Clients behind pix 501 cannot access internet

Posted on 2006-04-20
Last Modified: 2013-11-16

I have a very simple setup for my network as follows:

Internet <-- adsl <-- pix 501 <-- client. Where:

pix 501:
eth0 (outside) 68.x.x.130
eth1 (inside)


GW  68.x.x.134

I can ping the GW from the pix console, but cannot ping DNS. The client cannot ping both GW and DNS, but it can ping eth0 of the pix 501.

My pix configuration:

show config

: Saved

: Written by admin at 13:31:43.717 UTC Thu Apr 20 2006

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname pix501
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name 68.x.x.132 RDP
name 68.x.x.131 SSH
access-list 101 permit ip host SSH
access-list 101 permit ip host RDP
access-list acl_out permit ip any any
access-list acl_in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.x.x.130
ip address inside
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm drop
ip audit attack action alarm drop
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 101
nat (inside) 10 0 0
access-group acl_in in interface inside
route outside 68.x.x.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set pfs group2
crypto map transam 1 set peer
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
telnet timeout 5
ssh timeout 5
management-access outside
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain
dhcpd enable inside
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure            
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80

Clients attached to eth0 of the pix 501 cannot access the internet or ping the internet. Any help will be appreciated.

Question by:arron9112003
    LVL 9

    Expert Comment

    First, you need to allow ICMP through the PIX using an access-list and applying it on the outside interface of the PIX.


    access-list acl_out permit icmp any any
    access-group acl_out in interface outside

    From the PIX itself, can you ping ? That is an IP on the internet, so if you can ping it, the PIX itself can reach the internet.

    LVL 9

    Expert Comment

    Also, after you have added an access rule on the outside interface, try pinging from the PC behind the PIX as well. If this works, then try browsing by IP to see if it is a DNS issue. Try , which is Cisco's home page.

    Author Comment


    I did add the ICMP access list as you suggested, but still cannot ping either from the PIX or from the internal host. The internal host also cannot access the homepage.
    LVL 9

    Accepted Solution

    So it seems that the PIX itself cannot access the internet. I was looking at your config; I really can't tell for sure because you sanitized it, but it seems that the PIX IP address on the outside interface and the configured default gateway are the same. Check the following lines of your config:

    ip address outside 68.x.x.130
    route outside 68.x.x.130

    Check the above config and double check with your ISP if that is the correct setting.
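The two checks raised in this thread, the first reply's "is ICMP permitted inbound on the outside interface" and the accepted solution's "does the default route point at the PIX's own address", as an added Python example that is not part of the original thread or of Cisco's tooling. The two configuration fragments inside it are constructed PIX 6.3-style snippets modelled on the poster's sanitized config, with TEST-NET-2 addresses (198.51.100.x) standing in for the real 68.x.x.x block and the route lines written out in full (the poster's were truncated); the fixed variant assumes the ISP next-hop is .134 as the poster's GW line states.

```python
import ipaddress
import re

# Constructed PIX 6.3-style fragment modelled on the thread's sanitized config.
# 198.51.100.0/24 (TEST-NET-2) stands in for the poster's 68.x.x.x addresses.
BROKEN_CONFIG = """\
ip address outside 198.51.100.130 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
access-list acl_out permit ip any any
access-list acl_in permit ip any any
global (outside) 10 interface
nat (inside) 10 0 0
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 198.51.100.130 1
"""

# Same box after the fixes: default route to the ISP next-hop (.134, assumed from
# the thread) and an outside ACL admitting only the ICMP replies pings need.
FIXED_CONFIG = """\
ip address outside 198.51.100.130 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
global (outside) 10 interface
nat (inside) 10 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 198.51.100.134 1
"""

IP_ADDRESS_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+)\b")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_interfaces(config):
    """Map nameif -> ip_interface from 'ip address <nameif> <addr> <mask>' lines."""
    ifaces = {}
    for line in config.splitlines():
        m = IP_ADDRESS_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            ifaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces


def parse_routes(config):
    """Parse 'route <nameif> <net> <mask> <next-hop> [metric]' lines."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            ifname, net, mask, nexthop, metric = m.groups()
            routes.append({
                "interface": ifname,
                "network": ipaddress.ip_network(f"{net}/{mask}", strict=False),
                "next_hop": ipaddress.ip_address(nexthop),
                "metric": int(metric) if metric else 1,
            })
    return routes


def check_routes(config):
    """Flag routes whose next-hop is the PIX itself or lies off the egress subnet."""
    ifaces = parse_interfaces(config)
    own_addrs = {i.ip for i in ifaces.values()}
    findings = []
    for r in parse_routes(config):
        egress = ifaces.get(r["interface"])
        if r["next_hop"] in own_addrs:
            findings.append(f"route {r['network']} via {r['next_hop']}: next-hop is own address")
        elif egress is not None and r["next_hop"] not in egress.network:
            findings.append(f"route {r['network']} via {r['next_hop']}: "
                            f"next-hop not in {r['interface']} subnet {egress.network}")
    return findings


def icmp_permitted_inbound(config, interface="outside"):
    """True if an ACL bound inbound on `interface` has a 'permit icmp' (or 'permit ip') entry.

    PIX 6.3 has no stateful ICMP inspection, so replies to pings from inside
    are dropped at the outside interface unless explicitly permitted there.
    """
    acls, bound = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if (m := ACL_RE.match(line)):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif (m := GROUP_RE.match(line)):
            bound[m.group(2)] = m.group(1)
    acl = bound.get(interface)
    if acl is None:
        return False  # nothing bound: implicit deny for traffic entering a lower-security interface
    return any(act == "permit" and proto in ("icmp", "ip") for act, proto in acls.get(acl, []))


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_routes(cfg), "icmp in on outside:", icmp_permitted_inbound(cfg))
```

Run against the broken fragment it reports the self-pointing default route and no ICMP permit on outside; against the fixed one it reports nothing. The sanitized config on this page would fail both regexes (its `route` and `ip address` lines are missing tokens), so feed it the real `show config` output.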
    LVL 79

    Expert Comment

    Agree with sressedout2004 about the default route. You're pointing to your own IP address and you should be pointing to the ISP next-hop

    >access-group acl_in in interface inside
    Remove this acl from the inside interface. It is not necessary unless you want to restrict traffic. ALL traffic is allowed out by default, no acl necessary


    Author Comment

    Thanks stressedout2004, I had the route pointing to myself instead of to the ISP gateway. It works now after I changed it to the ISP gateway. Thanks for your help.
