Configuring PIX 515E with single static WAN address and internal CIDR block

Posted on 2009-12-17
Last Modified: 2012-05-08
I am in desperate need of help with my PIX 515 firewall. I am trying to configure it for use with my Cox Business Internet service. They have assigned me a single static public IP address with an internal CIDR block. I was able to successfully configure it with the WAN IP address on the outside interface and the first usable IP address of the CIDR as the gateway on my inside interface, but I can't seem to figure out how to allow outside access into my internal CIDR network. I am able to ping the outside interface from a remote server but cannot reach the inside interface.

I have a Linksys router with its WAN address specified as one of the CIDR block addresses, so I can have the rest of my LAN, which doesn't need to be publicly accessible, configured on a subnet. The machines behind the Linksys have no problem getting out to the Internet. I also have one test server (not behind the Linksys), configured with one of the CIDR block usable addresses. That server is also able to get out to the Internet without issue.

But, when I try to ping the internal server or connect to the web server/ftp server from the outside, I get nothing. I think I have configured everything correctly on the PIX as far as the access lists, but, I am definitely NO Cisco expert. It's probably something really stupid that I'm missing but I can't seem to find any examples on how to do this properly.

Here is my current config...

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ****** encrypted
passwd ****** encrypted
hostname pix515
domain-name tobias
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit udp any any eq ntp
access-list outside_access_in permit tcp any host x.y.z.93 eq www
access-list outside_access_in permit tcp any host x.y.z.93 eq ftp
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside a.b.c.143
ip address inside x.y.z.81
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group outside_access_in in interface outside
route outside a.b.c.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server source outside prefer
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet x.y.z.80 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Where a.b.c.143 /27 is the WAN address with a.b.c.129 as its default gateway. x.y.z.80 /28 is the CIDR block. I am using x.y.z.81 as the internal default gateway.
Question by: jmanstream

    Accepted Solution

    You don't have any static NAT entries configured. I know it seems like it should be able to just route the traffic to the CIDR addresses but that is not how PIX works. You will need to set up a static entry for the internal addresses even if they are routable. Any traffic going from a lower to a higher security interface MUST be NATed.

    Expert Comment

    Incidentally you just use the same address as the source and the destination of the NAT.
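As an added example (not from the thread or from Cisco), a small Python check for exactly the gap the expert describes: it scans a PIX 6.3 config for outside_access_in permits to a host in the inside CIDR block that has no static (inside,outside) translation, and emits the identity statics that would fix it. The sample config is constructed to mirror the question, with 203.0.113.80/28 standing in for x.y.z.80/28.

```python
"""Find PIX 6.3 ACL permits to inside hosts that lack a static NAT entry."""
import ipaddress
import re

# Constructed sample modelled on the question's config; 203.0.113.80/28
# stands in for the x.y.z.80/28 inside block.
SAMPLE_CONFIG = """\
access-list outside_access_in permit udp any any eq ntp
access-list outside_access_in permit tcp any host 203.0.113.93 eq www
access-list outside_access_in permit tcp any host 203.0.113.93 eq ftp
access-list outside_access_in permit icmp any any echo-reply
ip address inside 203.0.113.81
global (outside) 1 interface
nat (inside) 1 0 0
access-group outside_access_in in interface outside
"""

ACL_HOST = re.compile(r"^access-list (\S+) permit \S+ \S+ host (\S+)")
STATIC = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask (\S+)")


def inside_hosts_without_static(config, inside_block):
    """Return ACL destination hosts inside `inside_block` that no
    static (inside,outside) entry covers. On a PIX such permits are dead:
    outside->inside traffic needs a translation, not just an ACL hit."""
    block = ipaddress.ip_network(inside_block)
    covered = []
    for line in config.splitlines():
        m = STATIC.match(line)
        if m:
            global_ip, _local_ip, mask = m.groups()
            # ipaddress accepts a dotted netmask after the slash
            covered.append(ipaddress.ip_network(f"{global_ip}/{mask}", strict=False))
    missing = set()
    for line in config.splitlines():
        m = ACL_HOST.match(line)
        if not m:
            continue
        host = ipaddress.ip_address(m.group(2))
        if host in block and not any(host in net for net in covered):
            missing.add(str(host))
    return sorted(missing)


def identity_statics(hosts):
    """PIX 6.3 identity static per host: global and local address are the
    same (the 'same address as source and destination' in the comment)."""
    return [f"static (inside,outside) {h} {h} netmask 255.255.255.255" for h in hosts]
```

A single network static, `static (inside,outside) x.y.z.80 x.y.z.80 netmask 255.255.255.240`, covers the whole /28 at once instead of one line per host.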

    Author Closing Comment

    That did the trick! You're right... I was assuming it would just route as long as the access-list was in place. Thanks!
