Cisco Support Community
Community Member

Pix506E Not Forwarding

I have a very simple problem. My Pix506e can ping everything on both sides of it, but my LAN side cannot get to anything on the WAN side of the PIX. I figured that my default route must be incorrect, but I followed the instructions correctly. Can someone please give me some advice on how to troubleshoot this please.

Thanks in advance,

Tripp Kuehnis

Just for your info on topology:

We have a Cisco Catalyst 3550 connected to the LAN port on the PIX 506E. We then have a Cisco Catalyst 2550 connected to the WAN port on the PIX. A Cisco 2950(I think - this router was put in by AT&T) is connected to a port on the Catalyst 2550 and gives access to the T-1 line.

Thanks Again!!

Community Member

Re: Pix506E Not Forwarding

Can you ping throught the Pix? Check the logs for incoming ICMP denies if you do not allow echo replies.

Are you using NAT on the Pix or is the router doing NAT for the network?

Really need to see the config!

Community Member

Re: Pix506E Not Forwarding

I cannot ping through the router, although I have allowed all Ping packets through. I am using NAT on the PIX, but the router is not.

Here is the config in a nutshell - I am typing it in myself so please forgive spelling errors or missing password entries

PIX version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password


hostname Firewall


fixup protocol ftp 21

fixup protocol http80 (There are a few other fixups here)


pager lines 24

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

nat (inside) 1 0 0

conduit permit icmp any any

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http inside

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal widtrh 80


; end


Re: Pix506E Not Forwarding

You need at least one of:

global (outside) 1


static (inside,outside) 192.168.168.x

for the firewall to allow inside hosts to establich connections to the outside.



Community Member

Re: Pix506E Not Forwarding

ICMP outbound will be permitted by default on the Pix, but reply packet must be permitted with the use of conduits or ACL's. You also will need to define static translation for any inside host requiring pings and traceroute.


Carlos Roque

CreatePlease to create content