Port address translation in PIX

Answered Question
Aug 13th, 2008


I'm using a PIX 525 firewall and I want to add a NAT entry to accomplish the target below.

External users direct port 443 requests to unique IP address 203.xxx.xx.xxx, which the PIX redirects to port 8443.

So, if I add it as:

static (inside,outside) tcp 203.xxx.xx.xxx 443 8443 netmask 0 0

Kindly, can someone advise whether this will give what I need as mentioned above?

Marwan ALshawi Wed, 08/13/2008 - 03:16

This is exactly what you need.

Only one more thing you need to add,

which is the permit access list.

for example

access-list 100 permit tcp any host 23.x.x.x eq 443

access-group 100 in interface outside

Good luck.

Please rate if helpful.
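As an added illustration (not from this thread), a small Python check of the two pieces Marwan lists: the static PAT and the inbound ACL bound to the outside interface. It assumes PIX-style `static`/`access-list`/`access-group` syntax and uses constructed addresses (203.0.113.x, 10.50.1.x) in a constructed config snippet.

```python
import re

# Service names the PIX accepts in place of port numbers (subset used here).
PORT_NAMES = {"https": 443, "http": 80, "ssh": 22}

# static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask (\S+)")
# access-list NAME [line N] permit tcp any host IP eq PORT
ACL_RE = re.compile(r"^access-list (\S+)(?: line \d+)? permit tcp any host (\S+) eq (\S+)")
# access-group NAME in interface IFC
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

# Constructed sample config: one 443->8443 redirect that is permitted,
# one 8443->8443 static that has no matching ACL line.
SAMPLE_CONFIG = """
static (inside,outside) tcp 203.0.113.10 443 10.50.1.20 8443 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 8443 10.50.1.21 8443 netmask 255.255.255.255
access-list 200 line 28 permit tcp any host 203.0.113.10 eq https
access-group 200 in interface outside
"""

def port(p):
    """Turn 'https' or '443' into an integer port (None if unknown name)."""
    return int(p) if p.isdigit() else PORT_NAMES.get(p)

def audit(config, mapped_ip, mapped_port):
    """Return (real_ip, real_port) when an inbound TCP flow to mapped_ip:mapped_port
    is both translated by a static PAT and permitted by the ACL bound inbound on the
    mapped interface; otherwise return a string naming what is missing."""
    statics, acl_hits, bound = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, m_ip, m_port, r_ip, r_port, _mask = m.groups()
            statics.append((mapped_if, m_ip, port(m_port), r_ip, port(r_port)))
        elif m := ACL_RE.match(line):
            name, ip, p = m.groups()
            acl_hits.setdefault(name, set()).add((ip, port(p)))
        elif m := GROUP_RE.match(line):
            name, ifc = m.groups()
            bound[ifc] = name
    for mapped_if, m_ip, m_port, r_ip, r_port in statics:
        if (m_ip, m_port) != (mapped_ip, mapped_port):
            continue
        acl = bound.get(mapped_if)
        if acl is None:
            return f"no access-group bound inbound on {mapped_if}"
        if (mapped_ip, mapped_port) not in acl_hits.get(acl, set()):
            return f"ACL {acl} does not permit tcp/{mapped_port} to {mapped_ip}"
        return r_ip, r_port
    return f"no static PAT for {mapped_ip}:{mapped_port}"
```

Running `audit(SAMPLE_CONFIG, "203.0.113.10", 443)` reports the translated inside address and port, while the second static is flagged because no ACL line permits it; the script only reads the config and cannot tell you whether a stale xlate is still in the table, which is what `clear xlate` addresses.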

samantha.lk Wed, 08/13/2008 - 18:01

Many thanks for your valuable response.

I had already added that access-list entry as well, even though I forgot to mention it there.

But unfortunately it is still not allowing outsiders to come inside through HTTPS.

Do I have to restart the firewall or do a clear xlate command in order for that to work?

Further, is there any way to view whether this NAT is working? (any show command or something ..) When I do the show xlate command

it only displays

Global Local 10.50.x.xx

and no port numbers are shown.

Your kind advice is appreciated.

Marwan ALshawi Wed, 08/13/2008 - 18:13

Are you using port 8443 as HTTPS on your internal server?

Basically it should look like

static (inside,outside) tcp 203.xxx.xx.xxx https https netmask

unless you have changed the port number.

And sure, as you mentioned, you have to have the permit ACL.

Do you have the proper config on the server itself?

I mean the default gateway and so on.

Try show nat ?

and see the available nat commands.

Also I would recommend that you,

after changing any NATing, do

clear xlate

If that didn't work,

reload the firewall,

then test the NAT again.

Good luck.

Please rate if helpful.

samantha.lk Wed, 08/13/2008 - 18:44

It was nice to see your prompt response.

As you think, I'm using port 8443 as HTTPS on my internal server.

Let me explain a bit more about this scenario.

Previously our company requirement was to provide access for outsiders to this server on port 8443 (the same as the server's HTTPS port 8443). So I made the changes and it was working fine.

Now they want outsiders to access it through port 443, with the PIX redirecting that traffic to 8443 on the internal server (no change on the server side).

So what I have done is change the previous one-to-one NAT as below.

OLD- static (inside,outside) tcp 203.xxx.xx.xxx netmask 0 0

NEW- static (inside,outside) tcp 203.xxx.xx.xxx https 8443 netmask 0 0

and provided an access-list entry as

access-list 200 line 28 permit tcp any host 203.xxx.xx.xxx eq https

(this is my outside-inbound access list)

Kindly mention whether it is really needed to do clear xlate. Is there any way to only remove a particular entry?

When I do show nat it doesn't show all NATings (only 2 showing, and I have many others also).

Kindly advise.

Many thanks for spending your valuable time on this.

Correct Answer
Marwan ALshawi Wed, 08/13/2008 - 18:57

It needs clear xlate,

and sometimes needs reloading the firewall !!

Try it and let me know.

samantha.lk Wed, 08/13/2008 - 22:47

I reloaded the firewall and it is working now!!!

Many thanks for your valuable advice.