Cisco Support Community
Community Member

Port 9999 through PIX

One of our site offices has a PIX 506E firewall, and connectivity through the PIX is all well except for port 9999.

The access-list applied on outside interface (inbound) is below.

access-list acl_out line 1 permit icmp any any (hitcnt=5)

access-list acl_out line 2 deny ip any (hitcnt=0)

access-list acl_out line 3 permit ip any host (hitcnt=163)

access-list acl_out line 4 permit tcp any host eq 9999 (hitcnt=0)

access-list acl_out line 5 permit ip any host (hitcnt=2)

We need to allow telnet to on port 9999. When tried, the hit counter goes up but the PC returns the following message.

C:\>telnet 9999

Connecting To not open connection to the host, on port 9999: Connect failed

However, if I try to telnet on 9999 internally, it works fine.

Can anyone see anything that I am doing wrong? Are there any fixup protocols associated that I may need to disable to get this working?

Many Thanks.

Cisco Employee

Re: Port 9999 through PIX

You also need a static command for that host, since this traffic is from lower->higher interfaces.

You can also run the "capture" command on both the inside and outside interfaces to see the traffic and make sure it's 1) getting through the PIX and 2) getting a reply back from the inside host. The "capture" command is detailed here:

You can define two different ACLs, one for traffic hitting the outside int to/from the PC you're telnetting from, and one for traffic hitting the inside int to/from the server. Then run two capture commands, one specifying the first ACL and assigned to the outside int, the other specifying the second ACL and assigned to the inside int. Then after it fails, check both captures and you should see the whole SYN/SYN-ACK/ACK handshake go back and forth. You'll also be able to see where it is failing, and whether it's the inside host or the PIX at fault.
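The static-plus-capture procedure described in the reply above, written out as an added example; this is not configuration from the original thread or from Cisco, and the addresses are placeholders I am assuming (203.0.113.10 as the public address the outside PC connects to, 192.168.1.10 as the real inside server, 198.51.100.5 as the PC doing the telnet). The syntax is PIX 6.x. Note that the inside-interface capture has to match the server's real (untranslated) address, because the static translation has already been applied by the time the packet reaches the inside interface; a capture ACL written against the public address will show nothing there. The ACL entry is deliberately restricted to the one host and one port rather than "permit ip any host", which is the least-privilege form for this requirement.

```cisco
! Added example, not from the thread. All addresses are assumed placeholders.
!
! 1) Static translation: outside clients reach the inside server via 203.0.113.10.
!    Required for lower->higher (outside->inside) connections, as the reply notes.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! 2) Permit only the port that is needed, to the mapped (public) address,
!    and make sure the ACL is actually bound inbound on the outside interface.
access-list acl_out permit tcp any host 203.0.113.10 eq 9999
access-group acl_out in interface outside
!
! 3) Capture on the outside interface: match both directions between the
!    telnetting PC and the PUBLIC address of the server.
access-list cap_out permit tcp host 198.51.100.5 host 203.0.113.10 eq 9999
access-list cap_out permit tcp host 203.0.113.10 eq 9999 host 198.51.100.5
capture cap_out access-list cap_out interface outside
!
! 4) Capture on the inside interface: here the packet has already been
!    translated, so match the REAL inside address of the server.
access-list cap_in permit tcp host 198.51.100.5 host 192.168.1.10 eq 9999
access-list cap_in permit tcp host 192.168.1.10 eq 9999 host 198.51.100.5
capture cap_in access-list cap_in interface inside
!
! 5) Reproduce the failed telnet from 198.51.100.5, then inspect both buffers.
!    Expect SYN (PC->server), SYN-ACK (server->PC), ACK (PC->server) in each.
!    SYN seen on outside but not inside  -> dropped by the PIX (static/ACL/xlate).
!    SYN seen on inside, no SYN-ACK      -> inside host not answering on 9999.
!    SYN-ACK on inside but not outside   -> reply dropped on the way back out.
show capture cap_out
show capture cap_in
!
! 6) Clean up once done; captures consume memory on a 506E.
no capture cap_out
no capture cap_in
clear access-list cap_out
clear access-list cap_in
```

The access-list hit counter going up (as the original post reports) only shows that the inbound ACL matched the SYN; it does not prove a translation existed or that the server replied, which is exactly why the two captures are worth the effort.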
