Core issue
This issue occurs because a default route does not exist on the Cisco Secure PIX Firewall, or because Network Address Translation (NAT) or Port Address Translation (PAT) is not configured.
Resolution
In order to resolve this issue, complete these steps:
- Make sure the PIX has the route outside 0.0.0.0 0.0.0.0 command configured in order to direct all unknown traffic to the directly connected Ethernet port of the outside router.
- Verify that the default gateway of the client is set to the inside interface of the PIX.
- For pings to work, verify that an access-list statement applied to the outside interface permits Internet Control Message Protocol (ICMP) echo-replies back in through the PIX.
- Verify that the PIX configuration has a translation, either a nat and a related global statement or a static statement, for the inside host. In order to check the translation, issue the show xlate command.
For example, in order to translate the 10.1.1.0/24 network on the inside interface, enter these commands:
hostname(config)#nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)#global (outside) 1 209.165.201.1-209.165.201.30
In order to identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter these commands:
hostname(config)#nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)#global (outside) 1 209.165.201.5
hostname(config)#global (outside) 1 209.165.201.10-209.165.201.20
Refer to the Cisco Secure PIX Firewall Command References of the appropriate software version for more information about these PIX commands.
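The configuration-side checks from the steps above can be run offline against a saved copy of the PIX configuration. The script below is an added example, not Cisco code: the function name audit_pix_config, the ACL number 101 and the sample configuration are assumptions constructed for illustration, and the client default gateway (the second step) cannot be checked from the firewall configuration.

```python
import re

# Constructed sample: the NAT/PAT example above plus an ICMP ACL; default route omitted.
SAMPLE_CONFIG = """\
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.5
global (outside) 1 209.165.201.10-209.165.201.20
access-list 101 permit icmp any any echo-reply
access-group 101 in interface outside
"""

def audit_pix_config(config):
    """Return findings for the checks that can be made from the configuration text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    def ids(pattern):
        # Collect the first capture group from every line that matches.
        return {m.group(1) for ln in lines if (m := re.match(pattern, ln))}

    # Default route pointing at a next hop on the outside interface.
    if not ids(r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)"):
        findings.append("no default route on outside")

    # The ACL bound inbound on the outside interface must permit ICMP echo-reply.
    bound = ids(r"access-group (\S+) in interface outside$")
    permits = ids(r"access-list (\S+) (?:extended )?permit icmp .*\becho-reply\b")
    if not bound & permits:
        findings.append("no echo-reply permit applied to outside")

    # Each nat ID needs a global with the same ID; nat 0 (no translation) needs none.
    all_nat = ids(r"nat \(inside\) (\d+) ")
    global_ids = ids(r"global \(outside\) (\d+) ")
    has_static = bool(ids(r"(static) \(inside,outside\) "))
    if not all_nat and not has_static:
        findings.append("no nat/global or static translation for inside hosts")
    for nat_id in sorted(all_nat - {"0"} - global_ids):
        findings.append(f"nat id {nat_id} has no matching global")
    return findings

if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```

A clean result only shows that the statements exist in the configuration; show xlate on the PIX still confirms that translations are actually being built.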