Cisco PIX 501 - adding static group

Posted on 2004-04-27
Last Modified: 2013-11-16
Hi all,

I am fairly new to Cisco PIX and purchased one for home just so I could learn.

Because the PIX is running as a PAT device, where the external IP is dynamic I am having difficulty enabling inbound access easily.

For example, if I want to open my internal webserver to the outside, I have successfully achieved this with the following commands.

static (inside,outside) tcp interface www www netmask 0 0

access-list inbound permit tcp any interface outside eq www

However I want to create a new rule for bittorrent (I know I know)

I created an object group (see below)

object-group service bittorrent tcp-udp
port-object range 6881 6999

But when I try adding this
static (inside,outside) tcp interface bittorrent bittorrent netmask 0 0

It does not recognise the bittorrent group.

Help me, I have IOS 6.3(3)


Question by:chinster
LVL 23

Expert Comment

by:Tim Holman
ID: 10929584
You can't use object-group names in static NAT rules.
However, you can use ACLs instead, so:

access-list bittorrent permit tcp any interface eq range 6881-6999
static (inside,outside) tcp interface netmask 0 0 access-list bittorent

..not sure the syntax is right as I don't have a PIX to play with, but you get the gist ??  ;)


Author Comment

ID: 10930012
access-list bittorrent permit tcp any interface outside eq range 6881-6999

gives me:

ERROR: invalid port range
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}

Am I being thick?
LVL 23

Expert Comment

by:Tim Holman
ID: 10932436
I've looked up the correct syntax... sorry for the confusion !

access-list bittorrent permit tcp any interface outside range 6881 6999

Author Comment

ID: 10933591
Sorry dude, almost there!

access-list bittorrent permit tcp any interface outside range 6881 6999

worked, however when adding the second command

static (inside,outside) tcp interface netmask 0 0 access-list bittorent

I get

invalid global port
Usage:  [no] static [(real_ifc, mapped_ifc)]
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
LVL 13

Accepted Solution

td_miles earned 63 total points
ID: 10934161
What you're wanting to do won't work. As you can see from the syntax, if you use a TCP static, you HAVE to specify the global_port (i.e. the port on the outside interface). The access-list option is used for what is known as "policy NAT", where you can use an ACL to specify the local_ip/local_port as a source/destination pair rather than just the single ip/port.

Rather than try to explain it all myself, have a look at the command reference:

static access-list (Policy NAT)
When you use an access list with the static command, then you enable policy NAT.

Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses (or ports) in an access list. Regular NAT uses source addresses/ports only, whereas policy NAT uses both source and destination addresses/ports.

With policy NAT, you can create multiple static statements that identify the same local address as long as the source/port and destination/port combination is unique for each statement. You can then match different global addresses to each source/port and destination/port pair.

While static PAT already allowed you to identify the local and global ports, policy NAT enhances this feature (as well as static NAT) by allowing you to identify the destination address for the local traffic.

Policy NAT Examples
The following example shows a Policy NAT configuration. In this example, traffic destined for the from host is translated as, and traffic destined for the from host is translated as

access-list network-1 permit ip host
access-list network-2 permit ip host
static (inside,outside) access-list network-1
static (inside,outside) access-list network-2


The only solution to your problem is to specify a LOT of singular port translations, or to do a one-to-one static NAT to a single internal IP address. I'm not sure that you can do a one-to-one NAT using the outside interface as the real IP, which doesn't leave you with too many options.

Sorry to be the bearer of bad news (just don't shoot the messenger !).

Expert Comment

ID: 10934442
It sounds like what you need is this
static (inside,outside) tcp interface netmask 0 0
static (inside,outside) udp interface netmask 0 0
access-list inbound permit tcp any interface outside range 6881 6999
access-list inbound permit udp any interface outside range 6881 6999
access-list inbound permit tcp any interface outside eq www
access-group inbound in interface outside

This will allow all tcp and udp traffic to go to via ports 6881-6999 and port 80
You can do this via an object-group but it's kind of overkill
Good Luck

Expert Comment

ID: 10934455
oops just noticed you are running 6.3.3.....
6.3.3 has a static bug and a reboot is a work around...
also remember to do a
write mem
before you reboot or all will be lost...
Good Luck
LVL 79

Assisted Solution

lrmoore earned 62 total points
ID: 10935244
If all tcp and udp are both static'd from interface to inside host, that will hose up all other connections, no?

Unless you can get another public IP and do a 1-1 static nat, you may have no choice except to use 100+ static lines:
static (inside,outside) tcp interface 6881 6881 netmask
static (inside,outside) tcp interface 6882 6882 netmask
static (inside,outside) tcp interface 6883 6883 netmask
static (inside,outside) tcp interface 6884 6884 netmask
static (inside,outside) tcp interface 6885 6885 netmask
LVL 13

Expert Comment

ID: 10935301
If you do decide to go the route of doing that, here is a tip that I use when I'm doing something like this.

Create a spreadsheet (eg. Excel) and create the columns like this:

column 1, row 1 = "static (inside,outside) tcp interface "
column 2, row 1 = "6881"
column 3, row 1 = " "
column 4, row 1 = "6881"
column 5, row 1 = " netmask"

So that if you read across the first row, you have a single full ACL line spread out through the columns.

Next, you setup an incrementing sequence in the two columns that your port number is in (columns 2 & 4 in my example above) and make them increment up to the desired number. This is easy to do in Excel and the OpenOffice spreadsheet program simply by dragging the lower right hand corner of the cell downwards and it increments it as you go. Copy the other three columns downwards as you go.

Once you have it as you want it, export it as a "space delimited" file, which you can then import into your PIX config. Don't worry about any excess spaces, the PIX simply ignores them as whitespace.
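The spreadsheet trick above, and lrmoore's list of 100+ static lines before it, both come down to emitting one static PAT line per protocol and port. As an added example that is not part of this thread or of any Cisco tool, the following Python script generates that fragment offline, together with the inbound access-list and access-group entries used earlier in the thread. The inside host address 192.168.1.10, the ACL name inbound and the `netmask 255.255.255.255 0 0` tail (netmask followed by the max-connections and embryonic-limit values) are assumptions for illustration; substitute your own server address before pasting.

```python
"""Generate per-port static PAT entries for a PIX 6.x firewall.

Added example, not code from the thread: replaces the spreadsheet trick with
a script. Each emitted line follows the PIX 6.3 static PAT form
    static (inside,outside) {tcp|udp} interface <global_port> <inside_ip> <local_port> netmask 255.255.255.255 0 0
"""

from typing import Iterable, List

# Constructed placeholder for the inside host; substitute the real server address.
INSIDE_HOST = "192.168.1.10"
# Name of the inbound ACL, as used earlier in the thread.
ACL_NAME = "inbound"


def validate_range(first_port: int, last_port: int) -> None:
    """Reject ranges the PIX would also reject (ports are 1-65535, first <= last)."""
    if not (1 <= first_port <= last_port <= 65535):
        raise ValueError(f"bad port range {first_port}-{last_port}")


def static_lines(first_port: int, last_port: int,
                 inside_host: str = INSIDE_HOST,
                 protocols: Iterable[str] = ("tcp", "udp")) -> List[str]:
    """One static PAT line per protocol and port, mapping the outside interface
    port to the same port on the inside host. Only the listed ports are bound,
    so the interface's dynamic PAT for everything else is unaffected."""
    validate_range(first_port, last_port)
    lines: List[str] = []
    for proto in protocols:
        for port in range(first_port, last_port + 1):
            lines.append(
                f"static (inside,outside) {proto} interface {port} "
                f"{inside_host} {port} netmask 255.255.255.255 0 0"
            )
    return lines


def acl_lines(first_port: int, last_port: int,
              acl_name: str = ACL_NAME,
              protocols: Iterable[str] = ("tcp", "udp")) -> List[str]:
    """A single range entry per protocol. The statics alone do not permit
    traffic; the inbound ACL must still allow it."""
    validate_range(first_port, last_port)
    return [
        f"access-list {acl_name} permit {proto} any interface outside "
        f"range {first_port} {last_port}"
        for proto in protocols
    ]


def build_config(first_port: int, last_port: int,
                 inside_host: str = INSIDE_HOST,
                 acl_name: str = ACL_NAME) -> List[str]:
    """Full paste-ready fragment: statics, ACL entries, and the access-group binding."""
    return (
        static_lines(first_port, last_port, inside_host)
        + acl_lines(first_port, last_port, acl_name)
        + [f"access-group {acl_name} in interface outside"]
    )


if __name__ == "__main__":
    # Default range is the one from the thread: 6881-6999 for both TCP and UDP.
    print("\n".join(build_config(6881, 6999)))
```

Run it with `python3 gen_statics.py > statics.txt` (file name is arbitrary) and paste the output into configuration mode, then `write mem`; on 6.3(3) the thread's later comments say a reboot is also needed for the statics to take effect. For the 6881-6999 range this produces 238 static lines plus three ACL/access-group lines. Every static line is an inbound exposure of the inside host, so keep the ACL entries limited to exactly that port range rather than widening them for convenience.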

Author Comment

ID: 10936759
Well I guess then the only answer is to add a static for each port, I was worried that was the answer!

Do any of you guys know whether this would slow the pix down having this many rules?

Again thanks for all your help!

Expert Comment

ID: 10938895
ooppps you are right.....
I missed it; looks like he is going to two different servers on the inside with a single IP ADDRESS
That can't be done....
WRITE the 100+ statics is the only way....
My comments will only work if all traffic is going to the same server....

Expert Comment

ID: 10938905
he does still need to do a reboot after all static changes.....
Good Luck...
LVL 19

Expert Comment

ID: 16027572
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: td_miles & lrmoore

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
