Cisco PIX 506 Help!! workstations can not access internet?

Posted on 2007-10-18
Last Modified: 2010-04-09
Recently purchased a used Cisco PIX 506, ver 6.3(5). I have reset it to factory defaults and followed the recommended settings from Cisco, now I have some issues.

Our network is set up like this

T1 Router <-- PIX --> Network Switch -> Server, workstations

PIX has an outside IP of 216.xx.xx.2
PIX has an inside IP of

The server is set up to DHCP and has an internal IP of , workstations obtain the IP from the server.

Because the server is also a web server, I have set up static route to forward www traffic to the server.

everything works fine on the server, and I can access the server from the public too.

however, none of the workstations are able to access the internet.

I can ping to the server and the PIX from workstation, but can not ping to any outside IP.

what command should I use to allow outbound traffic from workstations?  

Question by:mike2016

    Accepted Solution


    As you already have access working to the translated server - you have got a working access-list on the outside interface.  So just add the following lines to the acl - replacing "fromoutside" with the name of your acl:
    access-list fromoutside permit icmp any any echo-reply
    access-list fromoutside permit icmp any any unreachable
    access-list fromoutside permit icmp any any time-exceeded

    This will allow ICMP (ping) packets back in so you can ping websites etc.


    Assisted Solution

    It might be in your static statement.

    NOT OK where static nat maps to same ip as global:
     global (outside) 1 216.xx.xx.2
     nat (inside) 1 0 0 0
     static (inside,outside) 216.xx.xx.2 netmask

    OK using interface keyword and port specific nat where MX record = same ip as assigned to interface:
     global (outside) 1 interface
     nat (inside) 1 0 0 0
     static (inside,outside) tcp interface 25 25 netmask
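
A small offline check for the overlap described in the answer above, added here as an example (it is not part of the original thread and not Cisco tooling): it scans a PIX 6.3-style configuration for a one-to-one static whose outside address is also used by a global statement. The sample configurations, the documentation-range addresses and the function name are constructed for illustration.

```python
import re

# Constructed sample configs (documentation addresses, not the poster's).
BAD_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 203.0.113.2
nat (inside) 1 0 0 0
static (inside,outside) 203.0.113.2 192.168.1.10 netmask 255.255.255.255
"""

GOOD_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255
"""

IFADDR = re.compile(r"^ip address (\S+) (\S+) \S+")
GLOBAL = re.compile(r"^global \((\S+)\) \d+ (\S+)")
STATIC = re.compile(r"^static \((\S+),(\S+)\) (?:(tcp|udp) )?(\S+)")


def find_static_global_conflicts(config):
    """Return (line, reason) for one-to-one statics that reuse a global address."""
    if_ip, pat, statics = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFADDR.match(line):
            if_ip[m.group(1)] = m.group(2)
        elif m := GLOBAL.match(line):
            pat.setdefault(m.group(1), set()).add(m.group(2))
        elif m := STATIC.match(line):
            statics.append((line, m.group(2), m.group(3), m.group(4)))

    def resolve(ifname, addr):
        # The "interface" keyword stands for that interface's own address.
        return if_ip.get(ifname, addr) if addr == "interface" else addr

    findings = []
    for line, ifname, proto, addr in statics:
        if proto:  # port-specific static: only that one port is redirected
            continue
        pool = {resolve(ifname, a) for a in pat.get(ifname, ())}  # ranges not expanded
        if resolve(ifname, addr) in pool:
            findings.append((line, f"one-to-one static reuses global address on {ifname}"))
    return findings
```

Running it over a saved copy of the configuration before applying changes shows whether a server mapping is taking over the address the workstations need for outbound translation.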

    Author Comment

    Thanks for the replies! I will try that after work hours ...

    One thing I was thinking though, the way I connected the cables is like this

    all devices (T1 router, server, workstations) are connected to the same switch, I had to do this because I don't have a 25ft long crossover cable to connect the T1 router to the firewall...

    Assisted Solution

    If they are not separated by vlans on the switch then you are leaving the internal LAN open to attack on the internet as the firewall is not protecting them.
    Ensure you segregate the connections so that Public and Private network are separate and the firewall is the junction point.

    T1 router > firewall > Inside LAN > servers/workstations.


    Author Comment

    Omg it's good I asked that.... okay I'll separate them right away.

    Will try the access-list commands after work to confirm the progress! Thanks again.
