Cisco PIX 501 - adding static group

Posted on 2004-04-27
Last Modified: 2013-11-16
Hi all,

I am fairly new to Cisco PIX and purchased one for home just so I could learn.

Because the PIX is running as a PAT device, where the external IP is dynamic I am having difficulty enabling inbound access easily.

For example if I want to open my internal webserver to the out side I have successfully achieved this with the folling commands.

static (inside,outside) tcp interface www www netmask 0 0

access-list inbound permit tcp any interface outside eq www

However I want to create a new rule for bittorrent (I know I know)

I created an object group (see below)

object-group service bittorrent tcp-udp
port-object range 6881 6999

But when I try adding this
static (inside,outside) tcp interface bittorrent bittorrent netmask 0 0

It does not recognise the bittorrent group.

Help me, I have IOS 6.3(3)


Question by:chinster
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +3
LVL 23

Expert Comment

by:Tim Holman
ID: 10929584
You can't use object-group names in static NAT rules.
However, you can use ACLs instead, so:

access-list bittorrent permit tcp any interface eq range 6881-6999
static (inside,outside) tcp interface netmask 0 0 access-list bittorent

..not sure the syntax is right as don't have a PIX to play with, but you get the jist ??  ;)


Author Comment

ID: 10930012
access-list bittorrent permit tcp any interface outside eq range 6881-6999

gives me:

ERROR: invalid port range
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]

Am I being thick?
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
LVL 23

Expert Comment

by:Tim Holman
ID: 10932436
I've looked up the correct syntax... sorry for the confusion !

access-list bittorrent permit tcp any interface outside range 6881 6999
Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features


Author Comment

ID: 10933591
Sorry dude, almost there!

access-list bittorrent permit tcp any interface outside range 6881 6999

worked, however when adding the second command

static (inside,outside) tcp interface netmask 0 0 access-list bittorent

I get

invalid global port
Usage:  [no] static [(real_ifc, mapped_ifc)]
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
LVL 13

Accepted Solution

td_miles earned 63 total points
ID: 10934161
What you're wanting to do won't work. As you can see from the syntax, if you use a TCP static, you HAVE to specify the global_port (ie. the port on the outside interface). The access-list option is used for what is know as "policy NAT", where you can use an ACL to specify the local_ip/local_port as a source/destination pair rather than just the single ip/port.

rather than try to explain it all myself, have a look at the command reference:

static access-list (Policy NAT)
When you use an access list with the static command, then you enable policy NAT.

Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses (or ports) in an access list. Regular NAT uses source addresses/ports only, whereas policy NAT uses both source and destination addresses/ports.

With policy NAT, you can create multiple static statements that identify the same local address as long as the source/port and destination/port combination is unique for each statement. You can then match different global addresses to each source/port and destination/port pair.

While static PAT already allowed you to identify the local and global ports, policy NAT enhances this feature (as well as static NAT) by allowing you to identify the destination address for the local traffic.

Policy NAT Examples
The following example shows a Policy NAT configuration. In this example, traffic destined for the from host is translated as, and traffic destined for the from host is translated as

access-list network-1 permit ip host
access-list network-2 permit ip host
static (inside,outside) access-list network-1
static (inside,outside) access-list network-2


The only solution to your problem is to specify a LOT of singular port translations, or to do a one-to-one static NAT to a single internal IP address. I'm not sure that you can do a one-to-one NAT using the outside interface as the real IP, which doesn't leave you with too many options.

Sorry to be the bearer of bad news (just don't shoot the messenger !).

Expert Comment

ID: 10934442
It sounds like what you need is this
static (inside,outside) tcp interface netmask 0 0
static (inside,outside) udp interface netmask 0 0
access-list inbound permit tcp any interface outside range 6881 6999
access-list inbound permit udp any interface outside range 6881 6999
access-list inbound permit tcp any interface outside eq www
access-group inbound in interface outside

This will allow all tcp and udp traffic to go to via ports 6881-6999 and port 80
You can do this via an object-group buit it's kindof overkill
Good Luck

Expert Comment

ID: 10934455
oops just noticed you are running 6.3.3.....
6.3.3 has a static bug and a reboot is a work around...
also remember to do a
write mem
before you reboot or all will be lost...
Good Luck
LVL 79

Assisted Solution

lrmoore earned 62 total points
ID: 10935244
If all tcp and udp are both static'd from interface to inside host, that will hose up all other connections, no?

Unless you can get another public IP and do a 1-1 static nat, you may have no choice except to use 100+ static lines:
static (inside,outside) tcp interface 6881 6881 netmask
static (inside,outside) tcp interface 6882 6882 netmask
static (inside,outside) tcp interface 6883 6883 netmask
static (inside,outside) tcp interface 6884 6884 netmask
static (inside,outside) tcp interface 6885 6885 netmask
LVL 13

Expert Comment

ID: 10935301
If you do decide to go the route of doing that, here is a tip that I use when I'm doing something like this.

Create a spreadsheet (eg. Excel) and create the columns like this:

column 1, row 1 = "static (inside,outside) tcp interface "
column 2, row 1 = "6881"
column 3, row 1 = " "
column 4, row 1 = "6881"
column 5, row 1 = " netmask"

So that if you read across the first row, you have a single full ACL line spread out through the columns.

Next, you setup an incrementing sequence in the two columns that your port number is in (columns 2 & 4 in my example above) and make them increment up to the desired number. This is easy to do in Excel and the OpenOffice spreadsheet program simply by dragging the lower right hand corner of the cell downwards and it increments it as you go. Copy the other three columns downwards as you go.

Once you have it as you want it, export it as a "space delimited" file, which you can then import into your PIX config. Don't worry about any excess spaces, the PIX simply ignores them as whitespace.

Author Comment

ID: 10936759
Well I guess then the only answer is to add a static for each port, I was worried that was the answer!

Do any of you guys know whether this would slow the pix down having this many rules?

Again thanks for all your help!

Expert Comment

ID: 10938895
ooppps you are right.....
I missed looks like he is going to two different servers on the inside with a single IP ADDRESS
That can't be done....
WRITE the 100+ statics is the only way....
My comments will only work if all traffic is going to the same server....

Expert Comment

ID: 10938905
he does still need to do a reboot after all static changes.....
Good Luck...
LVL 19

Expert Comment

ID: 16027572
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: td_mile & lrmoore

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question