NAT on cisco pix

Posted on 2007-10-09
Last Modified: 2010-04-09
Hi there,

I am using a Cisco PIX 506E as a firewall between a DSL router and my LAN. I would like to get out to the internet using a PC inside the LAN. The problem is that I can't ping the outside interface of the firewall from the PC; I can only ping the inside interface. I guess I need to set up NAT? Can someone help?


Here's the conf

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_access_in permit icmp any any echo-reply log
access-list inside_access_in permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group inside_access_in in interface inside
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Question by:aaresearch

    Accepted Solution

    >I can't ping the outside interface of the firewall from the PC
    Correct, and you never will. This is a design "feature" of the PIX.

    What you don't have is a default route out...
     route outside

    And you can remove the acl from the interface
      no access-group inside_access_in in interface inside

    You have restricted outgoing traffic to tcp only, where DNS uses udp and so you have effectively blocked dns. Default behavior is to allow all outgoing traffic without an acl applied.
    If you want to be able to ping hosts on the outside, add this:
     access-list icmp_in permit icmp any any echo-reply
     access-group icmp_in in interface outside


    Author Comment

    Thanks for the comment Irmoore, I added those commands and still can't ping the router from the inside host. Any idea? Thanks

    Expert Comment

    I would suggest putting the router in bridge mode and letting the PIX get the public IP, but you should be able to get out. What is the router's IP supposed to be? That is the IP that you should use as the route outside.
    Can you ping the router from the PIX itself?

    Author Comment

    I had to add this command
    global (outside) 1 netmask
    it works now, thanks

    Expert Comment

    You should not have had to add that because you already have this, and it is all you need:
     global (outside) 1 interface

    Author Comment

    I think that did not work because it included the interface IP, maybe it was something else then.
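
The points raised in the accepted solution (missing default route, inside ACL that permits only TCP) and in the later expert comment on `global (outside) 1 interface` can be checked mechanically. The following is an added example, not part of the original thread: the function name, the finding labels and the gateway 192.0.2.1 are assumptions for illustration, and both sample configurations are constructed from the lines posted above.

```python
def audit_pix_config(text):
    """Return findings for a PIX 6.x style configuration (illustrative checks)."""
    acl_protos = {}                  # ACL name -> protocols it permits
    inside_acls = []                 # ACLs bound inbound on the inside interface
    nat_ids, global_ids = set(), set()
    has_default_route = False
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3:
            continue
        if tok[0] == "access-list" and len(tok) >= 4 and tok[2] == "permit":
            acl_protos.setdefault(tok[1], set()).add(tok[3])
        elif tok[0] == "access-group" and tok[2:] == ["in", "interface", "inside"]:
            inside_acls.append(tok[1])
        elif tok[:2] == ["nat", "(inside)"]:
            nat_ids.add(tok[2])
        elif tok[:2] == ["global", "(outside)"]:
            global_ids.add(tok[2])
        elif tok[:2] == ["route", "outside"] and tok[2] in ("0", "0.0.0.0"):
            has_default_route = True
    findings = [] if has_default_route else ["no-default-route"]
    for name in inside_acls:
        # An applied ACL ends in an implicit deny: without ip or udp, DNS is dropped.
        if not acl_protos.get(name, set()) & {"ip", "udp"}:
            findings.append("inside-acl-blocks-udp:" + name)
    # nat id 0 is NAT exemption and needs no matching global pool.
    for nat_id in sorted(nat_ids - global_ids - {"0"}):
        findings.append("nat-without-global:" + nat_id)
    return findings

# Constructed from the configuration lines posted in the question.
POSTED = """\
access-list inside_access_in permit icmp any any echo-reply log
access-list inside_access_in permit tcp any any
global (outside) 1 interface
nat (inside) 1 0 0
access-group inside_access_in in interface inside
"""

# Constructed: the accepted solution applied; 192.0.2.1 is a placeholder gateway.
CORRECTED = """\
access-list icmp_in permit icmp any any echo-reply
global (outside) 1 interface
nat (inside) 1 0 0
access-group icmp_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
"""

print(audit_pix_config(POSTED), audit_pix_config(CORRECTED))
```

The posted configuration yields two findings while its `nat`/`global` pair with id 1 passes, which matches the expert's remark that `global (outside) 1 interface` was already sufficient.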

