Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


client behind pix 501 can not accesst internet

Posted on 2007-10-16
Medium Priority
Last Modified: 2010-04-09

I have very simple setup for the PIX (please see diagram and config file bellow), but it seems not working at all. The pix it self can ping to default getaway and also can ping to internet, but the client at can not ping out or have internet access. The client also can not ping eth0 interface of the pix too.

Eth1 and the client are in the same subnet and client must use public IP, eth0 is on different subnet. The IP has modified 2 mid bit.

Can any one give me advice on this?
Thanks in advanced

Netopia ADSL pure modem
PIX501 # eth0, eth1:
client #

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname PIX
domain-name something
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 100 permit icmp any any echo-reply
access-list acl_out permit icmp any any log
pager lines 24
logging on
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0 0
access-group acl_out in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Question by:arron9112003
  • 4
  • 4
LVL 79

Expert Comment

ID: 20088535
no nat (inside) 0 0 0
clear xlate
static (inside,outside) netmask

>route outside
The router that is the next hop needs a route back to the x.x.10.16 network. A cisco would look like this:
 ip route

Author Comment

ID: 20088608
Thankyour for fast respond but this command return error ...
> ip route
Invalid keyword:  "route"

I'm a Cisco dummies ;-)
LVL 79

Expert Comment

ID: 20088695
Are you in config mode on the router?
router#config t
router(config)#ip route
router#write mem
Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.


Author Comment

ID: 20088724
Yes, i'm in (config)# mode and run that command, but it not happy.

PIX(config)# ip route
Invalid keyword:  "route"
Usage:  [no] ip address <if_name> <ip_address> [<mask>]
        [no] ip address <if_name> <ip_address> <mask> pppoe [setroute]
        [no] ip address <if_name> dhcp [setroute] [retry <retry_cnt>]
        [no] ip address <if_name> pppoe [setroute]
        ip local pool <poolname> <ip1>[-<ip2>] [mask <mask>]
        ip verify reverse-path interface <if_name>
        ip audit {info|attack} action [alarm] [drop] [reset]
        ip audit name <audit_name> {info|attack} [action [alarm] [drop] [reset]]

        ip audit interface <if_name> <audit_name>
        ip audit signature <sig_number> disable
        show|clear ip audit count [global] [interface <interface>]
        show ip [address [<if_name> [pppoe|dhcp [lease|server]]]]
LVL 79

Expert Comment

ID: 20088798
Not on the PIX, on the router out in front of the PIX..

Author Comment

ID: 20089536
uhh.... the pix connect direct to internet using a pure ADSL modem, I don't have access to any thing beyond ADSL modem.
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 20089570
Well, then the modem, or whatever is the next hop needs a route back to your pix outside IP for the inside network if you don't use nat.
Try this:

no static (inside,outside) netmask
clear xlate
global (outside) 1 interface
nat (inside) 1 0 0 0

Author Comment

ID: 20089588

nat (inside) 1 0 0 0 does it. It work now, Thanks alot for your advise.


Expert Comment

ID: 20089605
the Pix is a NAT device so typically you would want to give your client a private IP address. is a public IP address and most likely assigned to someone else unless it is in the range you DSL company gave you. Your best bet would be to set up you network something like this:

Netopia ADSL pure modem
PIX501 # eth0, eth1:
client #

you will need to enter these commands into the pix

no nat (inside) 0 0 0 (if you havent already)
nat (inside) 1
ip address inside
static (inside,outside) netmask
no http inside
http inside

This assumes that your DSL provider gave you the IP range you have assigned to your outside interface. People connecting to will automatically be forwarded to your client.

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses
Course of the Month15 days, 7 hours left to enroll

575 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question