
Cisco PIX 501 - adding static group

Hi all,

I am fairly new to Cisco PIX and purchased one for home just so I could learn.

Because the PIX is running as a PAT device, where the external IP is dynamic I am having difficulty enabling inbound access easily.

For example, if I want to open my internal webserver to the outside, I have successfully achieved this with the following commands.

static (inside,outside) tcp interface www www netmask 0 0

access-list inbound permit tcp any interface outside eq www

However I want to create a new rule for bittorrent (I know I know)

I created an object group (see below)

object-group service bittorrent tcp-udp
port-object range 6881 6999

But when I try adding this
static (inside,outside) tcp interface bittorrent bittorrent netmask 0 0

It does not recognise the bittorrent group.

Help me, I have IOS 6.3(3)


2 Solutions
Tim Holman Commented:
You can't use object-group names in static NAT rules.
However, you can use ACLs instead, so:

access-list bittorrent permit tcp any interface eq range 6881-6999
static (inside,outside) tcp interface netmask 0 0 access-list bittorent

..not sure the syntax is right as I don't have a PIX to play with, but you get the gist ??  ;)

chinster (Author) Commented:
access-list bittorrent permit tcp any interface outside eq range 6881-6999

gives me:

ERROR: invalid port range
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]

Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}

Am I being thick?
Tim Holman Commented:
I've looked up the correct syntax... sorry for the confusion !

access-list bittorrent permit tcp any interface outside range 6881 6999
chinster (Author) Commented:
Sorry dude, almost there!

access-list bittorrent permit tcp any interface outside range 6881 6999

worked, however when adding the second command

static (inside,outside) tcp interface netmask 0 0 access-list bittorent

I get

invalid global port
Usage:  [no] static [(real_ifc, mapped_ifc)]
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
What you're wanting to do won't work. As you can see from the syntax, if you use a TCP static, you HAVE to specify the global_port (ie. the port on the outside interface). The access-list option is used for what is known as "policy NAT", where you can use an ACL to specify the local_ip/local_port as a source/destination pair rather than just the single ip/port.

Rather than try to explain it all myself, have a look at the command reference:

static access-list (Policy NAT)
When you use an access list with the static command, then you enable policy NAT.

Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses (or ports) in an access list. Regular NAT uses source addresses/ports only, whereas policy NAT uses both source and destination addresses/ports.

With policy NAT, you can create multiple static statements that identify the same local address as long as the source/port and destination/port combination is unique for each statement. You can then match different global addresses to each source/port and destination/port pair.

While static PAT already allowed you to identify the local and global ports, policy NAT enhances this feature (as well as static NAT) by allowing you to identify the destination address for the local traffic.

Policy NAT Examples
The following example shows a Policy NAT configuration. In this example, traffic destined for the from host is translated as, and traffic destined for the from host is translated as

access-list network-1 permit ip host
access-list network-2 permit ip host
static (inside,outside) access-list network-1
static (inside,outside) access-list network-2


The only solution to your problem is to specify a LOT of singular port translations, or to do a one-to-one static NAT to a single internal IP address. I'm not sure that you can do a one-to-one NAT using the outside interface as the real IP, which doesn't leave you with too many options.

Sorry to be the bearer of bad news (just don't shoot the messenger !).
It sounds like what you need is this
static (inside,outside) tcp interface netmask 0 0
static (inside,outside) udp interface netmask 0 0
access-list inbound permit tcp any interface outside range 6881 6999
access-list inbound permit udp any interface outside range 6881 6999
access-list inbound permit tcp any interface outside eq www
access-group inbound in interface outside

This will allow all tcp and udp traffic to go to via ports 6881-6999 and port 80
You can do this via an object-group but it's kind of overkill
Good Luck
oops just noticed you are running 6.3.3.....
6.3.3 has a static bug and a reboot is a work around...
also remember to do a
write mem
before you reboot or all will be lost...
Good Luck
If all tcp and udp are both static'd from interface to inside host, that will hose up all other connections, no?

Unless you can get another public IP and do a 1-1 static nat, you may have no choice except to use 100+ static lines:
static (inside,outside) tcp interface 6881 6881 netmask
static (inside,outside) tcp interface 6882 6882 netmask
static (inside,outside) tcp interface 6883 6883 netmask
static (inside,outside) tcp interface 6884 6884 netmask
static (inside,outside) tcp interface 6885 6885 netmask
If you do decide to go the route of doing that, here is a tip that I use when I'm doing something like this.

Create a spreadsheet (eg. Excel) and create the columns like this:

column 1, row 1 = "static (inside,outside) tcp interface "
column 2, row 1 = "6881"
column 3, row 1 = " "
column 4, row 1 = "6881"
column 5, row 1 = " netmask"

So that if you read across the first row, you have a single full ACL line spread out through the columns.

Next, you setup an incrementing sequence in the two columns that your port number is in (columns 2 & 4 in my example above) and make them increment up to the desired number. This is easy to do in Excel and the OpenOffice spreadsheet program simply by dragging the lower right hand corner of the cell downwards and it increments it as you go. Copy the other three columns downwards as you go.

Once you have it as you want it, export it as a "space delimited" file, which you can then import into your PIX config. Don't worry about any excess spaces, the PIX simply ignores them as whitespace.
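The spreadsheet trick above, and the "100+ static lines" advice before it, both come down to emitting one static PAT line per port plus the access-list entries that permit the range. The script below is an added example for this thread, not code from any participant or from Cisco: it generates those lines for a given inside host and port range so they can be pasted into the PIX config. The inside address 192.168.1.10, the ACL name "inbound", the interface names and the "netmask 255.255.255.255 0 0" suffix are assumptions (the statics quoted above are cut off after "netmask"), so check the suffix against the static usage text shown earlier in the thread before pasting.

```python
"""Generate per-port PIX 6.3-style static PAT lines for a port range.

Added example, not code from the thread or from Cisco. It replaces the
spreadsheet export: every port in the range gets its own 'static' line,
and the matching access-list entries permit only that range inbound.
"""

# Constructed sample values for the example; not taken from the page.
INSIDE_HOST = "192.168.1.10"
ACL_NAME = "inbound"
FIRST_PORT = 6881
LAST_PORT = 6999

# Assumed host-translation suffix; the page's own lines stop at 'netmask'.
STATIC_SUFFIX = "netmask 255.255.255.255 0 0"


def static_pat_lines(inside_host, first_port, last_port,
                     protocols=("tcp", "udp"),
                     real_ifc="inside", mapped_ifc="outside"):
    """Return one 'static' line per protocol and port, mapping the mapped
    interface address port N to inside_host port N (same port both sides)."""
    if not (1 <= first_port <= last_port <= 65535):
        raise ValueError("port range must satisfy 1 <= first <= last <= 65535")
    lines = []
    for proto in protocols:
        for port in range(first_port, last_port + 1):
            lines.append(
                f"static ({real_ifc},{mapped_ifc}) {proto} interface {port} "
                f"{inside_host} {port} {STATIC_SUFFIX}"
            )
    return lines


def inbound_acl_lines(acl_name, first_port, last_port,
                      protocols=("tcp", "udp"), mapped_ifc="outside"):
    """Return the access-list entries that permit the port range to the
    mapped interface address, one per protocol, using the 'range' operator
    exactly as in the working line quoted in the thread."""
    return [
        f"access-list {acl_name} permit {proto} any interface {mapped_ifc} "
        f"range {first_port} {last_port}"
        for proto in protocols
    ]


def build_config(inside_host, first_port, last_port, acl_name,
                 mapped_ifc="outside"):
    """Assemble the statics, the ACL entries and the access-group binding
    in the order they would be pasted into the PIX."""
    lines = static_pat_lines(inside_host, first_port, last_port,
                             mapped_ifc=mapped_ifc)
    lines += inbound_acl_lines(acl_name, first_port, last_port,
                               mapped_ifc=mapped_ifc)
    lines.append(f"access-group {acl_name} in interface {mapped_ifc}")
    return lines


if __name__ == "__main__":
    # Write the generated config to stdout; redirect to a file to paste later.
    for line in build_config(INSIDE_HOST, FIRST_PORT, LAST_PORT, ACL_NAME):
        print(line)
```

Keeping the ACL limited to the same range as the statics matters more than the number of static lines: each static line is an inbound exposure of one port on the outside address, and the access-list is the only thing narrowing who may reach it. The script refuses an inverted or out-of-range port pair rather than silently emitting nothing.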
chinster (Author) Commented:
Well I guess then the only answer is to add a static for each port, I was worried that was the answer!

Do any of you guys know whether this would slow the pix down having this many rules?

Again thanks for all your help!
oops you are right.....
I missed that.....it looks like he is going to two different servers on the inside with a single IP ADDRESS
That can't be done....
WRITE the 100+ statics is the only way....
My comments will only work if all traffic is going to the same server....
he does still need to do a reboot after all static changes.....
Good Luck...
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: td_mile & lrmoore

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
