troubleshooting Question

Configuring PIX 515E with single static WAN address and internal CIDR block

Avatar of jmanstream
jmanstream asked on
Hardware FirewallsCisco
3 Comments1 Solution712 ViewsLast Modified:
I am in desperate need of help with my PIX 515 firewall. I am trying to configure it for use with my Cox Business Internet service. They have assigned me a single static public IP address with an internal CIDR block. I was able to successfully configure it with the WAN IP address on the outside interface and the first usable IP address of the CIDR as the gateway on my inside interface, but I cant seem to figure out how to allow outside access into my internal CIDR network. I am able to ping the outside interface from a remote server but cannot reach the inside interface.

I have a Linksys router with its WAN address specified as one of the CIDR block addresses, so I can have the rest of my LAN, which doesn't need to be publicly accessible, configured on a subnet. The machines behind the Linksys have no problem getting out to the Internet. I also have one test server (not behind the Linksys), configured with one of the CIDR block usable addresses. That server is also able to get out to the Internet without issue.

But, when I try to ping the internal server or connect to the web server/ftp server from the outside, I get nothing. I think I have configured everything correctly on the PIX as far as the access lists, but, I am definitely NO Cisco expert. Its probably something really stupid that Im missing but I cant seem to find any examples on how to do this properly.

Here is my current config...

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ****** encrypted
passwd ****** encrypted
hostname pix515
domain-name tobias
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit udp any any eq ntp
access-list outside_access_in permit tcp any host x.y.z.93 eq www
access-list outside_access_in permit tcp any host x.y.z.93 eq ftp
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside a.b.c.143
ip address inside x.y.z.81
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group outside_access_in in interface outside
route outside a.b.c.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server source outside prefer
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet x.y.z.80 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Where a.b.c.143 /27 is the WAN address with a.b.c.129 as its default gateway. x.y.z.80 /28 is the CIDR block. I am using z.y.z.81 as the internal default gateway.

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 3 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 3 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros