Go Premium for a chance to win a PS4. Enter to Win


Pix501 configuration:    pix501 inside router  & cable modem

Posted on 2013-11-12
Medium Priority
Last Modified: 2013-11-13
I'm adding  a Pix501 firewall to a small office.   Two computers, but only  one will be behind the firewall (long story, but that is the way it will be).  I've never used Pix501 or firewalls before.   Topology is:
                67.184.154.xx         (
Web ------- Cable modem ---------- Router ------------ Computer A (
                                   Pix501  (inside; outside
                                     |  192.168.53.x
                              Computer B    (

Open in new window

I have the pix501 installed.   Computer A is working fine.  Router (standard Linksys home router) is working fine.   The router's network is DHCP (192.168.1.xxx);  the Pix501 subnet will only have 1 computer, and just has fixed IP addresses (192.168.53.xxx)

Computer B, which used to work before the Pix501 was installed, now cannot see the router or internet.   I have a serial port access to the Pix501.    I can ping from the Pix501 both inside and outside, so the low-level communications are working.   But no pings will go _through_ the Pix501.    

Computer B is a Mac Mini, connected to Pix501 via ethernet, with the following Network Preferences settings:
    - Network kind: Ethernet
    - Configure IPV4:  Manually  (I'm required to use 192.168.53.xxx)
    - IP address
    - Subnet mask:
    - Router:

I can ping the pix501 from Computer B (and vice versa).    But I cannot ping  the router from Computer B (or vice versa).    I'm not worried about DNS yet: for now I just want to get the low-level pings working from computer B to router.

I must have a flaw in my Pix501 configuration that is preventing  it from relaying pings from inside to outside.  Here it is:

pix501(config)# wr term
Building configuration...
: Saved
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NJcF4sgutsk553UH encrypted
passwd NJcF4sgutsk553UH encrypted
hostname pix501
domain-name cisco.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list 101 permit ip
access-list 101 permit ip
access-list 102 permit ip
access-list 102 permit ip
pager lines 24
logging console debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0 0
nat (inside) 1 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set xfrmSet3 esp-des esp-md5-hmac
crypto ipsec transform-set xfrmSet4 ah-md5-hmac esp-des
crypto map toRemote 1 ipsec-isakmp
crypto map toRemote 1 match address 102
crypto map toRemote 1 set peer
crypto map toRemote 1 set transform-set xfrmSet3 xfrmSet4
crypto map toRemote interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth no-
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption des
isakmp policy 3 hash md5
isakmp policy 3 group 1
isakmp policy 3 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet inside
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group myisp request dialout pppoe
vpdn group myisp localname admin
vpdn group myisp ppp authentication pap
vpdn group ISP request dialout pppoe
vpdn group ISP localname admin
vpdn group ISP ppp authentication pap
vpdn username admin password *********
dhcpd auto_config outside
terminal width 80
: end
Question by:Bruce_hotchkiss
  • 5
  • 4
LVL 35

Expert Comment

by:Ernie Beek
ID: 39643978
First, get rid of these:
access-list 101 permit ip

access-list 102 permit ip

nat (inside) 1 0 0

The network is not on the inside of the PIX so that might mess things up.

Second, you might want to consider giving the PIX a static address on the outside (makes things easier for my third point).

Third, does you router have a route to the network through the IP address of the PIX?

Author Comment

ID: 39644972
Ernie:  thanks for your suggestions.  In reply:
1) I removed those two access-lists, using the "no access-list" command.
2) I don't know how to give the Pix a static address on the outside .. if you can give me a tip there it would be appreciated.
3) Do you have a typo there?  The subnet is already the "inside" net of the Linksys router.  Are you asking if the router has a route to the subnet (inside the Pix501)?  The answer to that latter question is "no", but I can try.  I access the router via web browser http://www.routerlogin.net/start.htm.   It has a mechanism to create "static routes" .. that must be what I need.  It is asking me for a "gateway IP addr" and a "destination IP addr" ... not sure what those refer to, but I'll try to figure it out.

Author Comment

ID: 39645123
Progress report from author:

a)  The outside IP address of the Pix501 is ... its been that way for a week, and I'm not powering anything off for awhile, so I can probably defer the "static address" (task #2 above) until later.  
b)  I'm working on adding a static route to the Linksys router (task #3 above).   I'm trying various permutations, including:
  - Destination IP =   [the Pix501 inside subnet]
  - Subnet mask   =
  - Gateway IP     =   [the outside IP address of the Pix501]
The above static route, alas, does not permit my pings to go thru the Pix501.  Other permutations of that static route do not work either.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 35

Expert Comment

by:Ernie Beek
ID: 39645124
My pleasure. In reply to your reply:

1) Good, we might want to add something again later.
2) The same as on the inside: ip address outisde 192.168.1.x for x use an IP that is outside the DHCP scope ;)
You also need to manually add a default gateway: route outside
3) Typo indeed, i did mean: if the router has a route to the subnet (inside the Pix501). I assume "destination IP addr" would be the subnet you want to route to ( and "gateway IP addr" would be the outside IP address of the PIX (192.168.1.x).

Let's see where this gets you.
LVL 35

Expert Comment

by:Ernie Beek
ID: 39645147
Ah crosspost.

Pings not going through. Assuming from the inside of the PIX to the internet?

Try adding an access list on the outside:
access-list outside permit icmp any any
access-group outside in interface outside

Also, keep an eye on the (ASDM) logs. That might tell you more of what is going on/wrong.

Author Comment

ID: 39645270
Author:  Partial progress!!!    I've incorporated your latest suggestions:
 - ip address outside ...
 - route outside ...
 - access-list ...
 - access-group ...
The pings I am trying are simply from computer A to computer B (see topology diagram at top).  I am not yet attempting anything in the outside WWW, nor am I attempting to use DNS URLs like www.cnn.com.  So here is what I'm trying:
   computer A> ping    [fails: time outs]
   computer B> ping  [SUCCESS!]
In other words, computer B behind the pix501 firewall can ping to the outside;  but pings from outside the firewall (from computer A) cannot reach computer B (inside the firewall).   The problem is probably either:
  a) my static route in the Linksys router is erroneous (see 2 posts above)
  b) my Pix501 configuration is stopping the incoming pings from crossing the firewall
LVL 35

Accepted Solution

Ernie Beek earned 2000 total points
ID: 39645337
I think that would be b), because that's what firewalls do :)

If you want to be able to get through the firewall to reach we'll need to do some additional configuring. Though you put the PIX there to block traffic to the, didn't you? Or just to control the traffic to the and allow only certain ports?

To be able to get to it, let's add the following (we'll need an extra 192.168.1.x address for that, I'll use here):

static (inside,outside) netmask

This creates a static NAT between those two IP addresses. Now you should be able to ping (which translates to So if you want to be able to reach the on any other port, add a rule to your outside access list.
For example RDP:
access-list outside permit tcp any host eq 3389

Now when you set up an RDP session to, you should end up on the

Author Closing Comment

ID: 39645558
Very patient and clear!

Author Comment

ID: 39645565
Ernie:  thanks for all the help.   I've got pings going both ways thru the firewall, and that is what I wanted to accomplish in the short term.

Computer B behind the firewall still cannot access web sites, but that is because I dont have DNS working.  Not sure how to do that ...  but if I cannot figure it out after some research, I'll make a new post on that topic.

PS: This firewall is not to block incoming traffic,  it is to support a (future) VPN from comptuer B to a remote site.

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes Administrators rights are not enough. These cases call for the SYSTEM account. The process in this article outlines the steps required to execute commands using the SYSTEM account.
An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question