• Status: Solved

PIX 501 port forwarding not forwarding

I have a PIX 501 which is routing Remote Desktop on the primary interface IP of 66.xx.xx.186 to a server of This works...
However, I am trying to route port 3389 for Remote Desktop for another external IP of 66.xx.xx.187 to an internal machine of and this is NOT working.

I see in show access-list a hitcnt showing the hit, but no connection is established.
The same thing happens when I try to forward port 3390 on the outside interface (66.xx.xx.186) to 3389 on the machine.... The hit count increases, but no connection.

I am able to Remote Desktop to the machine just fine on the LAN, it has no firewall running on it.
The same thing happens for port 8080, which I can hit with a browser via the LAN, but not if I configure it on the PIX...

I also cannot ping the 66.xx.xx.187 real-world IP, but I CAN ping the *.186 IP from outside the LAN.

Below is some of my config...

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 66.xx.xx.186 eq 3389        DOES WORK
access-list outside_access_in permit tcp any host 66.xx.xx.187 eq 3389        DOES *NOT* WORK
access-list outside_cryptomap_20 permit ip interface outside
access-list inside_outbound_nat0_acl permit ip
access-list inside_outbound_nat0_acl permit ip interface outside
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.xx.xx.186
ip address inside
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
nat (inside) 1 0 0
static (inside,outside) tcp 66.xx.xx.186 3389 3389 netmask 0 0    WORKS
static (inside,outside) tcp 3389 3389 netmask 0 0   DOES *NOT* WORK
access-group outside_access_in in interface outside
route outside 1

So the issues are...

No ability to get to 66.xx.xx.187 via remote desktop
No ability to ping the machine associated with .187 (not a big deal, but what am I missing here?)

Output from show access-list:

access-list outside_access_in line 2 permit tcp any host 66.xx.xx.186 eq 3389 (hitcnt=5)   WORKS

access-list outside_access_in line 16 permit tcp any host 66.xx.xx.187 eq 3389 (hitcnt=4)  DOES *NOT* WORK...

Thank you,


2 Solutions
Look for typos in the address.

Verify RDP works from the inside.

Ping will not work with _port_ forwarding, only full NAT will pass the pings...

Does any other address in the range work? I noticed the PIX external address is also 186 (which is why it returns the ping).

Swap the two static translations and see which one still works. Your provider may not be routing the rest of the address space to your PIX (doubtful, but possible).
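An added example, not from any poster in this thread: a small Python check for the two things suggested first above (an address typo, and a permit with no static behind it). It parses the PIX 6.3 `access-list ... permit tcp any host X eq P` and `static (inside,outside) tcp ...` forms used in the question and cross-references them on (global IP, port); the sample config is constructed with documentation-range addresses, not the poster's real ones. A config that passes this check can still fail the way this thread did, when the inside host has no default gateway pointing back at the PIX.

```python
import re

# Constructed sample in PIX 6.3 syntax, modelled on the thread's excerpt but
# with documentation-range addresses; the .178 static is a deliberate typo.
SAMPLE_CONFIG = """
access-list outside_access_in permit tcp any host 203.0.113.186 eq 3389
access-list outside_access_in permit tcp any host 203.0.113.187 eq 3389
access-list outside_access_in permit tcp any host 203.0.113.187 eq 8080
static (inside,outside) tcp 203.0.113.186 3389 192.168.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.178 3389 192.168.1.20 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Only the inbound-permit and port-static forms used in the thread are parsed.
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\d+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+) netmask")

def parse(config):
    """Return two dicts keyed on (global_ip, global_port):
    ACL permits -> ACL name, and statics -> (local_ip, local_port)."""
    acl_permits, statics = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acl_permits[(m.group(2), int(m.group(3)))] = m.group(1)
            continue
        m = STATIC_RE.match(line)
        if m:
            statics[(m.group(3), int(m.group(4)))] = (m.group(5), int(m.group(6)))
    return acl_permits, statics

def audit(config):
    """Cross-check permits against statics.

    A permit with no static behind it leaves the PIX with no translation to
    apply, so the service stays unreachable despite the permit. A static with
    no permit is unreachable from outside: harmless, but usually a typo."""
    acl_permits, statics = parse(config)
    return {
        "permit_without_static": sorted(k for k in acl_permits if k not in statics),
        "static_without_permit": sorted(k for k in statics if k not in acl_permits),
    }

if __name__ == "__main__":
    for kind, entries in audit(SAMPLE_CONFIG).items():
        for ip, port in entries:
            print(f"{kind}: {ip} tcp/{port}")
```

Run against a real `show running-config`, the mismatched pair (.187 permitted, .178 translated) is exactly the kind of typo the check is meant to surface.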

If you're getting hits on that access list then it should be working. Like minmei recommended, verify that RDP works from the inside to that client. Either RDP isn't on or the firewall is blocking it.

Also, just to be sure the packets are passing through like they should, run a capture on the inside interface of the PIX to ensure that the packets are being relayed.

PlusInc (Author) commented:
access-list outside_access_in line 16 permit tcp any host 66.xx.xx.187 eq 3389 (hitcnt=7)

I keep watching the hitcnt increase, but no connection made =(

yes, I can get to the internal machine on the LAN, but not on the outside....
Very odddddd.

now, as a test, I routed 3389 on the main interface IP to the machine I wanted on the LAN, and it still would not route through... GRRRRR

I did clear xlate and clear local, etc...  

It's those hit counts that blow me away... So the PIX is accepting the traffic, routing it? Maybe the machine is the problem? Hrmmmmm


Did you run a capture on the inside interface of the PIX to make sure you saw the packets being sent?

pixfirewall(config)#capture cap_in interface inside
pixfirewall(config)#show capture cap_in | grep

Also make sure that from the firewall you can ping, just to make sure.

PlusInc (Author) commented:
OMG I am a dunce!

The machine I was wanting to forward to did not have a gateway set on it!!!!!!!!!!!  I had to physically get to this location to check it because I did not have a login/password to get into the box over the LAN (from remote desktop connection I had to the server)....

WOW... Okay, color me stupid.

Thank you all for your help, I am applying points to everyone! hahahaha
