Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member


Hi there,

had a very strange problem somedays back, and i'm wondering if anyone can help. Went to a client's site to replace a PIX 501 with and existing PIX 501, but for some reason, i was unable to estable reachability via ping on the internet. I regenerated the rsa key, recreated ssh, saved and reloaded my config, but i still had the same issue. please find the show run output of pix:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname RLH-LANDMARK-pix


fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


name LANZ-access

name landmark-firewall

access-list 80 permit ip host

access-list 80 permit ip

access-list acom-traffic permit ip

access-list acl-out permit icmp any any

pager lines 24

logging on

logging buffered alerts

mtu outside 1500

mtu inside 1500

ip address outside xxx.xx

ip address inside

ip audit info action alarm

ip audit attack action alarm

ip local pool micros-fidelios

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 80

nat (inside) 1 0 0

access-group acl-out in interface outside

route outside 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

crypto ipsec transform-set landmarkvpn esp-3des esp-md5-hmac

crypto ipsec transform-set vpnaccess esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set vpnaccess

crypto map vpnmap 1 ipsec-isakmp

crypto map vpnmap 1 match address acom-traffic

crypto map vpnmap 1 set peer landmark-firewall

crypto map vpnmap 1 set transform-set landmarkvpn

crypto map vpnmap 1 set security-association lifetime seconds 3600 kilobytes 24000

Community Member


second part:

crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

crypto map vpnmap interface outside

isakmp enable outside

isakmp key ******** address landmark-firewall netmask

isakmp identity address

isakmp client configuration address-pool local micros-fidelios outside

isakmp nat-traversal 1500

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 5

isakmp policy 1 lifetime 19200

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption des

isakmp policy 2 hash md5

isakmp policy 2 group 2

isakmp policy 2 lifetime 86400

vpngroup micros-fidelios address-pool micros-fidelios

vpngroup micros-fidelios idle-time 1800

vpngroup micros-fidelios password ********

telnet inside

telnet inside

telnet inside

telnet timeout 5

ssh LANZ-access outside

ssh timeout 50

console timeout 0

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe auto

vpdn group 1 client configuration address local micros-fidelios

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username micros-fidelios password *********

vpdn enable outside

terminal width 80


: end

thanks in advance



Could you explain again what the problem is, I'm not sure what this means exactly.

" i was unable to estable reachability via ping on the internet"

Hall of Fame Super Blue



Do you mean ping through to the internal network or ping to the outside interface of the pix.

If you are trying to ping the outside interface you need the following statement in your config

icmp permit any outside

You can tie down the IP addresses that are able to ping by replacing the any with individual IP addresses. Your outside access-list allowing ip to any will still not allow you to ping the outside interface of the pix.

If you are trying to ping through could you let us know the source and destination of the ping.



Community Member


one of the most imp things... have you checked with the ISP whether there is any static ARP entry for firewall on router...besides this i dont see anything wrong with the configuration.

CreatePlease to create content