Enabling RAS on PIX 501

Posted on 2006-03-22
Last Modified: 2013-11-16

I wish to configure my PIX 501 with RAS remote access, but I am unsure of what I need to add to my firewall in terms of directing traffic to my RAS server. What access lists etc. will I need to configure for outside access? Is there any particular service that I need to add?

Question by:bjbit

    Expert Comment

    What do you want to access from INTERNET?  Internal Server/Computer?  The PIX itself?

    If computer:   with  - example:

    Just set up port forwarding - example below
          static (inside,outside) tcp interface eq 3389 netmask 0 0 --> forwards RDP to PC
          static (inside,outside) tcp interface eq 5900 netmask 0 0 --> forwards VNC to PC

    Filter on source IP address for access allow - example below
          access-list inbound line 1 permit host host eq 3389
          access-list inbound line 2 permit host host eq 5900

    If PIX is what you want RAS for:

    You need to configure ssh:
          ssh outside -----> the "" allows any host/subnet to ssh to "outside" interface
                                                          adjust the "" to your WAN IP settings

    You also need an access-list entry to permit tcp port 22 traffic
         access-list inbound line 3 permit tcp any any eq 22


    Hope this helps


    Author Comment


    I need to allow users access to mail/file servers etc.

    Should I not accept

          static (inside,outside) tcp interface eq 3389 netmask 0 0 --> forwards RDP to PC
          static (inside,outside) tcp interface eq 5900 netmask 0 0 --> forwards VNC to PC

    as users will be using the DSL providers' IPs, or is there a better way to lock this down and still allow

    Accepted Solution

    First, this is dangerous.  These mail/file servers should be on a DMZ interface to segregate your internal network away from things that outside users can access.  I'd point you in the direction of VPN, however, it's much slower and you'd need to have your outside users run a VPN client just to get to their mail... try the DMZ approach.
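
Added example, not part of the thread and not code from any poster: a small audit that reads PIX-style `access-list` lines and reports permits that open the ports discussed above (22, 3389, 5900) to `any` source, plus lines it cannot parse. The addresses in the sample are constructed documentation-range values, and the function names are hypothetical.

```python
# Added example: flag PIX-style ACL permits that expose SSH/RDP/VNC to any source.
# Only 'eq <port>' matches are checked; port ranges and 'permit ip' are out of scope.
SENSITIVE = {"22": "SSH", "3389": "RDP", "5900": "VNC"}  # ports named in the thread
PORT_ALIASES = {"ssh": "22"}  # named port accepted in place of the number

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host <ip>' or '<ip> <mask>'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return "host " + tokens[1], tokens[2:]
    return tokens[0] + " " + tokens[1], tokens[2:]

def parse_acl(line):
    """Return (action, proto, src, dst, port); raise ValueError if malformed."""
    tokens = line.split()[2:]              # drop 'access-list <name>'
    if tokens[:1] == ["line"]:
        tokens = tokens[2:]                # drop optional 'line <n>'
    try:
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto not in ("tcp", "udp", "ip"):
            raise ValueError(line)
        src, rest = _take_addr(tokens[2:])
        dst, rest = _take_addr(rest)
    except IndexError:
        raise ValueError(line) from None
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return action, proto, src, dst, PORT_ALIASES.get(port, port)

def audit(config):
    """Return (kind, line) findings; kind is 'open-<service>' or 'unparsed'."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("access-list "):
            continue
        try:
            action, _proto, src, _dst, port = parse_acl(line)
        except ValueError:
            findings.append(("unparsed", line))  # never treat a bad line as safe
            continue
        if action == "permit" and src == "any" and port in SENSITIVE:
            findings.append(("open-" + SENSITIVE[port], line))
    return findings

# Constructed sample; the last line mimics an entry with its addresses missing.
SAMPLE = """access-list inbound permit tcp host 198.51.100.7 host 203.0.113.2 eq 3389
access-list inbound line 2 permit tcp any host 203.0.113.2 eq 5900
access-list inbound line 3 permit tcp any any eq ssh
access-list inbound permit tcp any host 203.0.113.2 eq 25
access-list inbound line 1 permit host host eq 3389"""
```
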

