Cisco Support Community

New Member

Cisco PIX501 inbound deny

I'm trying to translate port 8080 on the external interface to port 80 on the host and ran the following commands. h.h.h.h is the host I want to have http traffic go to and y.y.y.y is the static outside address of the PIX. The first command is from the PDM, the second is a best guess at using the CLI to make it work.


name h.h.h.h webserver
pdm location h.h.h.h inside
static (inside,outside) h.h.h.h h.h.h.h netmask 0 0
access-list inbound_web permit tcp any host webserver eq 8080
static (inside,outside) tcp y.y.y.y 8080 h.h.h.h 80 netmask
access-group inbound_web in interface outside
wr mem
clear xlate


Here's what the log shows:

106023: Deny tcp src outside: dst inside:y.y.y.y/8080 by access-group "inbound_web"


Now, is the log entry telling me something when there is the word "inside" next to the external IP address?

Thanks in advance!

Cisco Employee

Re: Cisco PIX501 inbound deny


If your webserver is h.h.h.h, your ACL is wrong.

You are not allowing traffic to the public IP address (y.y.y.y)

Please check below:

h.h.h.h = webserver internal IP address

y.y.y.y = webserver public IP address

Now you want to redirect incoming traffic over port 8080 from the outside to go to the internal host over port 80.

static (inside,outside) tcp y.y.y.y 8080 h.h.h.h 80 netmask

Now the ACL:

access-list inbound permit tcp any host y.y.y.y eq 8080
access-group inbound in interface outside

Hope it helps,

Franco Zamora

New Member

Re: Cisco PIX501 inbound deny

Worked great, thanks!

Cisco Employee

Re: Cisco PIX501 inbound deny


I'm happy to hear that! Please remember to rate my post!

Have a nice day!

Franco Zamora


Re: Cisco PIX501 inbound deny


Your access list isn't correct.

If h.h.h.h is an internal IP address, and y.y.y.y is an external IP address, the packet that hits the ACL will be destined for y.y.y.y. (ACL is checked before NAT occurs)

You have the name 'webserver' set up to be h.h.h.h. Change it to be y.y.y.y (if you're not using that name elsewhere) and it should fix itself.


Please rate this message if it helped solve some or all of your issue.
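The point both answers make (on PIX 6.x the outside ACL is evaluated against the untranslated public address, so "host webserver" resolving to the inside IP never matches) can be checked by modelling that processing order. This is an added example, not code from the thread or from Cisco; the config text, the documentation addresses 192.0.2.1 (public) and 10.1.1.10 (inside) and the full "netmask 255.255.255.255" on the static line are constructed stand-ins for y.y.y.y and h.h.h.h.

```python
"""Model of PIX 6.x inbound processing for a static port-forward: the ACL on the
outside interface sees the destination *before* NAT, so it must name the public
(global) address, not the inside host.  Config text and addresses are constructed."""

BROKEN = """
name 10.1.1.10 webserver
static (inside,outside) tcp 192.0.2.1 8080 10.1.1.10 80 netmask 255.255.255.255
access-list inbound_web permit tcp any host webserver eq 8080
access-group inbound_web in interface outside
"""

FIXED = """
name 10.1.1.10 webserver
static (inside,outside) tcp 192.0.2.1 8080 10.1.1.10 80 netmask 255.255.255.255
access-list inbound permit tcp any host 192.0.2.1 eq 8080
access-group inbound in interface outside
"""

def parse_config(text):
    """Collect 'name', 'static ... tcp' and 'access-list ... host ... eq' lines."""
    names, statics, acls = {}, [], {}
    for line in text.strip().splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "name":                          # name <ip> <alias>
            names[f[2]] = f[1]
        elif f[0] == "static" and f[2] == "tcp":    # static (in,out) tcp <gip> <gport> <lip> <lport>
            statics.append((f[3], int(f[4]), f[5], int(f[6])))
        elif f[0] == "access-list":                 # access-list <id> permit tcp any host <dst> eq <port>
            host = names.get(f[6], f[6])            # resolve a configured name to its IP
            acls.setdefault(f[1], []).append((f[2], host, int(f[8])))
    return names, statics, acls

def inbound(config, acl_id, dst_ip, dst_port):
    """Return ('deny', None) or ('permit', (inside_ip, inside_port)) for an outside->inside packet."""
    _, statics, acls = parse_config(config)
    # Step 1: the outside ACL is matched against the untranslated (global) destination.
    verdict = "deny"                                # implicit deny at the end of every ACL
    for action, host, port in acls.get(acl_id, []):
        if host == dst_ip and port == dst_port:
            verdict = action
            break
    if verdict != "permit":
        return ("deny", None)                       # what syslog 106023 reports
    # Step 2: only a permitted packet reaches the static translation.
    for gip, gport, lip, lport in statics:
        if gip == dst_ip and gport == dst_port:
            return ("permit", (lip, lport))
    return ("deny", None)
```

Running inbound(BROKEN, "inbound_web", "192.0.2.1", 8080) yields the deny from the original post, while inbound(FIXED, "inbound", "192.0.2.1", 8080) permits and maps the packet to 10.1.1.10:80.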
