
New Member

different port numbers for the same application

hi

Is it possible to configure 2 different port numbers for the same protocol? I.e., there is a fixup command we use in the PIX firewall:

fixup protocol http 80
fixup protocol http 8090

Can somebody tell me whether we can use 2 different port numbers for the same application or not, and in what circumstances?

Thanks

6 REPLIES
New Member

Re: different port numbers for the same application

I assume you are referring to PIX OS 7.x.

If so, simply modify your class-map to match whatever ports you want. Then apply your inspection rule to that class-map inside of your policy-map.

! A Layer 3/4 class-map takes a single match statement, so list both ports in an access-list
access-list my-app-ports extended permit tcp any any eq 80
access-list my-app-ports extended permit tcp any any eq 8090
class-map my-app
 match access-list my-app-ports
policy-map my-map
 class my-app
  inspect http
service-policy my-map interface myinterface

This should allow you to accomplish what you want. You can get very specific with the class-map and have it only apply to certain traffic based on access lists. Check out the PIX OS 7.x documentation for more, but I think this will get you started.

New Member

Re: different port numbers for the same application

yes, I am using pix OS 7 version. But I would like to know in what circumstances we will be using different port numbers for the same protocol/application? Are we providing extra security by using different port numbers?

New Member

Re: different port numbers for the same application

Sometimes changing the default port does provide for extra security because "kiddie scripters" and botnets may not automatically detect an open port, especially if it's a port of non-interest.

Other times, certain types of HTTP servers and other services run on different IP ports. For example, Apache Tomcat will often run on 8080, VMware ESX HTTP console runs on 8222, Symantec AV for Exchange HTTP console runs on 8081, etc., etc.

There's also another reason, and that's for PAT, if you have a limited number of external IP addresses. For example, you can port forward outside address 169.90.9.1:80 to internal 192.168.1.1:80 and at the same time forward 169.90.9.1:8888 to 192.168.1.2:80. This way, you are able to publish two internal, physical web servers with only one external IP address. Of course, the :80 port identifier is not necessary in the URI since that is the default HTTP port, but it's included for clarification.

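The PAT scenario above, combined with the class-map from the first reply, as an added PIX 7.x configuration example (not from the original thread). It publishes the two inside web servers on 169.90.9.1:80 and 169.90.9.1:8888, opens only those two mapped ports from the outside, and tells the HTTP inspection about the non-standard port; the interface names, access-list names and class/policy names are assumed.

```cisco
! Publish two inside web servers behind one outside address (constructed example)
static (inside,outside) tcp 169.90.9.1 80 192.168.1.1 80 netmask 255.255.255.255
static (inside,outside) tcp 169.90.9.1 8888 192.168.1.2 80 netmask 255.255.255.255
!
! Inbound ACL references the mapped address; only the two published ports are allowed
access-list outside_in extended permit tcp any host 169.90.9.1 eq 80
access-list outside_in extended permit tcp any host 169.90.9.1 eq 8888
access-group outside_in in interface outside
!
! HTTP inspection must also cover 8888, otherwise that flow is not inspected as HTTP
access-list http-ports extended permit tcp any any eq 80
access-list http-ports extended permit tcp any any eq 8888
class-map web-published
 match access-list http-ports
policy-map outside-policy
 class web-published
  inspect http
service-policy outside-policy interface outside
```

After applying it, "show service-policy interface outside" should list the inspect http counters for the class, and "show xlate" should show the two static port translations.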
New Member

Re: different port numbers for the same application

Thanks for your reply. I got it now.

Does PIX support PAT when we create a PIX-to-PIX IPsec tunnel? Because when we create the tunnel, all data gets encrypted, including header and payload. My question is, how does it maintain the uniformity between the different port numbers? Do we need to disable NAT/PAT before creating the tunnel? There is a confusion.....

Can you please explain it to me?

Vin

New Member

Re: different port numbers for the same application

My earlier statements were for non-tunneled traffic only (i.e., originating from the internet.)

It is common practice to disable NAT/PAT when creating IPsec tunnels between PIX firewalls. You can do this with the nat 0 statement. For example,

nat (inside) 0 access-list nonat

You would then create an access list for the traffic that you do not want to NAT (the ipsec traffic).

access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

Where 192.168.1.0 is your local network and 172.16.1.0 is the remote network. You would do the reverse of the access-list statement on the other PIX.

It is also common practice to enter the following command:

sysopt connection permit-ipsec

That command will let the VPN traffic bypass the access lists configured for regular traffic. In this way, you don't have to create access lists like:

access-list outside2inside permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

New Member

Re: different port numbers for the same application

Thanks, yeah, it has been resolved. I appreciate it.

vin
