Cisco Support Community
New Member

PIX Firewall configuration

Dear All,

I need to have your suggestion on the following issue.

I have a PIX firewall installed. The inside interface address is /24

This pix inside is connected to the outside interface of ISA server. The ISA inside connected to the router eth0 interface. (ISA-Inside)- (router eth0)

The problem is I can ping all the lower interface ip being in network i.e. pix inside network, but I can not ping the same lower interfaces from the network which is behind ISA Firewall. Please note that the ISA acts as a bridge; all the ports are opened both in & out.

I used NAT (inside 0 0 0 0 0

also NAT (inside) 0 access-list no-nat with

access-list no-nat permit ip 172.18.10 any ---> NAT EXEMPTION


Please reply asap.




Re: PIX Firewall configuration

you mentioned, "but I can not ping the same lower interfaces from the network". just wondering if you are referring to the subnet that connected to the pix outside interface.

if so, then inbound acl is required for echo response on the pix. the reason being pix by default doesn't perform stateful inspection on icmp.

e.g. one way is to configure inbound acl

access-list 100 permit icmp any any echo-reply

access-group 100 in interface outside

New Member

Re: PIX Firewall configuration


The network is behind ISA server. I can explain that the ISA server is between the PIX firewall and the network. ISA inside NIC connected to the network and the ISA server outside NIC connected to the PIX Inside network that is other PIX's interfaces are DMZ1, DMZ2, DMZ3. We can ping all the dmzs from not from

In the pix firewall all high to lower interfaces are configured with identity NAT (NAT 0 )

Please help me



Re: PIX Firewall configuration

just wondering if there is a route pointing to isa for the subnet on the pix.

e.g. with the current pix config,

route inside

New Member

Re: PIX Firewall configuration

I had something like this happen to us. Are you maybe missing a route statement? Even though you may have an access-list, you will still need a route statement.


Re: PIX Firewall configuration

just wondering how you go.
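
Added example, not part of the thread: a small Python check for the two causes raised in the replies, a missing return route for a subnet that sits behind another device and a missing inbound ACL entry for ICMP echo-reply. The config text, the addresses (documentation ranges) and the function names are constructed for illustration, and route selection is simplified to longest-prefix match.

```python
import ipaddress

# Constructed PIX-style config; every address is a documentation placeholder.
BROKEN_CONFIG = """\
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.0.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
access-list 100 permit icmp any any echo-reply
access-group 100 in interface outside
"""
# Same config plus a route to the (assumed) subnet behind the inner firewall.
FIXED_CONFIG = BROKEN_CONFIG + "route inside 198.51.100.0 255.255.255.0 192.0.2.2 1\n"

def parse(config):
    """Collect (network, interface, next hop) for connected and static routes."""
    table = []
    for line in config.splitlines():
        f = line.split()
        if f[:2] == ["ip", "address"] and len(f) >= 5:
            net = ipaddress.ip_interface(f"{f[3]}/{f[4]}").network
            table.append((net, f[2], "connected"))
        elif f[:1] == ["route"] and len(f) >= 5:
            net = ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False)
            table.append((net, f[1], f[4]))
    return table

def return_path(config, subnet):
    """Interface and next hop the firewall would use to reply to `subnet`."""
    target = ipaddress.ip_network(subnet)
    matches = [r for r in parse(config) if target.subnet_of(r[0])]
    if not matches:
        return None  # no route at all: replies are dropped
    net, iface, via = max(matches, key=lambda r: r[0].prefixlen)
    return iface, via

def echo_reply_allowed(config, iface):
    """True if an ACL applied inbound on `iface` permits ICMP echo-reply."""
    lines = [l.split() for l in config.splitlines()]
    bound = {f[1] for f in lines
             if f[:1] == ["access-group"] and f[2:] == ["in", "interface", iface]}
    return any(len(f) > 4 and f[0] == "access-list" and f[1] in bound
               and f[2:4] == ["permit", "icmp"] and f[-1] == "echo-reply"
               for f in lines)

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, return_path(cfg, "198.51.100.0/24"),
              echo_reply_allowed(cfg, "outside"))
```

With the broken config, replies to the subnet behind the inner device follow the default route out of the outside interface, which matches the symptom of pings working from the directly connected network but not from the network one hop further in.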