Learn how to a build a cloud-first strategyRegister Now


Cisco PIX 525 firewall configuration query

Posted on 2009-05-14
Medium Priority
Last Modified: 2012-05-07
I am attempting to setup a simple configuration on a Cisco PIX 525 firewall.

For whatever reason I cannot seem to get traffic to pass from the inside network to the internet.
starting from a blank firewall we have configured the inside interface and enabled ASDM on the internal network.  The rest of the configuration was carried out through ASDM configure the outide interface and allow all traffic from the internal network outbound.

However when we attempt to connect to any resource on the internet we fail to connect.
Logging shows the connections being created to the correct destination.

If we ping the default gateway from the internal network we get no response.  If we ping the default gateway from a console session on the firewall we get a response.  If we ping an internet address from the console seeion we also get a response.

Have I missed something obvious or should this configuration work?

Here is the configuration
: Saved
PIX Version 7.2(4)
hostname gw-test
domain-name exact3ex.co.uk
enable password .xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address
interface Ethernet1
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0
 no nameif
 no security-level
 no ip address
ftp mode passive
dns server-group DefaultDNS
 domain-name exact3ex.co.uk
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 101 netmask
nat (inside) 101
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end
asdm image flash:/asdm
no asdm history enable
Question by:vodyanoi
  • 2
LVL 15

Expert Comment

ID: 24389559
question- can your workstations ping the inside interface of the pix?
how is  your default gateway of your internal network configured? Do your network switches point to the inside interface of the pix, i.e

ip route (or similar command depending on type of switch)

check your default gateways, as you state the inside of the asa can reach the internet, but the hosts cannot

by default, all inbound traffic is allowed out unless prevented by outbound access list.
Also, is the internal lan just a network, or are there other networks?
If so, then you need static route statements in the pix

Expert Comment

ID: 24391861
you also need a nat access-list so that firewall knows what to translate. add the following to your config.

access-list NONAT permit ip
nat (inside) 0 access-list NONAT

the reason you can;t ping the internal interface is the firewall is routing it out to the internet. once you apply the two able lines of config it will work like a dream.

Author Comment

ID: 24393309

Reading back through my post I realise I didn't make the situation completely clear.
So I will try again.
Internal network is just - default gateway is ( inside interface of the firewall )
My workstaion can ping the inside interface of the firewall
It cannot ping the outside interface of the firewall or anything beyond it. When I was talking about the default gateway I meant the public gateway as seen from the firewall ( )
apologies for any confusion this may have caused


Accepted Solution

ksims1129 earned 500 total points
ID: 24394289
this will fix the ability for traffic to traverse the firewall.

access-list NONAT permit ip
nat (inside) 0 access-list NONAT

Featured Post

Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month21 days, 1 hour left to enroll

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question