PIX 501 Port Forwarding

Posted on 2006-05-03
Last Modified: 2010-04-08
How do I forward ports on my PIX 501?

I've been reading here, and I tried:

static (inside,outside) tcp A.A.A.A 7000 B.B.B.B 7000 netmask
static (inside,outside) tcp A.A.A.A 443 B.B.B.B 443 netmask

access-list outside_in permit tcp any host A.A.A.A eq 7000
access-list outside_in permit tcp any host A.A.A.A eq 443

where A.A.A.A is the outside IP of the PIX, and B.B.B.B is the inside IP address of the server.

I also used:

access-group outside_in in interface outside

to apply the access list.

However, when I test for connectivity:

dan@server [~]# telnet A.A.A.A 7000
Trying A.A.A.A...
telnet: Unable to connect to remote host: Connection refused

The server I attempted to connect from is an unfirewalled server on an unrelated network.

Question by: Daenks
    LVL 9

    Accepted Solution

    The first thing that you need to do is make sure that the services you want are working locally.
    So you need to test telnet on 7000 and https from your own local network to verify that they are working.
    If they are working locally, but not externally, then try making the following changes:

    1) Remove all the static and access-list entries you have configured.

    2) Replace them with the following:

    static (inside,outside) tcp interface 7000 B.B.B.B 7000 netmask
    static (inside,outside) tcp interface 443 B.B.B.B 443 netmask
    access-list acl_out permit tcp any interface outside eq 7000
    access-list acl_out permit tcp any interface outside eq 443
    access-group acl_out in interface outside
    clear xlate

    In most cases, you need to use the word "interface" on the static port redirection in place of the PIX's actual outside IP address, or otherwise it will not work.

    Try it and let us know.
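
An added example, not part of the original thread and not the answerer's own code: a small Python check that reads a PIX 6.x-style configuration and reports static port redirects that use the outside interface's literal IP instead of "interface", or that have no matching permit in the ACL bound to the outside interface. The sample configuration, its addresses, and the function names audit and first are constructed for illustration.

```python
import re

# Constructed sample config (documentation addresses, not from the thread).
SAMPLE = """\
ip address outside 203.0.113.2 255.255.255.0
static (inside,outside) tcp 203.0.113.2 7000 192.168.1.10 7000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.1.10 8080 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any interface outside eq 7000
access-list acl_out permit tcp any interface outside eq https
access-group acl_out in interface outside
"""

PORT_NAMES = {"www": "80", "https": "443"}  # names the PIX prints for ports
STATIC = re.compile(r"static \(inside,outside\) tcp (\S+) (\S+) \S+ \S+")
PERMIT = re.compile(
    r"access-list (\S+) permit tcp any (?:host (\S+)|interface outside) eq (\S+)")
GROUP = re.compile(r"access-group (\S+) in interface outside")
OUTSIDE_IP = re.compile(r"ip address outside (\S+)")

def first(rx, lines):
    """First capture group of the first line matching rx, or None."""
    return next((m.group(1) for m in map(rx.match, lines) if m), None)

def audit(config):
    """Return (global_addr, port, finding) for each problem static redirect."""
    lines = [line.strip() for line in config.splitlines()]
    outside_ip, bound_acl = first(OUTSIDE_IP, lines), first(GROUP, lines)
    port = lambda p: PORT_NAMES.get(p, p)
    # Treat the outside interface's own IP and the 'interface' keyword as one target.
    norm = lambda a: "interface" if a in (None, outside_ip) else a
    permitted = {(norm(m.group(2)), port(m.group(3)))
                 for m in map(PERMIT.match, lines)
                 if m and m.group(1) == bound_acl}
    findings = []
    for m in filter(None, map(STATIC.match, lines)):
        addr, gport = m.group(1), port(m.group(2))
        if addr == outside_ip:
            findings.append((addr, gport, "literal outside IP; use 'interface'"))
        if (norm(addr), gport) not in permitted:
            findings.append((addr, gport, "no permit in ACL bound to outside"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Only ACL entries in the list named by the access-group line on the outside interface are counted, so a permit in an unbound list is still reported as missing.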

    LVL 2

    Author Comment

    thanks :)
