Pix 501 Port Forwarding

Jan 17th, 2008

How would I go about the following on a Pix 501?

The following ports need to be forwarded to the phone system (

2944 - 2945
49150 - 49154
161 - 162
10020 - 10021

Collin Clark Thu, 01/17/2008 - 07:19


You have two options: create a static for each port, or if you have multiple public IPs you can NAT the entire IP. Here's an example of each.

static (inside,outside) tcp interface 5070 5070 netmask

or to NAT the whole IP

static (inside,outside) [public IP] netmask

Don't forget to create and apply your ACL as well.

HTH and please rate.

cozyk1515 Thu, 01/17/2008 - 07:23
Do I still need to do the ACL if I do option 1?

Also, have you used the ASDM for the PIX? How is it? I prefer the CLI over the SDM for routers.

Collin Clark Thu, 01/17/2008 - 07:43

You need an ACL no matter what. The static builds the road for access and the ACLs are the cops that control the traffic. I prefer the CLI, much faster for me and more flexible.

cozyk1515 Thu, 01/17/2008 - 07:50
Sorry, I hope I am not being a pain. I am a router and switch tech; my firewall person is out.

So I need to do a

access-list newaccesslist permit ip eq 67

for each port?

Collin Clark Thu, 01/17/2008 - 08:15

Yes, but just like on a router you need a source address and a destination address. Also, the destination address is your public address. Also, for more security, restrict the ports instead of using IP. For example:

access-list newaccesslist permit ip eq 67

should be

access-list newaccesslist permit tcp any host eq 67

The any is the source address. If you only wanted the network, you would change any to (note PIX/ASA does not use inverted subnet masks). The host keyword specifies a single host. It's the same as doing

As a quick side note you can also group ports together using object groups. Are you leaning towards multiple statics or just one full NAT? I can help you with ACL, give me a few minutes and I'll post it for you.

Collin Clark Thu, 01/17/2008 - 08:25

Here's what you should need. Anything in CAPS you will need to change to fit your real names and IP addresses. One thing to note is that you will not need a new access list if there is already an access list applied to that interface. You can append the entry below, but you will need to change the name of the access list to match the one that is currently applied. If you need help with that, post the results of show run | inc access-group. Also, I'm assuming all the ports you want opened up are TCP. If that is incorrect, do not paste the config below. Let me know what ports are TCP and which are UDP and I'll create a new one for you.

object-group service INSERTNAME tcp
 port-object range 2944 2945
 port-object range 49150 49154
 port-object range 161 162
 port-object range 10020 10021
 port-object eq 7
 port-object eq 67
 port-object eq 5060
 port-object eq 5070
access-list newaccesslist extended permit tcp ANY host PUBLICIP object-group INSERTNAME
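
As an added example (not from the thread and not Cisco's code): a small Python helper that emits the pieces Collin lays out above, keeping TCP and UDP ports in separate object-groups as he asks, and letting you choose between one static per port (option 1) and one static for the whole public IP (option 2). PIX 6.x CLI syntax is assumed; all names and addresses are constructed placeholders.

```python
# Added example (not from the thread): build the PIX object-group, access-list,
# static and access-group lines from a port list, keeping TCP and UDP apart.
# PIX 6.x syntax is assumed; names and addresses below are constructed placeholders.
from typing import Iterable, List, Tuple

Port = Tuple[int, int]  # (first, last); a single port is written (p, p)


def port_objects(ports: Iterable[Port]) -> List[str]:
    """One port-object per entry: 'eq' for a single port, 'range' otherwise."""
    out = []
    for lo, hi in ports:
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {lo}-{hi}")
        out.append(f" port-object eq {lo}" if lo == hi else f" port-object range {lo} {hi}")
    return out


def build_pix_config(public_ip: str, inside_ip: str, acl_name: str,
                     tcp: List[Port], udp: List[Port], whole_ip: bool = False) -> List[str]:
    """Return config lines forwarding the given TCP/UDP ranges to inside_ip.

    whole_ip=True maps the entire public address with one static (option 2);
    otherwise one static per port is emitted, so only listed ports are mapped.
    The ACL is needed either way: the static opens the path, the ACL controls it.
    """
    lines: List[str] = []
    for proto, ports in (("tcp", tcp), ("udp", udp)):
        if not ports:
            continue
        grp = f"{acl_name.upper()}_{proto.upper()}"
        lines.append(f"object-group service {grp} {proto}")
        lines += port_objects(ports)
        lines.append(f"access-list {acl_name} permit {proto} any host {public_ip} object-group {grp}")
        if not whole_ip:
            for lo, hi in ports:
                for p in range(lo, hi + 1):
                    lines.append(f"static (inside,outside) {proto} {public_ip} {p} "
                                 f"{inside_ip} {p} netmask 255.255.255.255 0 0")
    if whole_ip:
        lines.append(f"static (inside,outside) {public_ip} {inside_ip} netmask 255.255.255.255 0 0")
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


if __name__ == "__main__":
    # Constructed sample: the thread's port list, with SNMP (161-162) treated as UDP.
    TCP = [(2944, 2945), (49150, 49154), (10020, 10021), (5060, 5060), (5070, 5070)]
    UDP = [(161, 162)]
    print("\n".join(build_pix_config("203.0.113.10", "192.168.1.50", "outside_in", TCP, UDP)))
```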

cozyk1515 Thu, 01/17/2008 - 08:28
Great, I think that they are just going to do any any on the permit.

Thank you for your help!!!
