Cisco PIX translation access issue

Posted on 2011-04-19
Last Modified: 2012-05-11
I'm trying to set up a new PIX using the outside interface and translating specific ports to a NAT host on the inside.

Everything looks ok, but I don't see the ACL rules being hit in the ASDM / access rules.  I do get an error: " TCP access denied by AC from (myexternal)/54936 to outside:corepix/23"

name InsideCorePix
name corepix
name APDDevice

access-list outside_access_in extended permit ip host ME host corepix log warnings
access-list outside_access_in extended permit tcp any any eq telnet
access-list DefaultRAGroup_splitTunnelAcl standard permit
access-list inside_access_in extended permit ip any log warnings
access-list inside_access_in extended permit ip host APDDevice any

global (outside) 101 interface
nat (inside) 101
static (outside,inside) APDDevice noncorepix netmask
access-group outside_access_in in interface outside

Is there something special I need to do to allow the outside interface to forward a port to a host on the inside?
Question by:sej69

    Expert Comment

    by:Ernie Beek
    First change:
    static (outside,inside) APDDevice noncorepix netmask
    to:
    static (inside,outside) noncorepix APDDevice netmask

    I assume noncorepix is an additional public ip address?

    Expert Comment

    Is this the complete Access-list?  Are there any additional ACEs for 'outside_access_in'?  

    Also, you ask about forwarding a port inside.    How many IPs do you have available from your ISP?   If it is a block of IPs, then you need to make sure that you don't use the same IP on the outside interface that you are trying to use in that static NAT.    Are there additional NAT statements that are not posted?  

    Also, listen to Ernie about the format of that static as well.


    Accepted Solution


    By the error you are getting, you are using the same public IP for the outside interface and the static NAT. If you have only one public IP you will need to do port forwarding like this:
    static (inside,outside) tcp interface telnet APDDevice telnet netmask 0 0

    (More info here

    In this scenario, you will be unable to telnet to corepix from outside. To avoid this problem, do the following:
    static (inside,outside) tcp interface 2023 APDDevice telnet netmask 0 0

    In this case you will need to use telnet to port 2023 to reach APDDevice's port 23. Also you will need to adjust outside ACL:
    access-list outside_access_in extended permit tcp any host corepix eq 2023
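
Added example, not part of the thread or any poster's code: a small Python check for the points raised in the answers above (interface order in the static, an outside ACE on the mapped port rather than the real port, and a port forward on the interface's port 23 taking over telnet to the firewall). The sample config is constructed, its netmask values and the `audit` helper are assumptions, and only `any`/`host` ACE forms are parsed.

```python
import re

# Constructed sample in the thread's pre-8.3 PIX syntax; the names stand in
# for the addresses that are elided on the page.
SAMPLE = """\
access-list outside_access_in extended permit tcp any any eq telnet
access-list outside_access_in extended permit tcp any host corepix eq 2023
static (outside,inside) APDDevice noncorepix netmask 255.255.255.255
static (inside,outside) tcp interface 2023 APDDevice telnet netmask 255.255.255.255
static (inside,outside) tcp interface www APDDevice www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

PORTS = {"telnet": 23, "ssh": 22, "smtp": 25, "www": 80, "https": 443}
ACE = re.compile(r"access-list (\S+) extended permit (tcp|udp) "
                 r"(any|host \S+) (any|host \S+) eq (\S+)")
STATIC = re.compile(r"static \((\w+),(\w+)\) (?:(tcp|udp) (\S+) (\S+) )?")
GROUP = re.compile(r"access-group (\S+) in interface outside")

def port(tok):
    return PORTS.get(tok) or int(tok)

def audit(config):
    """Return findings for static NAT/PAT lines and the outside ACL."""
    lines = [l.strip() for l in config.splitlines()]
    bound = {m.group(1) for l in lines if (m := GROUP.match(l))}
    permitted, findings = set(), []
    for l in lines:
        m = ACE.match(l)
        if m and m.group(1) in bound:
            # Simplification: ports are matched, destination names are not resolved.
            permitted.add((m.group(2), port(m.group(5))))
            if m.group(4) == "any":
                findings.append(f"broad ACE (destination any): {l}")
    for l in lines:
        if not (m := STATIC.match(l)):
            continue
        real_if, mapped_if, proto, mapped_ip, mapped_port = m.groups()
        if (real_if, mapped_if) != ("inside", "outside"):
            findings.append(f"interface pair is not (inside,outside): {l}")
        elif proto:
            p = port(mapped_port)
            if (proto, p) not in permitted:
                findings.append(f"no outside ACE for mapped {proto}/{p}: {l}")
            if mapped_ip == "interface" and p == 23:
                findings.append(f"PAT shadows telnet to the firewall itself: {l}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
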


    Author Comment

    still working on this
