specifically need an access-list since the PIX will automatically allow the returning traffic back in.

If you want traffic to originate from the outside and come into your network, then you need a static and an access-list.

PIX command reference is here:

New Member

Re: Pix configuration

Hi Glenn Fullager.

If I understand you, if I want traffic from inside to inside:

nat ( inside)

global ( outside) 1 interface ( not ip outside ip address: )

Traffic back is automatically allowed.

Originated traffic from traffic to my LAN:

static ( outside,inside ) x.x.x.x ,

access-list 110 permit tcp any any eq www.

access-group 110 in interface outside.

Is that the correct configuration for static and access-list?


New Member

Re: Pix configuration

Hi Said,

To recap this post:

Add this to your config for internal users to access Internet resources:

nat (inside) 1

global (outside) 1 interface - This will translate all of your internal IP addresses using the IP address of the outside interface. Return traffic is allowed back without further configuration.

Let's say you have a web server on your inside LAN at IP - Add this to your config to allow users from the Internet to access your web server.

Static (inside,outside) x.x.x.x netmask ( x.x.x.x is an IP address on your outside subnet.)

access-list 110 permit tcp any host eq www

access-group 110 in interface outside

Hope this helps.
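
The two rules recapped above (a nat needs a global with the same id; a static needs an access-list that is bound with access-group), as an added example that is not part of the original post: a small Python check over PIX 6.x style config text. The function names, the sample addresses and the interface name `outside` are assumptions for illustration.

```python
# Constructed sample config (documentation / RFC 1918 addresses), not from the thread.
GOOD = """nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) 192.0.2.10 192.168.1.10 netmask 255.255.255.255
access-list 110 permit tcp any host 192.0.2.10 eq www
access-group 110 in interface outside"""
# Same config with the global and access-group lines left out.
BROKEN = "\n".join(l for l in GOOD.splitlines() if not l.startswith(("global", "access-group")))

def _addr(tok, i):
    """Consume one address spec ('any', 'host A' or 'A MASK') starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2

def check_pix_config(text):
    """Return findings for missing nat/global or static/access-list/access-group pairs."""
    nats, globals_, statics, acl_dst, bound = set(), set(), [], {}, set()
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) >= 3 and tok[0] == "nat" and tok[2] != "0":  # nat 0 = no translation
            nats.add(tok[2])
        elif len(tok) >= 3 and tok[0] == "global":
            globals_.add(tok[2])
        elif len(tok) >= 4 and tok[0] == "static":
            statics.append(tok[2])            # mapped (outside) address of a host static
        elif len(tok) >= 6 and tok[0] == "access-list" and tok[2] == "permit":
            try:
                _, i = _addr(tok, 4)          # skip the source spec
                dst, _ = _addr(tok, i)        # destination spec
            except IndexError:
                continue                      # truncated line, ignore
            acl_dst.setdefault(tok[1], set()).add(dst)
        elif tok[:1] == ["access-group"] and tok[2:] == ["in", "interface", "outside"]:
            bound.add(tok[1])
    findings = [f"nat id {n}: no global with the same id, inside hosts are not translated"
                for n in sorted(nats - globals_)]
    for ip in statics:
        permits = {a for a, d in acl_dst.items() if ip in d or "any" in d}
        if not permits:
            findings.append(f"static {ip}: no access-list permits traffic to it")
        elif not permits & bound:
            findings.append(f"static {ip}: access-list {sorted(permits)} not bound with access-group")
    return findings
```

An access-list that permits to `any` satisfies the check but exposes every static on that interface to the permitted port; destinations given as address plus mask are not matched against the static here.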


New Member

Re: Pix configuration


Hope the config worked. If it still didn't work, try replacing this:

ip address outside dhcp


ip address outside x.x.x.x y.y.y.y

Best regards / Sampath

New Member

Re: Pix configuration


It works when I use only the PIX, directly connected to the Internet like this:


config # ip address outside dhcp.

config#nat 1 0 0

config #global 1 interface ( Outside interface is PAT )

config#route x.x.x.x ( x.x.x.x is default gateway of ISP)

But when I connect like this:


I could not use this configuration:

config#nat 1 0 0

config #global 1 interface ( outside interface is )

config#route x.x.x.x ( x.x.x.x is default gateway of ISP)

Internal IP address of Router and outside IP address of PIX are working is

Is that because my outside interface (PIX) has a non-routable IP address, so my LAN could not connect to the Internet?


It has nothing to do with global:

config#global 1 interface

config#global 1



New Member

Re: Pix configuration

Hi Said,

If you can connect directly to the Internet with your PIX, what are you using as the bridging device to translate your line to Ethernet? (e.g. DSL line - you would need a DSL modem/router to bridge the phone line to Ethernet.) Is your network at a colocation facility? You would be able to directly connect your PIX in that situation. If that is the case, you do not even need your router.

In regards to your question about the outside PIX interface being an RFC 1918 address, you are correct about needing it to be a valid public IP address.

2 questions:

1. When you connect directly to the Internet with the PIX, is the outside interface of the PIX If it is, your ISP should be doing some natting. If not, it will probably work but you are not supposed to route any 192.168.x.x address on the Internet and a lot of sites will block your traffic.

2. How is your network connected to the ISP - T1,DSL, ISDN?



New Member

Re: Pix configuration


I am sorry for the delay; I was out of Internet.

With your help I have managed to configure my PIX and router correctly.

Internet---Router---PIX---LAN and everything is well done. But outside users cannot make a connection with my LAN.

Do I need to configure my PIX with static and conduit, or do I have to use access-list?

To answer your question, I am using cable, 700/250 down/upload.


New Member

Re: Pix configuration

Dear Fellow

In order to make your inside servers accessible to the outside network for specific traffic, you have to make use of both static commands and access lists.

The static command will statically map the inside address to the corresponding outside IP address; that is called static NATing.

Access lists will allow only specific traffic to hit your server, so that the outside world can have only HTTP communication (for example) with your inside web server and nothing else.


Tahir Khan

Network Engineer

Sigma Systems International.

New Member

Re: Pix configuration

Hi,

Kindly have a look at the caveats for Cisco PIX 515.

If you have a PC which has a MAC address starting with 00-08, the PIX cannot communicate with it. This is an unresolved caveat.

Give it a shot.

Your requirements are relatively simple.

I hope you have put an access-group command to bind the access list to the interface.


Cisco Employee

Re: Pix configuration

This bug (CSCdt47829) is fixed in the following minimum versions:

6.1(4), 6.0(4) and 6.2(1)
