Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

pix520 and version 6.3(2)

I have succussfully to configure the PIX-520 firewall with the version 6.3(1).

My Network is like this.

There are 4 servers with public IP inside the DMZ zone, and I use the static command to let the servers inside the DMZ zone, can be accessed by the internet user(application)

The statement like

static (dmz,outside) x.x.x.176 x.x.x.176




static (dmz,outside) x.x.x.179 x.x.x.179

and use the access-list acl_out and acl_dmz to control set the security rules.

At last bind the Access-list to the outside interface and dmz interface:

access-group acl_out in interface outside

access-group acl_dmz in interface dmz

By doing this in Version 6.3(1), the firewall suuceed to allow the specified Host IP outside to access the Specified IP/port inside.

but in the case of version 6.3(2), I can not access the server inside the firewall.

I wonder is it becuase the version 6.3(2) need to be implicitly specify some thing wich I did not do.

Hope to get help.



  • Other Security Subjects
Cisco Employee

Re: pix520 and version 6.3(2)

There shouldn't be any difference between 6.3(1) and 6.3(2) as far as statics and ACL's go.

Kep in mind that 6.3(2) has been deferred and pulled from CCO because of a bug with it not keeping "nat 0" statements in its configuration, so after two reboots on 6.3(2) with nat 0 you would lose this command and probably cause problems on your network.

For this reason, I would not bother trying to figure this out and just stick with 6.3(1) until 6.3(3) is released shortly (no definate time frame as yet).

New Member

Re: pix520 and version 6.3(2)

Thanks for you suggetion, and I did not use NAT in the configuration, do you still think this may caused the problem? I in the access-list I have such 2 lines:

access-list pcl_out pemit icmp any any

access-iist pcl_in permit icmp any any.

I can not ping from the outside world to the server inside the firewall, is it due to that bug.

I may need to down grade my firewall back to 6.3(1), what a disaster. BTW, could you please give me some clue on how to get the 6.3(1) and can I use tftp to downgrade the software.

Thanks so much for you help.

John Li

New Member

Re: pix520 and version 6.3(2)

I decide to downgrade my pix version back to 6.3(1), but I wouder how could I find this binary imagine? Can I use TFTP server to change the software?

Thanks so much

New Member

Re: pix520 and version 6.3(2)


I have tested the firewall, and find it works now. I don't know what happened. Is it because of this version of the Software is not steadiable or beuase the hardware is not steadable. Do you still suggest me to downgrade the software version.

And could you please provide me the software 6.3(1) binary imagine file?

Your reply is highly appreciated!