
Inside to Outside on Pix 501


I have a pix 501 10 user. I can ping from the console to any public IP Address, but not from an inside address. I am including my config in hopes that someone can tell me what I am doing wrong for my inside to outside connectivity. TIA

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname BarberPix


fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521


mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0 0

route outside 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80


Patrick Iseli

You need to configure an access-list to allow the ICMP replies from the Internet. Note that ICMP is not a stateful protocol.

ICMP Traffic on PIX Firewall


The PIX and the traceroute Command

Handling ICMP Pings with the PIX Firewall

Access-list example for traceroute:


access-list 101 permit icmp any interface outside unreachable

access-list 101 permit icmp any interface outside time-exceeded

access-list 101 permit icmp any interface outside echo-reply



# Finally, activate the ACL on the interface:

access-group 101 in interface outside
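
The check described in the reply above, as an added example that is not part of the original thread or any Cisco tool: a short Python function that reads a PIX 6.x configuration and reports which ICMP reply types the ACL bound inbound on the outside interface does not admit. The function names, the partial keyword list and the two sample excerpts are constructed for illustration.

```python
# ICMP replies an inside host needs back for ping and traceroute
# (the three types permitted by the ACL in the reply above)
NEEDED = {"echo-reply", "unreachable", "time-exceeded"}
# Partial list of PIX ICMP type keywords, enough for this check (assumption)
ICMP_TYPES = NEEDED | {"echo", "source-quench", "redirect", "parameter-problem"}

def inbound_icmp_types(config, ifname="outside"):
    """ICMP types permitted by the ACL applied inbound on ifname.

    Returns an empty set if no access-group binds an ACL to the interface.
    "any" marks a permit with no type keyword. ACE ordering and deny lines
    are not modelled.
    """
    lines = [ln.split() for ln in config.splitlines() if ln.strip()]
    bound = None
    for tok in lines:
        # Expected form: access-group <acl> in interface <ifname>
        if (len(tok) == 5 and tok[0] == "access-group"
                and tok[2:4] == ["in", "interface"] and tok[4] == ifname):
            bound = tok[1]
    if bound is None:
        return set()
    types = set()
    for tok in lines:
        if tok[:4] == ["access-list", bound, "permit", "icmp"]:
            types.add(tok[-1] if tok[-1] in ICMP_TYPES else "any")
    return types

def missing_replies(config, ifname="outside"):
    """ICMP reply types still blocked inbound on ifname."""
    allowed = inbound_icmp_types(config, ifname)
    return set() if "any" in allowed else NEEDED - allowed

# Constructed excerpts: the asker's NAT/PAT lines, then the ACL from the reply
ASKER = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (outside) 1 interface
nat (inside) 1 0 0
"""
REPLY_ACL = """
access-list 101 permit icmp any interface outside unreachable
access-list 101 permit icmp any interface outside time-exceeded
access-list 101 permit icmp any interface outside echo-reply
access-group 101 in interface outside
"""

if __name__ == "__main__":
    print("before:", sorted(missing_replies(ASKER)))
    print("after: ", sorted(missing_replies(ASKER + REPLY_ACL)))
```

An ACL that is defined but never bound with `access-group` is reported the same way as no ACL at all, which is the state the original configuration was in.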



Thanks that did the trick along with dns entries, I am good to go.


Do you have a dns server configured on the machines? I notice there isn't one in the config.

