Cisco Support Community


Some problem with PIX

I could ping internet websites through the PIX (6.3) with an internal IP, but only some IPs could do this... I checked my PIX's configuration and found that there are no limits on the inside interface (the PIX allows access from a high security level interface to a low security level interface by default??). So strange; could someone help me find the problem?? (cut...)

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list 101 permit ip host
access-list 102 permit ip host any
access-list 102 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.*
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool normal
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
arp timeout 14400
global (outside) 1
nat (inside) 0 access-list 101
nat (inside) 1 0 0
conduit permit icmp any any
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside *.*.*.* 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host cisco123 timeout 10
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set oss1 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
crypto map transam 10 ipsec-isakmp
crypto map peer1 11 ipsec-isakmp
crypto map peer1 11 set peer
crypto map peer1 11 set transform-set oss1
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup normal address-pool normal
vpngroup normal dns-server
vpngroup normal split-tunnel 101
vpngroup normal idle-time 1800
vpngroup normal password ********
console timeout 0
terminal width 80
: end


Re: Some problem with PIX


Your config looks fine for outbound access. However, you have a class C on your inside interface, which is 200+ hosts, not even counting anything you may be routing through the PIX (the 192.168 class B). However, your nat/global statements say that only 20 hosts can have outside access (and presumably internet access) at the same time:

global (outside) 1

Once 20 internal IP addresses are mapped to 20 external IP addresses, everyone else has to wait until a translation slot frees up.

Try changing it to the following:

global (outside) 1
global (outside) 1

This means after the first 19 addresses are used by hosts needing translation, everyone else will use PAT, giving you 65000+ more translations for internet access. However, there are caveats when using PAT for some types of applications; make sure you look them up.

Check out this URL if you have any more questions. It explains everything you should need to know - assuming nat is your problem. :)


Don't forget to rate if it helps
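The pool-then-PAT layout the reply above describes, written out as an added PIX 6.3 example (this is not the poster's config and not the reply's own text; the poster's real addresses are redacted in the thread, so the inside subnet 10.0.0.0/24 and the outside addresses 203.0.113.10-203.0.113.30 are placeholders chosen for illustration):

```cisco
! Added example, not the configuration posted in this thread.
! Assumed placeholder addressing: inside 10.0.0.0/24, outside block 203.0.113.0/24.

! --- Starting point: a single global pool of 20 addresses, no overflow ---
! global (outside) 1 203.0.113.10-203.0.113.29 netmask 255.255.255.0
! nat (inside) 1 0 0
! Once 20 inside hosts hold translations, the 21st host gets no xlate and
! cannot reach the outside until an existing slot ages out.

! --- Corrected: same pool, followed by one address used for PAT overflow ---
global (outside) 1 203.0.113.10-203.0.113.29 netmask 255.255.255.0
global (outside) 1 203.0.113.30 netmask 255.255.255.0
nat (inside) 1 0 0

! Both global lines share nat_id 1, so they are matched by the same nat statement.
! The PIX hands out the pool addresses first; when the pool is exhausted,
! further hosts are translated to 203.0.113.30 with a unique source port each.

! Alternative overflow form: PAT on the outside interface address itself,
! which avoids spending a second public address.
! global (outside) 1 interface
```

One caveat worth keeping in mind alongside this: the posted config has `timeout xlate 3:00:00`, so an idle translation holds its pool address for three hours before the slot is released. With a bare 20-address pool that is what makes "only some IPs" work at any given moment; once the PAT overflow line is in place the pool size stops being the limit for ordinary TCP/UDP traffic.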


Re: Some problem with PIX


Thanks a lot. Could you tell me how to free up the translation slot list when the address range is exhausted??


Re: Some problem with PIX


The command

show xlate

will show you the translation slots.

The command

clear xlate

will clear them, but this is usually disruptive, and any connections associated with those translations will go away.


Please rate if it's helpful.
