Cisco PIX 501 - adding static group

Posted on 2004-04-27
Medium Priority
Last Modified: 2013-11-16
Hi all,

I am fairly new to Cisco PIX and purchased one for home just so I could learn.

Because the PIX is running as a PAT device, where the external IP is dynamic I am having difficulty enabling inbound access easily.

For example, if I want to open my internal webserver to the outside, I have successfully achieved this with the following commands.

static (inside,outside) tcp interface www www netmask 0 0

access-list inbound permit tcp any interface outside eq www

However I want to create a new rule for bittorrent (I know I know)

I created an object group (see below)

object-group service bittorrent tcp-udp
port-object range 6881 6999

But when I try adding this
static (inside,outside) tcp interface bittorrent bittorrent netmask 0 0

It does not recognise the bittorrent group.

Help me, I have IOS 6.3(3)


Question by:chinster

Expert Comment

by:Tim Holman
ID: 10929584
You can't use object-group names in static NAT rules.
However, you can use ACLs instead, so:

access-list bittorrent permit tcp any interface eq range 6881-6999
static (inside,outside) tcp interface netmask 0 0 access-list bittorent

..not sure the syntax is right as I don't have a PIX to play with, but you get the gist ??  ;)


Author Comment

ID: 10930012
access-list bittorrent permit tcp any interface outside eq range 6881-6999

gives me:

ERROR: invalid port range
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]

Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}

Am I being thick?

Expert Comment

by:Tim Holman
ID: 10932436
I've looked up the correct syntax... sorry for the confusion !

access-list bittorrent permit tcp any interface outside range 6881 6999


Author Comment

ID: 10933591
Sorry dude, almost there!

access-list bittorrent permit tcp any interface outside range 6881 6999

worked, however when adding the second command

static (inside,outside) tcp interface netmask 0 0 access-list bittorent

I get

invalid global port
Usage:  [no] static [(real_ifc, mapped_ifc)]
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]

Accepted Solution

td_miles earned 252 total points
ID: 10934161
What you're wanting to do won't work. As you can see from the syntax, if you use a TCP static, you HAVE to specify the global_port (i.e. the port on the outside interface). The access-list option is used for what is known as "policy NAT", where you can use an ACL to specify the local_ip/local_port as a source/destination pair rather than just the single ip/port.

Rather than try to explain it all myself, have a look at the command reference:

static access-list (Policy NAT)
When you use an access list with the static command, then you enable policy NAT.

Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses (or ports) in an access list. Regular NAT uses source addresses/ports only, whereas policy NAT uses both source and destination addresses/ports.

With policy NAT, you can create multiple static statements that identify the same local address as long as the source/port and destination/port combination is unique for each statement. You can then match different global addresses to each source/port and destination/port pair.

While static PAT already allowed you to identify the local and global ports, policy NAT enhances this feature (as well as static NAT) by allowing you to identify the destination address for the local traffic.

Policy NAT Examples
The following example shows a Policy NAT configuration. In this example, traffic destined for the from host is translated as, and traffic destined for the from host is translated as

access-list network-1 permit ip host
access-list network-2 permit ip host
static (inside,outside) access-list network-1
static (inside,outside) access-list network-2


The only solution to your problem is to specify a LOT of singular port translations, or to do a one-to-one static NAT to a single internal IP address. I'm not sure that you can do a one-to-one NAT using the outside interface as the real IP, which doesn't leave you with too many options.

Sorry to be the bearer of bad news (just don't shoot the messenger !).

Expert Comment

ID: 10934442
It sounds like what you need is this
static (inside,outside) tcp interface netmask 0 0
static (inside,outside) udp interface netmask 0 0
access-list inbound permit tcp any interface outside range 6881 6999
access-list inbound permit udp any interface outside range 6881 6999
access-list inbound permit tcp any interface outside eq www
access-group inbound in interface outside

This will allow all tcp and udp traffic to go via ports 6881-6999 and port 80.
You can do this via an object-group but it's kind of overkill.
Good Luck

Expert Comment

ID: 10934455
oops just noticed you are running 6.3.3.....
6.3.3 has a static bug and a reboot is a work around...
also remember to do a
write mem
before you reboot or all will be lost...
Good Luck

Assisted Solution

lrmoore earned 248 total points
ID: 10935244
If all tcp and udp are both static'd from interface to inside host, that will hose up all other connections, no?

Unless you can get another public IP and do a 1-1 static nat, you may have no choice except to use 100+ static lines:
static (inside,outside) tcp interface 6881 6881 netmask
static (inside,outside) tcp interface 6882 6882 netmask
static (inside,outside) tcp interface 6883 6883 netmask
static (inside,outside) tcp interface 6884 6884 netmask
static (inside,outside) tcp interface 6885 6885 netmask

Expert Comment

ID: 10935301
If you do decide to go the route of doing that, here is a tip that I use when I'm doing something like this.

Create a spreadsheet (eg. Excel) and create the columns like this:

column 1, row 1 = "static (inside,outside) tcp interface "
column 2, row 1 = "6881"
column 3, row 1 = " "
column 4, row 1 = "6881"
column 5, row 1 = " netmask"

So that if you read across the first row, you have a single full ACL line spread out through the columns.

Next, you setup an incrementing sequence in the two columns that your port number is in (columns 2 & 4 in my example above) and make them increment up to the desired number. This is easy to do in Excel and the OpenOffice spreadsheet program simply by dragging the lower right hand corner of the cell downwards and it increments it as you go. Copy the other three columns downwards as you go.

Once you have it as you want it, export it as a "space delimited" file, which you can then import into your PIX config. Don't worry about any excess spaces, the PIX simply ignores them as whitespace.
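The spreadsheet trick above generates one static PAT line per port. The same thing can be scripted; this is an added example, not part of the thread, and it assumes an inside host of 192.168.1.10, an inbound ACL named "inbound" (as in the question's www rule), and covers both tcp and udp since the asker's object-group was tcp-udp.

```python
# Generate the per-port PIX 6.3 static PAT lines described in the thread:
# one "static" per port, because a tcp/udp static cannot take a port range
# or an object-group. Replaces the spreadsheet approach.
# Assumptions (not from the thread): inside host 192.168.1.10, ACL "inbound".

INSIDE_HOST = "192.168.1.10"   # constructed placeholder for the real server


def static_lines(inside_host, first_port, last_port, protocols=("tcp", "udp")):
    """Return one 'static' line per protocol per port in the closed range."""
    if not (1 <= first_port <= last_port <= 65535):
        raise ValueError("port range must satisfy 1 <= first <= last <= 65535")
    lines = []
    for proto in protocols:
        for port in range(first_port, last_port + 1):
            # Map outside interface:port to inside_host:port (same port number).
            lines.append(
                f"static (inside,outside) {proto} interface {port} "
                f"{inside_host} {port} netmask 255.255.255.255"
            )
    return lines


def acl_lines(acl_name, first_port, last_port, protocols=("tcp", "udp")):
    """Return the inbound ACL entries: one 'range' entry per protocol."""
    return [
        f"access-list {acl_name} permit {proto} any interface outside "
        f"range {first_port} {last_port}"
        for proto in protocols
    ]


def build_config(inside_host, first_port, last_port, acl_name="inbound"):
    """Full snippet: statics, ACL entries, then the access-group binding."""
    return (
        static_lines(inside_host, first_port, last_port)
        + acl_lines(acl_name, first_port, last_port)
        + [f"access-group {acl_name} in interface outside"]
    )


if __name__ == "__main__":
    # Paste the output into the PIX config, then 'write mem' (and, per the
    # thread, reboot on 6.3(3) to work around its static bug).
    print("\n".join(build_config(INSIDE_HOST, 6881, 6999)))
```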

Author Comment

ID: 10936759
Well I guess then the only answer is to add a static for each port, I was worried that was the answer!

Do any of you guys know whether this would slow the pix down having this many rules?

Again thanks for all your help!

Expert Comment

ID: 10938895
ooppps you are right.....
I missed that it looks like he is going to two different servers on the inside with a single IP ADDRESS
That can't be done....
WRITE the 100+ statics is the only way....
My comments will only work if all traffic is going to the same server....

Expert Comment

ID: 10938905
he does still need to do a reboot after all static changes.....
Good Luck...

Expert Comment

ID: 16027572
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: td_miles & lrmoore

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
