PIX 515E ouside access to internal servers

Hello All;

I was wondering if I could ask for some assistance. I am very new to configuring PIX devices, and I am currently having a problem allowing external users to access some of our servers.

I am trying to allow http, smtp, pop3, and RDP (port 3389) traffic through to our web, mail and terminal servers. I think I have the right commands, but it doesn't seem to be working.

Here is a copy of my current config:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxxx encrypted
passwd xxxxxxx encrypted
hostname ymcapix

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

access-list 101 permit tcp any host eq smtp
access-list 101 permit tcp any host eq pop3
access-list 101 permit tcp any host eq www
access-list 101 permit tcp any host eq 3389
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside
ip address inside
ip address intf2 x.0.0.1
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
access-group 101 in interface outside
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80


Feel free to critique at will. I haven't ever configured one of these devices, so I probably made numerous mistakes. Any advice/help is greatly appreciated.

Thank you all.

Cisco Employee

Actually for a first time you did pretty good. Can't see anything obviously wrong with what you've done. The best way to see what's going on with problems connecting thru a PIX is to turn on syslogging; the PIX will generally tell you exactly what the problem is. Do:

logging on
logging buffer debug
sho log

This will give you a good indication of what's happening. Most syslog messages are pretty self-explanatory, but here's the full list of them for your reference:

Of course if you're not sure what's happening post the syslog output and we'll help interpret. If you don't see any syslog messages then there's a chance your ISP isn't routing the .3-.5 IP addresses through to you, or hasn't activated them, or is filtering low port connections to them, I've seen that numerous times.


I have a question on this post, can anyone describe what filtering low port connections is?

I have not heard of that before.


is your ISP's DNS resolving those names to IP appropriately? does your inside traffic successfully get out to the Internet (is nat working right (request and return traffic))?

if your servers are using private inside addressing, you should try redirecting the ports

static (inside, outside) tcp X.X.X.4 80 [yourInsideWWWaddy] 80 netmask 0 0
static (inside, outside) tcp X.X.X.3 25 [yourInsideSMTPaddy] 25 netmask 0 0
static (inside, outside) tcp X.X.X.3 110 [yourInsidePOP3addy] 110 netmask 0 0
static (inside, outside) tcp X.X.X.5 3389 [yourInsideTSsrvaddy] 3389 netmask 0 0

this tells the firewall, "any traffic that hits these IPs on ports 80, 25, 110, or 3389 - translate the public IPs to the appropriate inside configured servers".

your acl 101 takes care of allowing the traffic in from the Internet.

for security reasons, you should not allow SMTP or POP3 because you can:

SMTP - sniff traffic and read people's email (it's a clear text protocol)

POP3 - it is very easy to sniff passwds as people check their email and then spoof email once the passwd is gained.

I would really use a VPN for terminal services traffic (to stay away from the possibility of brute force attacks and the trust relationships that can be exploited if one is successful)

also for reference:

Good Luck

Don Garnett

Network Support Specialist


Thank you for helping me out. I got the pix working.

clear xlate and clear arp do wonders. Thanks again.


The reason clear arp helped may be because you have overlapping translations:

You have assigned a pool for outgoing traffic:

global (outside) 1 netmask

And you also have addresses from this pool assigned to servers:

static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0

To prevent problems in the future I think you had better change the global line to:

global (outside) 1 interface
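As an added example (not part of the thread, and not Cisco's code), here is a small Python check that applies the overlap test from this reply to a PIX 6.x config: it reads the global pool and the outside address of each static (including the tcp port-redirect form from the earlier reply), reports any address that is in both, and also lists the access-list entries that expose the cleartext SMTP/POP3 services that reply warns about. The 203.0.113.x and 192.0.2.x addresses are constructed placeholders, since the original post's addresses were stripped.

```python
import ipaddress
import re

# Constructed sample of the relevant config lines from this thread; the public
# addresses (203.0.113.x) and inside servers (192.0.2.x) are placeholders.
SAMPLE_CONFIG = """\
global (outside) 1 203.0.113.3-203.0.113.5 netmask 255.255.255.248
nat (inside) 1 0 0
static (inside,outside) 203.0.113.3 192.0.2.10 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.4 80 192.0.2.11 80 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.6 192.0.2.12 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 203.0.113.3 eq smtp
access-list 101 permit tcp any host 203.0.113.3 eq pop3
access-list 101 permit tcp any host 203.0.113.4 eq www
access-list 101 permit tcp any host 203.0.113.6 eq 3389
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?")
STATIC_RE = re.compile(r"^static \((\S+),\s*(\S+)\) (?:(tcp|udp) )?(\d+\.\d+\.\d+\.\d+)")
ACL_RE = re.compile(r"^access-list \S+ permit tcp any host (\S+) eq (\S+)")
CLEARTEXT = {"smtp", "25", "pop3", "110"}  # services the reply calls out as clear text


def global_pool(line):
    """Addresses a 'global' line hands out; empty for 'interface' (PAT, no pool)."""
    m = GLOBAL_RE.match(line)
    if not m or m.group(3) == "interface":
        return set()
    spec = m.group(3)
    if "-" in spec:  # a.b.c.d-a.b.c.e range, as in the original post's pool
        lo, hi = (ipaddress.IPv4Address(x) for x in spec.split("-"))
        return {ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)}
    return {ipaddress.IPv4Address(spec)}


def find_overlaps(config_text):
    """Outside addresses used by a static that also sit in a global pool."""
    pool, statics = set(), []
    for line in config_text.splitlines():
        pool |= global_pool(line)
        m = STATIC_RE.match(line)
        if m:
            statics.append(ipaddress.IPv4Address(m.group(4)))
    return sorted({str(a) for a in statics if a in pool})


def cleartext_exposures(config_text):
    """(host, service) pairs the outside ACL opens for clear-text mail protocols."""
    hits = [ACL_RE.match(l) for l in config_text.splitlines()]
    return [(m.group(1), m.group(2)) for m in hits if m and m.group(2) in CLEARTEXT]
```

Changing the global line to `global (outside) 1 interface`, as this reply suggests, makes the overlap list empty.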
