Cisco Support Community

New Member

PIX 501 & pcAnywhere

On a PIX 501 (6.1) with one static IP on a DSL connection, how can I open the tcp 5631 and udp 5632 ports for a pcAnywhere connection from one specific source/external IP to one specific host on the internal network?

I'm using PAT -- global (outside) 1 interface

NAT is set with -- nat (inside) 1

I've tried access-list:

access-list acl_out permit tcp host sss.sss.sss.sss eq 5631 host ddd.ddd.ddd.ddd eq 5631

access-list acl_out permit udp host sss.sss.sss.sss eq 5632 host ddd.ddd.ddd.ddd eq 5632

access-group acl_out in interface outside

I've tried conduit:

conduit permit tcp host ggg.ggg.ggg.ggg eq 5631 host sss.sss.sss.sss eq 5631

conduit permit udp host ggg.ggg.ggg.ggg eq 5632 host sss.sss.sss.sss eq 5632


Do I need to use the static command and have a second public IP address for that? Can I use a nat (inside) 0 access-list acl_out command along with my existing nat and global settings?

Again, I only want access to one particular machine behind the PIX.


Cisco Employee

Re: PIX 501 & pcAnywhere

Basics first:-

- you need to create a static command and conduit/ACL for any traffic initiated from outside to inside.

- nat/global statements only work for traffic initiated from inside to outside.

Now, for your problem, you need to create a static and do port redirection.

Hope that helps
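
The static with port redirection plus a source-restricted ACL that this reply describes, as an added example (not part of the original thread, and not a configuration supplied by Cisco or the posters). It assumes PIX 6.x syntax; sss.sss.sss.sss (permitted external source), ggg.ggg.ggg.ggg (PIX outside address) and iii.iii.iii.iii (inside pcAnywhere host) are placeholders.

```cisco
: Constructed example for PIX 6.x. Placeholders (assumptions, not from a real device):
:   sss.sss.sss.sss = the one permitted external source IP
:   ggg.ggg.ggg.ggg = the PIX outside (public) IP
:   iii.iii.iii.iii = the internal pcAnywhere host
:
: Port redirection: map 5631/tcp and 5632/udp on the outside interface address
: to the same ports on the single inside host. No second public IP is used.
static (inside,outside) tcp interface 5631 iii.iii.iii.iii 5631 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5632 iii.iii.iii.iii 5632 netmask 255.255.255.255 0 0
:
: Permit only the one source. The destination is the public (translated) address,
: not the inside address, and only the destination port is matched. Writing
: "eq 5631" after the source host would also require the source port to be 5631.
access-list acl_out permit tcp host sss.sss.sss.sss host ggg.ggg.ggg.ggg eq 5631
access-list acl_out permit udp host sss.sss.sss.sss host ggg.ggg.ggg.ggg eq 5632
access-group acl_out in interface outside
:
: The existing PAT for outbound traffic (nat (inside) 1 / global (outside) 1 interface)
: stays as it is. After adding or changing statics, clear stale translations:
clear xlate
```

Everything not matched by acl_out is dropped by the implicit deny at the end of the list, so other sources cannot reach the redirected ports.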


New Member

Re: PIX 501 & pcAnywhere

Hello all,

I have a conduit command on my PIX that allows a ping from workstations on my LAN to reach a remote machine across the net.

conduit permit icmp host

The host ip above is my (outside) IP address on my PIX. How can I accomplish the same thing with an access-list?

I believe NAT allows all (pings) out but the reply just cannot get back in. Do I place an access-group on the (outside) interface "in"?


Jerry Roy