
New Member

PIX OS version 6.3(1) bug?

I have been looking for a definite answer to whether there is a bug that will not allow my PIX 501 with 6.3(1) to use dynamic and static PAT at the same time. The problem I have is this: I'm setting up a PIX on a PPPoE DSL connection with a web server behind it. I can get dynamic PAT to work to allow all inside hosts to access the internet. I can get static PAT to allow outside access to the web server. I cannot get both to work at the same time. I am an MCSE but am new to Cisco/PIX.

In reading some posts, I saw a reference to a bug that affects this. I have seen other posts that seem to indicate I should be able to do this successfully. When I had it set up, I could access the web server from the outside, but only the web server could access the internet. Any suggestions? I have been using the quick start instructions that came with the PIX.

7 REPLIES
Cisco Employee

Re: PIX OS version 6.3(1) bug?

Should work fine, you should have the following:

nat (inside) 1 0.0.0.0
global (outside) 1 interface
static (inside,outside) tcp interface 80 80 netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq www
access-group inbound in interface outside

New Member

Re: PIX OS version 6.3(1) bug?

I have the exact commands in my PIX and I have the exact problem. My mail server can receive port 25 coming inbound but cannot get outbound at all.

Re: PIX OS version 6.3(1) bug?

Sounds to me like a common config issue seen when doing port redirection. Can you share your config with us for review? Remember to change public IP addresses (to something consistent please) and blank your passwords.

Scott

New Member

Re: PIX OS version 6.3(1) bug?

Here is the config I was testing with. Basically the 10.0.0.2 Mail server is the one that cannot get out to the internet in this config but all other machines can.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXX encrypted
passwd XXX encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list inbound permit tcp any interface outside eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.252
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Gold

Re: PIX OS version 6.3(1) bug?

Hi,

Have you got any syslog messages that you can post to us please? If you haven't, then do the following (in config mode):

logging on
logging buffer debug
sh log

Please post the results, thanks.

Jay

New Member

Re: PIX OS version 6.3(1) bug?

Well, the weird thing is I was booting all my test gear up to get the logs and it looks like everything is working now. Not sure if it needed a good reboot or clear xlate, but I am able to access the internet from the mail server as well as receive inbound ports......hmmmm

Re: PIX OS version 6.3(1) bug?

Cool. I was out of the office for a while but I did look at the config and you should be fine. Most people don't realize that a port static only works for packets *sourced* from that port. So, trying to open a web browser on the mail server where you have a port static configured will not work because the packets from the mail server (in this case) are not *sourced* from port 25. You need to have a corresponding nat and global statement for the web browsing to work. Not sure how clear this is but your config is fine. I am guessing you may have been running into a known issue regarding statics and arp in the 6.3 code. Glad you got it fixed.

Scott
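To make Scott's point concrete, here is an added example (not from the thread or from Cisco) that parses the three translation lines from the posted config and models the PIX lookup order for an inside-to-outside connection: a port static matches only when the real host sends *from* the static's port, everything else needs a matching nat/global pair, and without one there is no xlate. The `translate_outbound` function, the `PORT_NAMES` table and the "drop" outcome are assumptions of this model, not PIX commands.

```python
# Constructed excerpt of the config posted in the thread; not a live device.
PIX_CONFIG = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
"""

# Minimal port-name table for the names this config uses (assumption).
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80}


def port(tok):
    """Turn 'smtp' or '80' into an integer port."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse(config):
    """Collect port statics and the nat ids that have a matching global."""
    statics, nat_ids, global_ids = [], set(), set()
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static" and t[2] in ("tcp", "udp"):
            # static (in,out) <proto> <mapped_ip> <mapped_port> <real_ip> <real_port> ...
            statics.append((t[2], port(t[4]), t[5], port(t[6])))
        elif t[0] == "nat":
            nat_ids.add(int(t[2]))
        elif t[0] == "global":
            global_ids.add(int(t[2]))
    return statics, nat_ids & global_ids


def translate_outbound(config, proto, src_ip, src_port):
    """Model of the PIX translation decision for an inside host opening a
    connection outbound: a static whose real ip/port match the *source*
    wins, otherwise dynamic PAT via a paired nat/global, otherwise no xlate."""
    statics, pat_ids = parse(config)
    for p, mapped_port, real_ip, real_port in statics:
        if p == proto and real_ip == src_ip and real_port == src_port:
            return f"static:{mapped_port}"
    if pat_ids:
        return "pat"
    return "drop"


if __name__ == "__main__":
    # Mail server sending from port 25 uses the static; browsing uses PAT.
    print(translate_outbound(PIX_CONFIG, "tcp", "10.0.0.2", 25))     # static:25
    print(translate_outbound(PIX_CONFIG, "tcp", "10.0.0.2", 51515))  # pat
```

Removing the `nat (inside) 1 ...` line from the constructed config makes the browser case return "drop", which is the symptom the original poster described.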
