Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 501 allow PC Anywhere PAT

Greeting all Cisco PIX followers and enthusiasts.

I've successfully set up the PIX to allow traffic inside to outside without a problem.

I'm having having trouble setting up ACL's for ports, say, 5631 through 5636 on single static IP address assigned by the ISP. Unable to ping to global IP.

I prefer not use conduits. I've setup a static route like so; static (inside,outside) netmask as the PIX is connected to a router on the outside that does all the NAT'ing. Did not use the NAT 0 method. is the network IP of the inside LAN.

I've tried the following:

access-list pcany_data permit tcp any host eq 5631

access-list pcany_status permit udp any host eq 5632

access-group pcany_data in interface outside

access-group pcany_status in interface outside

The 211.236 etc. is the global IP assigned statically by my ISP.

Any comments regarding the syntax of these commands if they are incorrect or if there is another way.

A response encourages me to do likewise those that I can help out as well.


New Member

Re: PIX 501 allow PC Anywhere PAT

You say that the 211.236 etc. is the global IP assigned statically by your ISP. what about the station that run PCAnywhere? Is it inside PIX firewall? If yes who takes care of the NAT for that host? The cisco router? If yes then your access-lists should change and be like:

access-list pcany permit tcp any host 192.168.1.x eq 5631

access-list pcany permit udp any host 192.168.1.x eq 5632

access-group pcany in interface outside

I hope that helps...

New Member

Re: PIX 501 allow PC Anywhere PAT

Thank you for your response, answer to questions are

Global IP is bound the WAN interface on the router.

The router does all the NAT work not the PIX

The router is attached to the outside (off E0)

Station that hosts PC Anyhwere is on the inside (off E1).

I've already tried the access-list commands before I sent off my first posting.

At least that shows I'm heading in the right direction.

Should I post the complete text output of show configure ? it's rather long.

New Member

Re: PIX 501 allow PC Anywhere PAT

It appears the reponse by pavlosd is correct.

What I didn't know at the time though is any number of rules are possible to add to one acl list name but trying to create mutiple acl's and then applying them in succession by access-group in interface command only applies the last acl name in the access-group overiding all those before it and is only applicable where muliple interfaces are available and dirrent acl's for each interface.

New Member

Re: PIX 501 allow PC Anywhere PAT

One problem is you can only have one access-list applied to an interface for each direction. You have tried to add two named access-list to the same interface in the same direction. If you do a wr t, only one should be listed.

CreatePlease login to create content