Static Port Forwarding

Unanswered Question

I am trying to set up static single (1) and range (2) port forwarding on PIX 506E device using the following commands; however it is not working. What am I missing?

Single Port Forwarding

1. static (inside,outside) tcp 24.172.x.x 5631 5631 netmask

access-list PCA permit tcp any host 24.172.x.x eq 5631

access-group PCA in interface outside

Port Range Forwarding

2. object-group service pearl_echo_tcp tcp

port-object range 57345 57370

access-list PE permit tcp any host 24.172.x.x object-group pearl_echo_tcp

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
kaachary Mon, 02/19/2007 - 10:03

Looks good to me..can you make sure yu do not have any inbound ACL on Inside Interface.

Also, try doing a telnet to the 24.x.x.x ip on port 5631 from outside. Does that work ?


vitripat Mon, 02/19/2007 - 18:06

static (inside,outside) tcp 24.172.x.x 5631 5631 netmask

The static command above looks fine. However, looking at port no. 5631, are you trying to pass PCAnywhere through PIX? If so, you also need to open port 5632 (UDP).

static (inside,outside) udp 24.172.x.x 5632 5632 netmask

On the access-list applied to outside interface in inbound direction, you need to have following lines in-

access-list PE permit tcp any host 24.172.x.x eq 5631

access-list PE permit udp any host 24.172.x.x eq 5632


object-group service pearl_echo_tcp tcp

port-object range 57345 57370

access-list PE permit tcp any host 24.172.x.x object-group pearl_echo_tcp


What is the requirement of above commands? If you need to allow inbound access to 24.172.x.x on ports from 57345-57370, we will need to add individual static command for each port.

I hope this helps.



vitripat Tue, 02/20/2007 - 09:08

You can check if there is any access-list applied on the inside interface using following command-

show access-group

If you see any access-group on inside interface, that access-list is applied on inside interface of PIX.

To allow pc-anywhere through PIX, as I mentioned earlier, you only need to redirect following ports from public IP to the internal IP-

5631(tcp) & 5632(udp)

Assuming that public IP is -- public

and private IP is -- private

Following commands are required-

static (inside,outside) tcp public 5631 private 5631

static (inside,outside) udp public 5632 private 5632

access-list 101 permit tcp any host public eq 5631

access-list 101 permit udp any host public eq 5632

access-group 101 in interface outside

let me know if this helps.



vitripat Tue, 02/20/2007 - 14:49

Could you provide the output of following commands-

show static

show access-list

show access-group

Interestingly enough show static and show access-group did not show any entries. I got all my access list displayed when using show access-list command.

I ended up creating all static entries throgh PIX device manager and now all statics are displayed and working properly; however show access-group displays only the list access-group I created. Any reason why?

kaachary Wed, 02/21/2007 - 09:08


"sh access-group" will only show you the access-group and the interfacce its applied to.

If you want to check the entries the int haccess-list, you to do a "sh access-list "

Sh static should show all the statics, if there's any. I'm not sure, why its not displaying that.


kaachary Wed, 02/21/2007 - 09:43

That is the command for 7.X code..

Its PIX 506E.


leowong Mon, 02/26/2007 - 03:01

Possible to do port forward on PPTP tunnel? As it only accept TCP or UDP, if i have a server that behind the firewall, that need to terminate PPTP sessions, and i only have one public IP..... what should i do?

thanks in advance.



This Discussion