Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Opening up a port

Question for you I have a 515E firewall and I have an internal machine that needs to connect an external host on the internet inorder for me to do that all I would need to do is:

nat(inside) 100

global(outside) 100

I don't need to specify the ip address and port number of the distant end machine:

nat(inside) 100 4001


Re: Opening up a port

Um, not quite. Define what all those ip's are for us and we'll show you how to do it. I'm assuming you cannot get anywhere outside yet? As long as you don't have an acl on the inside interface and your nat is set up, inside will be able to go anywhere outside by default.

New Member

Re: Opening up a port

I have an internal machine and I need it to connect to an external machine via the internet. The external machines ip and port are port 4001

IP address is cognet the internet provider

New Member

Re: Opening up a port

sorry to answer your question yes currently that internal machine cannot get out it this is a new connection


Re: Opening up a port

Allowing the port out is not your problem. Can you post your pix config and give us a topology of your network with ip address scheme. thanks.

New Member

Re: Opening up a port

Here is config...

New Member

Re: Opening up a port

topology goes as follows:

chirt1 -> chipix1 -> chirt5 -> Cogent network

Cisco Employee

Re: Opening up a port


an example:

inside ip:

an ip address on internet :

inside ip need to contact

what u need :

nat (inside) 1

global (outside) 1 interface while going outside on internet to will get translated to the outside interfaces ip address.

source ip address on inside :

destination ip address on inside :


when this packet reaches the outside interface of firewall:

source ip address of packet : outside interface's ip address.

destination ip address :


inside:sec level 100

outside: sec level 0

when u send traffic from higher sec level interface (inside) to lower sec level interface (outside),you need the translation rule defined for nat or pat.

(nat and global ) commands.

as we say,by default the traffic is allowed from higher sec zone to lower one,by that we mean that we do not need any access-list to permit the traffic.

that is,if there's no access-list on inside interface,all the traffic is allowed to go to outside ,if we have corresponding nat and global.

if you have put even a single access-list on inside interface,then you need to define access-list for all the traffic,you need to permit.( as in the end of the access-list,there's an implicit deny ).

now,in your case,you should be able to access that remote ip on internet.

hope this clears how pix/asa works.

CreatePlease login to create content