Clients behind pix 501 cannot access internet


I have a very simple setup for my network as follows:

Internet <-- adsl <-- pix 501 <-- client. Where:

pix 501:
eth0 (outside) 68.x.x.130
eth1 (inside)


GW  68.x.x.134

I can ping the GW from the pix console, but cannot ping DNS. The client cannot ping both GW and DNS, but it can ping eth0 of pix 501.

My pix configuration:

show config

: Saved

: Written by admin at 13:31:43.717 UTC Thu Apr 20 2006

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname pix501
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name 68.x.x.132 RDP
name 68.x.x.131 SSH
access-list 101 permit ip host SSH
access-list 101 permit ip host RDP
access-list acl_out permit ip any any
access-list acl_in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.x.x.130
ip address inside
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm drop
ip audit attack action alarm drop
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 101
nat (inside) 10 0 0
access-group acl_in in interface inside
route outside 68.x.x.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set pfs group2
crypto map transam 1 set peer
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
telnet timeout 5
ssh timeout 5
management-access outside
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain
dhcpd enable inside
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure            
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80

Clients attached to eth0 of pix 501 cannot access the internet or ping the internet. Any help will be appreciated.


First, you need to allow icmp to go through the PIX using an access-list and applying it on the outside interface of the PIX.


access-list acl_out permit icmp any any
access-group acl_out in interface outside

From the PIX itself, can you ping ? is an IP on the internet. So if you can ping that, then that means the PIX itself can go to the internet.

Also, after you have added an access rule on the outside interface, try pinging from the PC behind the PIX as well. If this works, then try browsing by IP to see if it is a DNS issue. Try which is Cisco's home page.
arron9112003 (Author) commented:

I did add the icmp access list as you suggested, but still cannot ping either from the pix or from the internal host. The internal host also cannot access the homepage.

So it seems that the PIX itself cannot access the internet. I was looking at your config. I really can't tell from the config because you sanitized it, but it seems that the PIX ip address on the outside interface and the default gateway configured are the same. Can you check on the following lines of your config?

ip address outside 68.x.x.130
route outside 68.x.x.130

Check the above config and double check with your ISP if that is the correct setting.

Agree with stressedout2004 about the default route. You're pointing to your own IP address and you should be pointing to the ISP next-hop.

>access-group acl_in in interface inside
Remove this acl from the inside interface. It is not necessary unless you want to restrict traffic. ALL traffic is allowed out by default, no acl necessary
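As an added illustration (not from this thread or from Cisco), the following Python script lints a PIX 6.x style configuration for the three issues raised in the answers above: a default route whose next hop is the PIX's own outside address (the actual bug here), no outside ACL permitting ICMP replies back in, and a redundant `permit ip any any` ACL applied to the inside interface. The two embedded configs are constructed; the real thread's addresses were sanitized, so the 203.0.113.x values and the inside subnet are placeholders, and `.134` stands for the ISP gateway only as an assumption. The functions `parse_pix` and `lint` are mine, not PIX commands.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the sanitized PIX 6.3 config in the question.
# The poster's addresses were stripped; the RFC 5737 range 203.0.113.0/24 and
# the 192.168.1.0/24 inside subnet are placeholders, not the real addressing.
BROKEN_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit ip any any
access-list acl_in permit ip any any
ip address outside 203.0.113.130 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0 0
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.0.113.130 1
"""

# Same box after the thread's fixes: the default route points at the ISP next
# hop (.134 here, an assumed placeholder), the redundant inside ACL is removed,
# and only ICMP is permitted back in on the outside interface.
FIXED_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit icmp any any
ip address outside 203.0.113.130 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.134 1
"""


@dataclass
class PixConfig:
    interface_ips: dict = field(default_factory=dict)  # nameif -> IPv4Interface
    routes: list = field(default_factory=list)         # (nameif, IPv4Network, next hop)
    access_groups: dict = field(default_factory=dict)  # nameif -> ACL applied inbound
    acl_entries: dict = field(default_factory=dict)    # ACL name -> list of entry strings


def parse_pix(text):
    """Extract only the statements the checks below need (PIX 6.x syntax)."""
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            cfg.interface_ips[m[1]] = ipaddress.IPv4Interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$", line):
            cfg.routes.append((m[1], ipaddress.IPv4Network(f"{m[2]}/{m[3]}"),
                               ipaddress.IPv4Address(m[4])))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            cfg.access_groups[m[2]] = m[1]
        elif m := re.match(r"access-list (\S+) (.+)$", line):
            cfg.acl_entries.setdefault(m[1], []).append(m[2])
    return cfg


def lint(cfg):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for nameif, network, next_hop in cfg.routes:
        iface = cfg.interface_ips.get(nameif)
        if iface is None:
            continue
        if next_hop == iface.ip:
            # The thread's actual bug: the default route pointed at the PIX itself.
            findings.append(f"route {nameif} {network}: next hop {next_hop} is the PIX's "
                            f"own {nameif} address; it must be the ISP gateway")
        elif next_hop not in iface.network:
            findings.append(f"route {nameif} {network}: next hop {next_hop} is not on "
                            f"the {nameif} subnet {iface.network}")
    if not any(net.prefixlen == 0 for _, net, _ in cfg.routes):
        findings.append("no default route configured")

    # PIX 6.x does not track ICMP statefully, so echo replies from the internet
    # are dropped unless an inbound ACL on the outside interface permits them.
    outside_acl = cfg.access_groups.get("outside")
    outside_entries = cfg.acl_entries.get(outside_acl, []) if outside_acl else []
    if not any(e.startswith("permit icmp") for e in outside_entries):
        findings.append("outside: no inbound ACL permits icmp; pings from inside get no reply")
    if any(e.startswith("permit ip any any") for e in outside_entries):
        findings.append(f"outside: ACL {outside_acl} permits all inbound traffic")

    # Traffic from a higher- to a lower-security interface is allowed by default,
    # so an inside ACL consisting only of 'permit ip any any' does nothing useful.
    inside_acl = cfg.access_groups.get("inside")
    inside_entries = cfg.acl_entries.get(inside_acl, []) if inside_acl else []
    if inside_entries and all(e.startswith("permit ip any any") for e in inside_entries):
        findings.append(f"inside: ACL {inside_acl} only permits everything; redundant")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint(parse_pix(text)) or ["no findings"]:
            print(" -", finding)
```

Note the extra check on the outside ACL: the question's config already defines `access-list acl_out permit ip any any`, so applying `acl_out` inbound on the outside interface as it stands would permit all inbound traffic, not just ICMP. The lint flags that case so the ICMP fix does not quietly open the perimeter.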

arron9112003 (Author) commented:
Thanks stressedout2004, I had the route pointing to myself instead of the ISP gateway. It works now after I changed it to the ISP gateway. Thanks for your help.