Port redirect to inside host on a Cisco PIX firewall
How to configure a PIX to redirect traffic to an inside host via port redirection. An example would be if you allowed your PIX to get its external address via DHCP but wanted to access an FTP server on the inside of your firewall, as well as maybe another host for VNC.
First you have to add a static entry for the host and port redirecting like this:
static (inside,outside) tcp 68.206.140.100 ftp 192.168.1.100 ftp netmask 255.255.255.255
static (inside,outside) tcp 68.206.140.100 5900 192.168.1.110 5900 netmask 255.255.255.255
Note: 68.206.140.100 is the address of your outside interface, which was assigned via DHCP.
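Then you need to build an ACL to allow access through the PIX:
access-list outside-inbound permit tcp any host 68.206.140.100 eq ftp
access-list outside-inbound permit tcp host 65.205.64.60 host 68.206.140.100 eq 5900
The ACL only takes effect once it is applied to the outside interface:
access-group outside-inbound in interface outside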
Now you can FTP from anywhere to the outside IP address of the PIX and be redirected to the inside FTP server at 192.168.1.100.
You can now also VNC to the outside interface from 65.205.64.60, the only source the ACL permits for port 5900, and be redirected to 192.168.1.110 to access that server via VNC.
This is very helpful at times on smaller PIXes on broadband connections.
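A quick way to review a configuration like this one is to check every static port redirect for a matching permit rule, an access-group binding on the same interface, and the source restriction. The script below is an added example, not part of the original post or of any Cisco tool; the function name audit and the sample text are assumptions, and it only understands the simple PIX 6.x line forms shown above.

```python
import re

# Constructed sample: the static and access-list lines shown above, with no access-group binding.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 68.206.140.100 ftp 192.168.1.100 ftp netmask 255.255.255.255
static (inside,outside) tcp 68.206.140.100 5900 192.168.1.110 5900 netmask 255.255.255.255
access-list outside-inbound permit tcp any host 68.206.140.100 eq ftp
access-list outside-inbound permit tcp host 65.205.64.60 host 68.206.140.100 eq 5900
"""

STATIC_RE = re.compile(r"^static \(\s*\w+\s*,\s*(\w+)\s*\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (any|host \S+) host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit(config):
    """Return (redirect, status) for each static port redirect in the config text."""
    statics, acls, bound = [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.append(m.groups())
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)  # ACL name -> interface it filters
    findings = []
    for out_if, proto, pub_ip, pub_port, in_ip, in_port in statics:
        # Ports are compared literally, so "ftp" and "21" are treated as different.
        rules = [a for a in acls if a[1] == proto and a[3] == pub_ip and a[4] == pub_port]
        live = [a for a in rules if bound.get(a[0]) == out_if]
        if not rules:
            status = "no permit rule"
        elif not live:
            status = "ACL not bound with access-group"
        elif any(a[2] == "any" for a in live):
            status = "reachable from any source"
        else:
            status = "restricted to " + ", ".join(a[2] for a in live)
        findings.append((f"{pub_ip}:{pub_port} -> {in_ip}:{in_port}", status))
    return findings

if __name__ == "__main__":
    fixed = SAMPLE_CONFIG + "access-group outside-inbound in interface outside\n"
    for label, cfg in (("without access-group", SAMPLE_CONFIG), ("with access-group", fixed)):
        for redirect, status in audit(cfg):
            print(f"{label}: {redirect} | {status}")
```

Run against a saved copy of the running configuration, the "reachable from any source" rows are the redirects to review first, such as the FTP rule here.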

groucho said on December 15, 2009
You need an “access-group” command in there.
From the PIX 6.3 admin guide:
The following example illustrates the three commands required to enable access to a web server with the external IP address 209.165.201.12:
static (inside, outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 209.165.201.12 eq www
access-group acl_out in interface outside
Anonymous said on January 29, 2010
What port do you use to access a Windows VPN server on the inside of the firewall?
Donna said on December 14, 2011
You saved my night after 5 hours of searching. Thanks very much, very much.