Showing results for 
Search instead for 
Did you mean: 


Urgent! Natting Issue on Pix 501


I'm having an issue on my Pix 501- ver. 6.3(5) firewall when host accessing any website, no website is opening and when i issue command sh xlate so don't see anything and i think i must enable natting on this firewall as same as on ASA nat-control but i don't know what is the cause and why the traffic is not goes?

Kindly see below all details and give me any solution to pass inside traffic to outside.

PIX501(config)# sh run

: Saved


PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX501

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


access-list outbound permit tcp any eq www

pager lines 24

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1

nat (inside) 1 0 0

access-group outbound in interface inside

conduit permit icmp any any

route outside 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

username saeed password xAmbVBkAB7NsAEuT encrypted privilege 15

terminal width 80


: end

PIX501(config)# sh nat

nat (inside) 1 0 0

PIX501(config)# sh global

global (outside) 1

PIX501(config)# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

            alert-interval 300

access-list outbound; 1 elements

access-list outbound line 1 permit tcp any eq www (hitcnt=0)

PIX501(config)# sh xlate

0 in use, 0 most used

Jennifer Halim
Cisco Employee

If there is no hitcount, that means that the traffic is not even hitting the PIX firewall.

Check the host to ensure that the default gateway is correct, ip address and subnet mask is correctly configured. Also, does it have any DNS setting configured?

If you are using external DNS server, then you might want to allow DNS traffic through the PIX firewall as well.

Try to see if you can browse the internet by ip address instead of name to see where the problem is.

On client here is the settings.




DNS: No dns but i applied but still not working.

I dont have any such DNS, can i put the ISP dns?

This host can ping inside interface but unable to pass traffic from inside to outside.



I just enter ISP dns on the client side but still same issue.

Onething more see here.

PIX501(config)# ping response received -- 0ms response received -- 0ms response received -- 0ms

PIX501(config)# ping NO response received -- 1000ms NO response received -- 1000ms NO response received -- 1000ms

Of course you would need to DNS, and you can't use because PIX does not act as a DNS server.

Please configre the ISP DNS server.

Just take the access-group off for now while you are still testing:

no access-group outbound in interface inside

And also, you won't be able to ping as it's a virtual IP.

Test to see if you can ping from the host, if you can, that means you have connectivity through the PIX.

Well, when putting the DNS and disabling the

no access-group outbound in interface inside

Then working fine and when again enabling above command then not working so please help me what should i do to apply the access-list. is there any issue with the access-list?

Onething more can i put my local dns server so is it work?

Onething more why Tab button is not working - i mean completing the command.

You would have to configure access-list to allow DNS traffic.

Please add the following for DNS:

access-list outbound permit udp any eq 53

For any of the traffic that you would like to allow outbound, once you configure the access-group, you would need to explicitly configure each traffic to go outbound.