Enabling RAS on PIX 501

Medium Priority
Last Modified: 2013-11-16

I wish to configure my PIX 501 with RAS remote access, but I am unsure of what I need to add to my firewall in terms of directing traffic to my RAS server. What access lists etc. will I need to configure for outside access? Is there any particular service that I need to add?


What do you want to access from INTERNET?  Internal Server/Computer?  The PIX itself?

If computer:   with  - example:

Just set up port forwarding - example below
      static (inside,outside) tcp interface eq 3389 netmask 0 0 --> forwards RDP to PC
      static (inside,outside) tcp interface eq 5900 netmask 0 0 --> forwards VNC to PC

Filter on source IP address for access allow - example below
      access-list inbound line 1 permit host host eq 3389
      access-list inbound line 2 permit host host eq 5900

If PIX is what you want RAS for:

You need to configure ssh:
      ssh outside -----> the "" allows any host/subnet to ssh to "outside" interface
                                                      adjust the "" to your WAN IP settings

You also need an access-list entry to permit tcp port 22 traffic
     access-list inbound line 3 permit tcp any any eq 22


Hope this helps



I need to allow users access to mail/file servers etc.

Should I not accept

 static (inside,outside) tcp interface eq 3389 netmask 0 0 --> forwards RDP to PC
      static (inside,outside) tcp interface eq 5900 netmask 0 0 --> forwards VNC to PC

as users will be using the DSL providers' IPs or is there a better way to lock this down and still allow

First, this is dangerous.  These mail/file servers should be on a DMZ interface to segregate your internal network away from things that outside users can access.  I'd point you in the direction of VPN, however, it's much slower and you'd need to have your outside users run a VPN client just to get to their mail... try the DMZ approach.
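
An added example, not part of the original thread: a small Python check that scans PIX access-list lines for permit entries whose source is "any" on the remote-admin ports discussed above (22, 3389, 5900), such as the "permit tcp any any eq 22" line in the first answer. The addresses in the sample config are constructed documentation addresses, and the function and variable names are this example's own.

```python
"""Flag PIX access-list permits that open remote-admin ports to any source."""

# Ports named in the thread; a saved config may show port 22 by name.
ADMIN_PORTS = {"22": "SSH", "ssh": "SSH", "3389": "RDP", "5900": "VNC"}

# Constructed sample config (documentation addresses, not from the thread).
SAMPLE = """\
access-list inbound line 1 permit tcp host 203.0.113.10 host 198.51.100.2 eq 3389
access-list inbound line 2 permit tcp any host 198.51.100.2 eq 5900
access-list inbound line 3 permit tcp any any eq 22
access-list inbound line 4 permit tcp any host 198.51.100.2 eq 25
"""

def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (spec, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    # "host <ip>", "interface <name>" and "<network> <mask>" all use two tokens.
    return " ".join(tokens[i:i + 2]), i + 2

def audit(config_text):
    """Return (acl_name, service, line) for each permit that is open to any source."""
    findings = []
    for raw in config_text.splitlines():
        t = raw.split()
        try:
            if t[0] != "access-list":
                continue
            name, i = t[1], 2
            if t[i] == "line":            # optional "line N" position keyword
                i += 2
            action, proto = t[i], t[i + 1]
            src, i = _take_addr(t, i + 2)
            _dst, i = _take_addr(t, i)
        except IndexError:
            continue                      # blank or truncated line: nothing to judge
        if action != "permit" or proto != "tcp" or src != "any":
            continue
        rest = t[i:]
        if not rest:                      # no port qualifier means every TCP port
            findings.append((name, "ALL TCP", raw.strip()))
        elif len(rest) >= 2 and rest[0] == "eq" and rest[1] in ADMIN_PORTS:
            findings.append((name, ADMIN_PORTS[rest[1]], raw.strip()))
    return findings

if __name__ == "__main__":
    for acl, service, line in audit(SAMPLE):
        print(f"[{acl}] {service} open to any source: {line}")
```
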

