PIX 501 port forwarding not forwarding

Posted on 2006-04-20
Last Modified: 2012-05-05
I have a PIX 501 which is routing Remote Desktop on the primary interface IP of 66.xx.xx.186 to a server of This works...
However, I am trying to route port 3389 for Remote Desktop for another external IP of 66.xx.xx.187 to an internal machine of and this is NOT working.

I see in show access-list a hitcnt showing the hit, but no connection is established.
The same thing happens when I try to forward port 3390 on the outside interface (66.xx.xx.186) to 3389 on the machine.... The hit count increases, but no connection.

I am able to Remote Desktop to the machine just fine on the LAN, it has no firewall running on it.
The same thing happens for port 8080, which I can hit with a browser via the LAN, but not if I configure it on the PIX...

I also cannot ping the 66.xx.xx.187 real-world IP, but I CAN ping the *.186 IP from outside the LAN.

Below is some of my config...

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 66.xx.xx.186 eq 3389        DOES WORK
access-list outside_access_in permit tcp any host 66.xx.xx.187 eq 3389        DOES *NOT* WORK
access-list outside_cryptomap_20 permit ip interface outside
access-list inside_outbound_nat0_acl permit ip
access-list inside_outbound_nat0_acl permit ip interface outside
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.xx.xx.186
ip address inside
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
nat (inside) 1 0 0
static (inside,outside) tcp 66.xx.xx.186 3389 3389 netmask 0 0    WORKS
static (inside,outside) tcp 3389 3389 netmask 0 0   DOES *NOT* WORK
access-group outside_access_in in interface outside
route outside 1

So the issues are...

No ability to get to 66.xx.xx.187 via remote desktop
No ability to ping the machine associated with .187 (not a big deal, but what am I missing here?)

output from show access-list:

access-list outside_access_in line 2 permit tcp any host 66.xx.xx.186 eq 3389 (hitcnt=5)   WORKS

access-list outside_access_in line 16 permit tcp any host 66.xx.xx.187 eq 3389 (hitcnt=4)  DOES *NOT* WORK...

Thank you,


Question by:PlusInc
    LVL 7

    Assisted Solution

    Look for typos in the address.

    Verify RDP works from the inside.

    Ping will not work with _port_ forwarding, only full NAT will pass the pings...

    Does any other address in the range work? I noticed the PIX external address is also 186 (which is why it returns the ping).

    Swap the two static translations and see which one still works. Your provider may not be routing the rest of the address space to your PIX (doubtful, but possible).

    LVL 25

    Accepted Solution

    If you're getting hits on that access list then it should be working. Like minmei recommended, verify that RDP works from the inside to that client. Either RDP isn't on or the firewall is blocking it.

    Also, just to be sure the packets are passing through like they should, run a capture on the inside interface of the PIX to ensure that the packets are being relayed.

    Author Comment

    access-list outside_access_in line 16 permit tcp any host 66.xx.xx.187 eq 3389 (hitcnt=7)

    I keep watching the hitcnt increase, but no connection made =(

    yes, I can get to the internal machine on the LAN, but not on the outside....
    Very odddddd.

    now, as a test, I routed 3389 on the main interface IP to the machine I wanted on the LAN, and it still would not route through... GRRRRR

    I did clear xlate and clear local, etc...  

    It's those hit counts that blow me away... So the PIX is accepting the traffic, routing it? Maybe the machine is the problem? Hrmmmmm


    LVL 25

    Expert Comment

    Did you run a capture on the inside interface of the PIX to make sure you saw the packets being sent?

    pixfirewall(config)#capture cap_in interface inside
    pixfirewall(config)#show capture cap_in | grep

    Also make sure that from the firewall you can ping, just to make sure.


    Author Comment

    OMG I am a dunce!

    The machine I was wanting to forward to did not have a gateway set on it!!!!!!!!!!!  I had to physically get to this location to check it because I did not have a login/password to get into the box over the LAN (from remote desktop connection I had to the server)....

    WOW... Okay, color me stupid.

    Thank you all for your help, I am applying points to everyone! hahahaha
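The capture check the expert suggested, and the symptom that actually explained this thread (SYNs are forwarded to the inside host, which never answers because it has no default gateway), as an added example that is not part of the original thread. It parses tcpdump-style lines in the shape PIX 6.3 `show capture` prints them (an assumption about the exact format) and reports inside hosts that received SYNs on the forwarded port but never sent a SYN/ACK back; the capture text is constructed and uses RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample of `show capture cap_in` output (tcpdump-style, as PIX 6.3 prints it).
# 192.0.2.20 has a default gateway and answers its SYN; 192.0.2.30 has none (the root cause
# in the thread) so the outside client keeps retransmitting SYNs and the ACL hitcnt climbs.
SAMPLE_CAPTURE = """\
1: 10:01:02.100000 198.51.100.7.51022 > 192.0.2.20.3389: S 1000:1000(0) win 65535 <mss 1460>
2: 10:01:02.100800 192.0.2.20.3389 > 198.51.100.7.51022: S 5000:5000(0) ack 1001 win 8192 <mss 1460>
3: 10:01:02.101500 198.51.100.7.51022 > 192.0.2.20.3389: . ack 5001 win 65535
4: 10:01:05.200000 198.51.100.7.51023 > 192.0.2.30.3389: S 2000:2000(0) win 65535 <mss 1460>
5: 10:01:08.200000 198.51.100.7.51023 > 192.0.2.30.3389: S 2000:2000(0) win 65535 <mss 1460>
6: 10:01:14.200000 198.51.100.7.51023 > 192.0.2.30.3389: S 2000:2000(0) win 65535 <mss 1460>
"""

# packet number, timestamp, src.port > dst.port: flags <rest of line>
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)


def parse_capture(text):
    """Yield (src_ip, src_port, dst_ip, dst_port, is_syn, is_ack) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield (m.group("sip"), int(m.group("sport")),
               m.group("dip"), int(m.group("dport")),
               "S" in m.group("flags"), " ack " in m.group("rest"))


def unanswered_syns(text, port=3389):
    """Return {inside_host: syn_count} for hosts that got SYNs on `port` but sent no SYN/ACK.

    A host listed here is receiving the forwarded traffic, so the static/ACL on the PIX is
    fine; look at the host itself (service not listening, host firewall, missing gateway).
    """
    syns = defaultdict(int)
    answered = set()
    for sip, sport, dip, dport, is_syn, is_ack in parse_capture(text):
        if is_syn and not is_ack and dport == port:
            syns[dip] += 1        # SYN relayed by the PIX toward the inside host
        elif is_syn and is_ack and sport == port:
            answered.add(sip)     # SYN/ACK coming back from the inside host
    return {host: n for host, n in syns.items() if host not in answered}
```

In practice, paste the real `show capture cap_in` output in place of the constructed sample; a host with a non-zero count and no reply is the one to check for the gateway and local firewall issues discussed above.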
