PIX 501 service group forwarded to internal host

Posted on 2005-04-20
Last Modified: 2007-02-13
Hi all experts,
Is there a way to forward a service group to an internal host on the PIX 501?  Basically what I need to do is open about 2000 ports to a specific host and am trying to find out if I can avoid creating 2000 translation rules...

Let me know if that is doable and how.

Thanks much!
Question by: maredzki
    LVL 10

    Expert Comment

    Create a single translation rule that maps one public IP to the internal host.  Create an access list that allows the port range using the aforementioned service group.  You cannot use service groups to define NAT -- only access lists.  If you do not have an available public IP, buy a block from your provider.
    LVL 2

    Author Comment

    So are you telling me that using a single public IP I cannot do multiple service groups and/or single port forwards to different internal hosts?  I am able to forward multiple single ports to different hosts, but cannot figure out how to do groups.

    Is that my final answer from ruddg?  
    LVL 10

    Accepted Solution

    Yes, as you have noted, you can create ~65K port forwards to as many hosts as you like using a single public IP, but you cannot do "group" port forwards.  The service group feature applies only to the access lists, not to NAT/PAT.  You can still use the service group to create the access list, but you would need multiple translation statements to forward a block of ports to a specific internal host.  Final answer. :-(

    LVL 2

    Author Comment

    Thanks for your help ruddg, in spite of the answer I was looking for :-)
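
The approach from the accepted answer (one service group for the access list, one translation statement per port), as an added example that is not part of the original thread: a small generator that derives both from the same range so the ACL never permits more than is actually forwarded. It assumes PIX 6.x command syntax; the inside host `192.168.1.50`, the range 5000-6999 and the names `FWD_PORTS` and `outside_in` are constructed placeholders.

```python
import ipaddress


def pix_port_forward(inside_host, first, last, proto="tcp",
                     group="FWD_PORTS", acl="outside_in"):
    """Return PIX config lines that forward ports first..last arriving on
    the outside interface address to inside_host (one static per port)."""
    ipaddress.IPv4Address(inside_host)      # raises ValueError on a bad address
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    if not (1 <= first <= last <= 65535):
        raise ValueError("invalid port range")

    # The service group is only usable in the access list, not in NAT/PAT.
    # 'acl' is a placeholder: an interface takes one inbound ACL, so if one
    # is already bound to outside, add the permit line to that ACL instead.
    lines = [
        f"object-group service {group} {proto}",
        f"  port-object range {first} {last}",
        f"access-list {acl} permit {proto} any interface outside "
        f"object-group {group}",
        f"access-group {acl} in interface outside",
    ]

    # One translation statement per port, built from the same range as the
    # ACL above so the two cannot drift apart.
    for port in range(first, last + 1):
        lines.append(
            f"static (inside,outside) {proto} interface {port} "
            f"{inside_host} {port} netmask 255.255.255.255 0 0"
        )
    return lines


if __name__ == "__main__":
    # Constructed sample values: about 2000 ports to one internal host.
    print("\n".join(pix_port_forward("192.168.1.50", 5000, 6999)))
```

Review the generated lines before pasting them into a configuration session, and repeat the call with `proto="udp"` and a different group name if the application also needs UDP.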
