Cisco Support Community
New Member

PIX firewall issue 525

Hello Gurus,

I am Siva from Melbourne.

After spending more than 3 hrs troubleshooting the problem below, I have concluded that I can't fix it myself.

I am running a PIX 525 firewall with software version Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 2.1(1) with full license.

I have a network setup where I need to route private IP addresses via my firewall's outside interface.

The network setup is like this:

I have an Internet connection terminating at my colocation. One interface connects to the service provider's public IP and the other Ethernet end is my private IP, where we have a point-to-point fibre link to my office; at my office it terminates on a private IP interface and the other end connects to my PIX firewall's outside interface. I am using RIP at the router end to broadcast between the two routers. My Internet connection is working fine, no problem with that. But accessing my internal network from those private IP addresses is the issue. From the firewall inside interface I am able to reach those IP addresses. But from the private IP addresses I am not able to reach my inside network via the firewall outside interface.

Router at colocation:

Public IP: 203.X.X.X (service provider IP)

Private IP : (My private IP segment)

Router at my office end:

Private IP: (My private IP terminate from fibre router)

Public IP: 202.X.X.X (provided by APNIC) and terminated to the firewall outside interface, which has another public IP address provided by APNIC.

Firewall inside interface:

From the firewall inside interface I am able to ping, but at the same time I am not able to ping from, which ultimately has to come via the PIX outside interface.

Let me know whether it is possible. If so, what do I need to add to the access list to allow outside in? If possible, please give me a sample syntax format, since I have tried various options with the outside ACL.

Thanks in advance for your help.



New Member

Re: PIX firewall issue 525


Please help me. I have also placed the diagram here.



Re: PIX firewall issue 525

Just wondering what exactly the issue is, other than that ping doesn't work.

New Member

Re: PIX firewall issue 525

Same here. I can ping from inside ( to outside (, but when I try to ping from to inside it times out at the firewall outside interface.

New Member

Re: PIX firewall issue 525

Does your firewall have a route to ?

How are you pinging from the firewall inside interface? i.e. are you issuing the ping command from the firewall itself, or from a device on the inside ( network?

Can you post your firewall config?

New Member

Re: PIX firewall issue 525

Yes, I can ping from to and not from to via the firewall outside interface. Sorry, I can't post my config here due to policy. Even the IP addresses are different from what I stated here. I hope you understand what I mean.

I have routing configured for pinging.

New Member

Re: PIX firewall issue 525

What is the NAT configuration? Are the addresses being NATed to the outside interface address?

New Member

Re: PIX firewall issue 525

No NAT is configured to the outside interface, but the inside interface is configured to DMZ-REMOTE.

Below is the NAT entry:

static (inside,dmz-remote) SMH-Internal SMH-Internal netmask 0 0

New Member

Re: PIX firewall issue 525

Is the interface labelled dmz-remote the same interface that is called PIX outside in your diagram? If not, you need a static (inside,outside) SMH-Internal SMH-Internal command. Can you show us the rest of the NATing commands: nat, global and static?

New Member

Re: PIX firewall issue 525

My PIX has eight interfaces. DMZ-Remote is a different interface and it is not the OUTSIDE interface. Also, if I NAT static (inside,outside), my whole network goes offline and cannot connect to the external world.

Below is my NAT listing:

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 0 SMH-virusscan 0 0

nat (inside) 0 SMH-pas 0 0

nat (inside) 0 SMH-mail-nic2 0 0

nat (inside) 0 SMHiba 0 0

nat (inside) 0 Carvevue_Prim 0 0

nat (inside) 0 SMHsqlr 0 0

nat (inside) 0 SMH-sqlv1 0 0

nat (inside) 0 SMHsqlv3 0 0

nat (inside) 0 SMH-mail 0 0

nat (inside) 0 SMH-sql 0 0

nat (inside) 0 SMH-filer 0 0

nat (inside) 0 SMH_paging 0 0

nat (inside) 0 pas-test 0 0

nat (inside) 10 0 0

nat (dmz-SMH) 0 SMH-xmail 0 0

nat (dmz-SMH) 0 SMH-web02 dns 0 0

nat (dmz-SMH) 0 SMH-cis 0 0

nat (dmz-SMH) 0 SMH-cbt 0 0

nat (dmz-SMH) 0 SMH-web01 0 0

nat (dmz-SMH) 0 SMH-web00 dns 0 0

nat (dmz-SMH) 0 oncology 0 0

nat (dmz-SMH) 0 ccbedstate 0 0

nat (dmz-SMH) 0 SMH-web03 0 0

New Member

Re: PIX firewall issue 525

A few more NAT entries:

static (inside,dmz-remote) SMH-Internal SMH-Internal netmask 0 0

static (inside,dmz-remote) SVH-VLAN1-Public SVH-VLAN1-Public netmask 0 0

static (inside,dmz-remote) SVH-VLAN2-Public SVH-VLAN2-Public netmask 0 0

static (inside,dmz-remote) SVH-VLAN3-Public SVH-VLAN3-Public netmask 0 0

static (inside,dmz-remote) SVH-VLAN4-Public SVH-VLAN4-Public netmask 0 0

static (inside,dmz-remote) SVH-VLAN5-Public SVH-VLAN5-Public netmask 0 0

static (inside,dmz-remote) SVH-VLAN6-Public SVH-VLAN6-Public netmask 0 0

static (inside,dmz-remote) SVH-VLAN7-Public SVH-VLAN7-Public netmask 0 0

static (dmz-SMH,outside) switch-dmzSMH switch-dmzSMH netmask 0 0

static (inside,dmz-SMH) SMH-sqlv1 SMH-sqlv1 netmask 0 0

static (inside,dmz-SMH) SMH-sql SMH-sql netmask 0 0

static (inside,dmz-SMH) SMH-office1 SMH-office1 netmask 0 0

static (inside,dmz-SMH) SMH-sqlv2 SMH-sqlv2 netmask 0 0

static (inside,dmz-SMH) netman netman netmask 0 0

static (inside,dmz-SMH) SMHsqlv4 SMHsqlv4 netmask 0 0

static (dmz-SMH,outside) SMH-web01 SMH-web01 netmask 0 0

static (inside,dmz-vpn-internal) SMH-Internal SMH-Internal netmask 0 0

static (dmz-vpn-external,outside) SMHVPN01-Public SMHVPN01-Public netmask 0 0

static (inside,dmz-vpn-external) SMH-Internal SMH-Internal netmask 0 0

static (inside,dmz-SMH) SMHsqlr SMHsqlr netmask 0 0

static (inside,dmz-SMH) SMHsqlv3 SMHsqlv3 netmask 0 0

static (inside,dmz-SMH) SMH-virusscan SMH-virusscan netmask 0 0

static (inside,dmz-SMH) SMHiba SMHiba netmask 0 0

static (inside,dmz-SMH) SMH-dc1 SMH-dc1 netmask 0 0

static (inside,dmz-SMH) SMH-dc2 SMH-dc2 netmask 0 0

static (inside,dmz-SMH) SMH-citrixa SMH-citrixa netmask 0 0

static (inside,dmz-SMH) SMH-citrixb SMH-citrixb netmask 0 0

static (inside,dmz-SMH) SMH-citrixc SMH-citrixc netmask 0 0

static (inside,dmz-SMH) SMH-rsa01 SMH-rsa01 netmask 0 0

static (inside,dmz-SMH) SMH-citrixweb2 SMH-citrixweb2 netmask 0 0

static (inside,dmz-unimelb) SMH-Printsvr-PUB SMH-Printsvr netmask 0 0

static (inside,dmz-unimelb) Tierbase-PUB SMH-pas-s netmask 0 0

static (inside,dmz-remote) SVH_SGH SVH_SGH netmask 0 0

nat (dmz-SMH) 0 SMH-gw01 0 0

nat (dmz-SMH) 0 oncology-SMH-gw01 0 0

nat (dmz-SMH) 0 ccbedstate-SMH-gw01 0 0

nat (dmz-SMH) 0 SMH-citrixgw1 0 0

nat (dmz-remote) 0 LAN-BoorondCRC 0 0

nat (dmz-remote) 0 LAN-DarebinH 0 0

nat (dmz-remote) 0 LAN-Dandenong 0 0

nat (dmz-remote) 0 LAN-BarklaySt 0 0

nat (dmz-remote) 0 LAN-CambridgeH 0 0

nat (dmz-remote) 0 LAN-CambridgeCRC 0 0

nat (dmz-remote) 0 LAN-Hoppers 0 0

nat (dmz-remote) 0 LAN-RiversideH 0 0

nat (dmz-remote) 0 LAN-AuburnH 0 0

nat (dmz-remote) 0 LAN-MercyWerrib 0 0

nat (dmz-remote) 0 LAN-MercyEM192 0 0

nat (dmz-remote) 0 LAN-MercyEM128 0 0

nat (dmz-remote) 0 0

New Member

Re: PIX firewall issue 525

"Also If I nat static (inside,outside) My whole network goes offline to connect to the external world"

Yes, I should have remembered the outside-world connectivity requirement :) It should have fixed the problem between the private addresses, though (assuming the outside ACL is permitting the required traffic)?

Try the following:

access-list outside_nat0_inbound permit ip

nat (outside) 0 access-list outside_nat0_inbound outside

This tells the PIX to exempt the traffic in that access-list from NAT. The 'outside' parameter enables 'outside NAT', also called bidirectional NAT.

The reason pinging to the outside is working is either because your inside_outbound_nat0_acl permits -> (which exempts that traffic from NAT), or there is a global (outside) 10 interface (or similar) command, which is NATing the inside traffic to the outside interface address (or another valid outside address).
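To make the diagnosis in this thread repeatable (the NAT listing posted above shows identity statics for (inside,dmz-remote) but none for (inside,outside), and the reply above adds an outside NAT exemption), here is an added checker that is not part of the thread or of Cisco's tooling. It parses PIX 6.3-style `nat`/`static` lines and reports which translation entries would let a lower-security interface initiate connections to a higher-security one; the sample listing and the netmask values are constructed.

```python
import re
from collections import defaultdict

# Constructed excerpt in the style of the thread's listing: host names are the
# thread's, the netmask values are placeholders rather than the real config.
CONFIG = """\
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 SMH-mail 0 0
nat (inside) 10 0 0
nat (dmz-remote) 0 0 0
static (inside,dmz-remote) SMH-Internal SMH-Internal netmask 255.255.0.0 0 0
static (dmz-SMH,outside) SMH-web01 SMH-web01 netmask 255.255.255.255 0 0
"""
# The line proposed in the thread (outside NAT exemption on the outside interface).
SUGGESTED = "nat (outside) 0 access-list outside_nat0_inbound outside\n"

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (?:access-list (\S+)|\S+)(.*)$")

def parse_rules(text):
    """Per real interface: identity statics by mapped interface, nat 0 ACL
    exemptions, and whether the trailing 'outside' keyword enabled outside NAT."""
    r = defaultdict(lambda: {"static": defaultdict(list), "exempt": [],
                             "outside_nat": False})
    for line in text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, real, mapped = m.groups()
            r[real_if]["static"][mapped_if].append((real, mapped))
            continue
        m = NAT_RE.match(line)
        if m:
            real_if, nat_id, acl, rest = m.groups()
            if nat_id == "0" and acl:          # NAT exemption (bidirectional)
                r[real_if]["exempt"].append(acl)
            if rest.split()[-1:] == ["outside"]:
                r[real_if]["outside_nat"] = True
    return r

def reachable_via(rules, real_if, from_if):
    """Translation entries that let hosts on from_if initiate connections to
    hosts on the higher-security real_if; interface ACLs must still permit.
    A bare 'nat (x) 0 host' identity entry is outbound-only, so it is ignored."""
    ways = [f"static ({real_if},{from_if}) {real} {mapped}"
            for real, mapped in rules[real_if]["static"].get(from_if, [])]
    ways += [f"nat ({real_if}) 0 access-list {acl} (only if the ACL matches)"
             for acl in rules[real_if]["exempt"]]
    if rules[from_if]["outside_nat"]:
        ways += [f"nat ({from_if}) 0 access-list {acl} outside"
                 for acl in rules[from_if]["exempt"]]
    return ways
```

Run `reachable_via(parse_rules(CONFIG), "inside", "outside")` before and after appending `SUGGESTED` to see the missing translation path appear.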

New Member

Re: PIX firewall issue 525


I tried the above option, but it is still not working. But I can see the access-list log hit count increasing for every request-timeout packet.

Expecting your reply to fix this issue.

New Member

Re: PIX firewall issue 525

Which access-list has the hit count increasing? i.e. the nat0 ACL, outside ACL, inside ACL...

You will still need the appropriate entries in the ACL for inside and outside interfaces to allow the traffic.

New Member

Re: PIX firewall issue 525

access-list outside_nat0_inbound line 1 permit ip (hitcnt=5710)

This is the access list getting the hit count.
