Cisco Support Community
Community Member

Access Server from Real IP

I have a Cisco PIX (Version 6.2) which is running in our infrastructure. I have a server with Local IP ( and I want to access this server through the internet (Real IP:  I just entered the command " static (inside,outside) netmask 0 0 " in the PIX but I didn't access the server. Can you please help me with how I can access this server through the real IP from the internet in the outside network?




Cisco Employee


You would also need to configure access-list on the outside interface to allow the inbound traffic.

I am assuming that you have security level of 100 for the inside interface, and 0 for the outside interface, right?

Cisco Employee


Jouni is right, the ACL that you applied to the outside interface only allows ICMP.

It seems to me that you have a new IP Address (, is this a new IP that has been assigned by your ISP to your company? That IP Address is not in the same subnet as your outside subnet, so you need to ensure that the IP Address belongs to your company, and is not assigned to another company, and that it is being routed to your PIX outside interface ( You can run a packet capture on the PIX outside interface, and see if you are seeing any hitcount as you ping from the Internet. If you see hitcount, that means it is being routed correctly. If you are not seeing any hitcount, it means either the IP Address isn't assigned to your company or it is being routed incorrectly. If you are seeing hitcount, you just have to configure an ACL to allow the access that you require inbound to that IP Address on the outside interface.


Hope that helps.

Super Bronze

Hi,



Are you sure your internal IP address is That seems to be a public IP address actually as the private IP address range is -


Then again I guess it does not matter as long as the internal subnet is using that same address space as the host and NAT is being performed on the firewall.


Since you have configured the Static NAT for the host, have you also configured the ACL to allow traffic to this host from the external network? You are running such old software that I am not sure whether this was configured using "conduit" or was already "access-list".


Naturally you could share the configuration (edit any sensitive information away from the configuration before sharing) so we can take a look at what might be the problem.


- Jouni

Community Member

Hi,


Please find the attached latest configuration.


Can you please mention the configuration/command which I included in our PIX.




Super Bronze




I am not sure if you have changed the ACL configurations during this new configuration, but the ACL configuration seems a bit strange.


The following command tells you what ACL is attached to the "outside" interface to control inbound connections


access-group ping_acl in interface outside


If we look at the ACL it only permits ICMP

access-list ping_acl permit icmp any any


You also have the following ACL configuration on your PIX, but it's not in interface use at the moment


access-list outside_access_in permit tcp any host gw-outside eq 3389
access-list outside_access_in permit tcp any host gw-outside eq https
access-list outside_access_in permit tcp any host gw-outside eq www
access-list outside_access_in permit tcp any host gw-outside eq pop3
access-list outside_access_in permit tcp any host gw-outside eq smtp
access-list outside_access_in permit icmp any any


The above ACL would look to me like the ACL you should be using, considering that you also have Static PAT (Port Forward) configured for those ports (Static PAT configuration below)


static (inside,outside) tcp interface www smtp-inside www netmask 0 0
static (inside,outside) tcp interface pop3 smtp-inside pop3 netmask 0 0
static (inside,outside) tcp interface smtp smtp-inside smtp netmask 0 0
static (inside,outside) tcp interface https smtp-inside https netmask 0 0
static (inside,outside) tcp interface 3389 smtp-inside 3389 netmask 0 0


So if you want to change the above ACL to be used on your external interface then you need to issue this command


access-group outside_access_in in interface outside


You will also need to add a rule for the new public static IP address you used in the Static NAT configuration.


To allow traffic to the new internal host you would have to add something like this. Notice that I only gave an example. You simply need to add statements for the ports/protocol that need to be allowed through the firewall to this internal host. I don't think you mentioned them in the original post so I don't know exactly what needs to be allowed.


access-list outside_access_in permit tcp any host eq <port number>
access-list outside_access_in permit udp any host eq <port number>


Hope this helps :)


- Jouni
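
An added example, not part of the original thread or the poster's configuration: a small Python audit that finds the ACL bound inbound to the outside interface and lists every static translation with no matching TCP/UDP permit in it, which is the mismatch described in the reply above. The addresses 192.0.2.10 and 10.0.0.5, the netmasks, and the treatment of gw-outside as the name of the outside interface address are assumptions made for the sample.

```python
import re

# Constructed sample modelled on the thread's config. 192.0.2.10 / 10.0.0.5 and
# the netmasks are placeholders, not values from the original post.
SAMPLE = """\
access-list ping_acl permit icmp any any
access-list outside_access_in permit tcp any host gw-outside eq www
access-list outside_access_in permit tcp any host gw-outside eq smtp
access-list outside_access_in permit icmp any any
access-group ping_acl in interface outside
static (inside,outside) tcp interface www smtp-inside www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp smtp-inside smtp netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.10 10.0.0.5 netmask 255.255.255.255 0 0
"""

def bound_acl(cfg, iface="outside"):
    """Name of the ACL attached inbound to `iface`, or None."""
    m = re.search(rf"^access-group (\S+) in interface {re.escape(iface)}\s*$", cfg, re.M)
    return m.group(1) if m else None

def permits(cfg, acl):
    """Set of (proto, dst, port) permitted from any source; '' means any."""
    pat = rf"^access-list {re.escape(acl)} permit (\S+) any (?:host (\S+)|any)(?: eq (\S+))?\s*$"
    return set(re.findall(pat, cfg, re.M))

def statics(cfg, iface_addr):
    """(proto, mapped_addr, port) per static; proto None = whole-host static NAT."""
    pat = r"^static \(inside,outside\) (?:(tcp|udp) (\S+) (\S+) \S+ \S+|(\S+) \S+) netmask"
    for proto, pat_addr, port, nat_addr in re.findall(pat, cfg, re.M):
        if proto:  # static PAT; "interface" means the outside interface address
            yield proto, (iface_addr if pat_addr == "interface" else pat_addr), port
        else:
            yield None, nat_addr, None

def unreachable(cfg, iface="outside", iface_addr="gw-outside"):
    """Statics with no matching TCP/UDP permit in the ACL bound to `iface`.
    Assumption: `iface_addr` is the name the ACL uses for the interface address."""
    acl = bound_acl(cfg, iface)
    rules = permits(cfg, acl) if acl else set()
    def covered(proto, addr, port):
        return any(p != "icmp" and d in (addr, "") and
                   (proto is None or (p in (proto, "ip") and q in (port, "")))
                   for p, d, q in rules)
    return [s for s in statics(cfg, iface_addr) if not covered(*s)]

if __name__ == "__main__":
    for proto, addr, port in unreachable(SAMPLE):
        print("no inbound permit for", proto or "any-proto", addr, port or "")
```

With ping_acl bound, all three statics are reported; after binding outside_access_in only the new static NAT address remains until a permit for it is added.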
