Opening up a port

Feb 28th, 2007

Question for you: I have a 515E firewall and I have an internal machine that needs to connect to an external host on the internet. In order for me to do that, all I would need to do is:

nat(inside) 100

global(outside) 100

I don't need to specify the IP address and port number of the distant end machine:

nat(inside) 100 4001

acomiskey Wed, 02/28/2007 - 09:10

Um, not quite. Define what all those IPs are for us and we'll show you how to do it. I'm assuming you cannot get anywhere outside yet? As long as you don't have an ACL on the inside interface and your NAT is set up, inside will be able to go anywhere outside by default.

wgranada1 Wed, 02/28/2007 - 09:17

I have an internal machine and I need it to connect to an external machine via the internet. The external machine's IP and port are port 4001.

The IP address is Cogent, the internet provider.

wgranada1 Wed, 02/28/2007 - 09:26

Sorry, to answer your question: yes, currently that internal machine cannot get out. This is a new connection.

acomiskey Wed, 02/28/2007 - 09:31

Allowing the port out is not your problem. Can you post your PIX config and give us a topology of your network with the IP address scheme? Thanks.

wgranada1 Wed, 02/28/2007 - 09:52

Topology goes as follows:

chirt1 -> chipix1 -> chirt5 -> Cogent network

suschoud Mon, 03/05/2007 - 08:28

An example:

Inside IP:

An IP address on the internet:

The inside IP needs to contact

What you need:

nat (inside) 1

global (outside) 1 interface

While going outside on the internet to will get translated to the outside interface's IP address.

Source IP address on inside:

Destination IP address on inside:

When this packet reaches the outside interface of the firewall:

Source IP address of packet: outside interface's IP address.

Destination IP address:

inside: security level 100

outside: security level 0

When you send traffic from a higher security level interface (inside) to a lower security level interface (outside), you need the translation rule defined for NAT or PAT (the nat and global commands).

As we say, by default the traffic is allowed from the higher security zone to the lower one; by that we mean that we do not need any access-list to permit the traffic.

That is, if there's no access-list on the inside interface, all the traffic is allowed to go to outside, if we have the corresponding nat and global.

If you have put even a single access-list on the inside interface, then you need to define access-list entries for all the traffic you need to permit (as at the end of the access-list there's an implicit deny).

Now, in your case, you should be able to access that remote IP on the internet.

Hope this clears up how PIX/ASA works.
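As an added illustration of the two points above (this is not from the thread or from Cisco documentation), here is a minimal PIX-style configuration: the first two lines are the nat/global pair that lets inside hosts out with PAT on the outside interface, and the last two lines show the optional least-privilege variant, an inbound ACL on the inside interface that permits only the 4001 session discussed, with everything else hitting the implicit deny. The inside subnet 192.168.1.0/24, the remote host 203.0.113.10 and the ACL name inside_out are constructed placeholders, not values from the thread.

```cisco
! Translation rule: every inside address (0 0 = any) is PAT'd to the outside interface IP
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! Optional: once any ACL is bound to inside, only explicitly permitted traffic leaves.
! Constructed values: 192.168.1.0/24 inside subnet, 203.0.113.10 remote host, ACL name inside_out
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.10 eq 4001
access-group inside_out in interface inside
```

Without the last two lines the default higher-to-lower behaviour applies and all outbound traffic is allowed; with them, add a permit entry for each additional service the inside hosts need (for example DNS), or that traffic is silently dropped.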
