Re: Cisco PIX-501 questions

From: BlankReg (
Date: 05/09/04

Date: Sun, 9 May 2004 11:23:37 +0100

IS it possible that your Internet router is also translating the 'real'
addresses to the ones configured on the PIX ? A fairly unnecessary step, but
not that unusual.


"Mike Ruskai" <> wrote in message
> On Thu, 06 May 2004 11:30:32 -0400, Michael Sherman wrote:
> >On Thu, 06 May 2004 09:34:54 GMT, "Mike Ruskai"
> ><> wrote:
> >
> >>One of these was installed as a firewall for a web server, and it's
fallen on
> >>me to administer it now.
> >>
> >>I've downloaded the command reference, but there's nearly nothing
> >>about how this thing works. Right now there are two questions I'd most
> >>answered, which may go a ways towards answering others that come up in
> >>future.
> >>
> >>1) The external address is configured as xx.xx.98.250 with a netmask of
> >> The actual IP addresses we have are from xx.xx.110.98
> >>xx.xx.110.105 (maybe more). How exactly is this actually working with
> >>address configuration?
> >
> >Are the xx.xx.110.98-110.105 internal? or is that your public range?
> >In which case the ext ip will need to change. "ip address outside
> >xx.xx.xx.xx
> Those are the public IPs. The funny thing is, it's working. Traffic to
> those IPs ends up at the firewall. Perhaps it's something to do with the
> VLAN setup at the hosting company.
> >>3) How do I delete a single access-list line? I did "no access-list
> >>outside_acces_in" to get rid of multiple lines that were made with a
> >>(via command recall, of course - didn't make the same typo multiple
> >>But if I try "no access-list outside_access_in line 5" (which does
> >>according to "show access-list"), I get a summary of options for the
> >>access-list command. My syntax is completely correct according to the
> >>command reference. So what is it that I'm missing?
> >
> >the "line" is only in pix version 6.3.3 i think? verifiy which
> >version of the software you are running with a "show ver". I would
> >flash it to 6.3.3 if it is not running that, as it has a lot of extras
> >and fixes.
> Show version reports 6.3(3), which I assume is 6.3.3 in normal version
> syntax.
> >to remove the access-list you would pretty much complete the
> >access-list command shown with a no in front of it. omit the line ""
> >from it when removing if it shows that.
> >ex. access-list outside_access_in permit ip any any
> >
> >to remove it would be "no access-list outside_access_in permit ip any
> >any
> >
> >hope this helps.
> I actually thought of that after posting, and it does work to remove the
> unwanted lines.
> --
> - Mike
> Remove '' and reverse to send e-mail.

Relevant Pages

  • PIX 501 - reaching xlate limit?
    ... Very new to the PIX so please bear with me if I'm not quite up on the ... Basically we have a bunch of public IPs and a PIX501 in the following ... DMZ Machine 1 ... however when I do a "show Xlate" I get a gradually higher number ...
  • PIX - help with initial rules/terminology
    ... ISA External NIC (Primary Public IP + several additional public IPs) ... Soon to be PIX ... IP of the ISA and the two DMZ machines out on protocols X, Y and Z, and to ...
  • Mapping IP address
    ... access-list outside-to-Inside permit tcp host 69.y.y.y host 64.x.x.x eq www ... I am running out of public IPs and I guess I have to use the PIX ... Outside IP and forward the port to internal machine, but not sure how to do ...
  • Re: resource access behind PIX
    ... PIX ALCs to web servers on the same private range by accessing the public IPs on ... if you want an inside packet to access an inside ...