Port Redirect to Inside Host on a Cisco PIX Firewall

Posted September 23, 2004 by lvance in Cisco firewall

This Tech-Recipes tutorial explains how to configure a PIX to redirect traffic to an inside host via port redirection. An example would be if you allowed your PIX to get its external address via DHCP, but you wanted to reach an FTP server on the inside of your firewall as well as another host for VNC.

First, you have to add a static entry for each host and port you want redirected, like this:
static (inside,outside) tcp ftp ftp netmask
static (inside,outside) tcp 5900 5900 netmask

Note: The is your outside interface that was assigned via DHCP.

Then you need to build an ACL to allow access through the PIX:

access-list outside-inbound permit tcp any host eq ftp
access-list outside-inbound permit tcp host host eq 5900

Now, you can FTP from anywhere to the outside IP address of the PIX and be redirected to on the inside FTP server.

You can now also VNC to the outside interface and be redirected to and access that server via VNC.

This is very helpful at times on smaller PIX firewalls on broadband connections, etc.
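The complete set of commands, put together as an added example (this is not the tutorial's own configuration, and the tutorial's address values are not recoverable here). It assumes PIX 6.3 syntax, where the interface keyword stands in for an outside address learned via DHCP, both in the static and in the access-list; the inside hosts 192.168.1.10 and 192.168.1.20 and the trusted VNC client 203.0.113.5 are constructed placeholders, and the access-group binding is the step a reader in the comments points out as missing:

```cisco
! Added example, not from the original tutorial. Assumes PIX 6.3 syntax.
! 192.168.1.10 / 192.168.1.20 (inside FTP and VNC hosts) and 203.0.113.5
! (trusted VNC client) are constructed placeholder addresses; replace them.
!
! Port redirection. The outside address comes from DHCP, so the "interface"
! keyword is used instead of a fixed global address. Only TCP/21 and
! TCP/5900 are translated; nothing else on the outside address is exposed.
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 192.168.1.20 5900 netmask 255.255.255.255 0 0
!
! Inbound ACL. FTP is reachable from any source, as in the tutorial; the
! VNC port is limited to one trusted client, following the tutorial's own
! 5900 rule, rather than opened to "any". Everything not listed is denied.
access-list outside-inbound permit tcp any interface outside eq ftp
access-list outside-inbound permit tcp host 203.0.113.5 interface outside eq 5900
!
! Bind the ACL to the outside interface. Without this line the ACL exists
! but is not enforced, and the redirected ports remain unreachable.
access-group outside-inbound in interface outside
!
! Verification after a test connection from outside:
!   show xlate         - lists the port translations for 21 and 5900
!   show access-list   - per-entry hit counts show which rule matched
```

If the VNC client address is not fixed, keep the rule as tight as possible (a host or small subnet) rather than widening it to any, since the ACL is the only thing standing between the Internet and the redirected desktop session.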

The Conversation


  • groucho

    You need an “access-group” command in there.
    From the pix 6.3 admin guide:
    The following example illustrates the three commands required to enable access to a web server with the external IP address
    static (inside, outside) netmask 0 0
    access-list acl_out permit tcp any host eq www
    access-group acl_out in interface outside

  • Anonymous

    What port do you use to access a Windows VPN server on the inside of the firewall?

  • Donna

    You saved my night after 5 hours of searching. Thanks very much, very much.

  • nidz

    I know this how-to is already old, but it helped me solve the issue of port forwarding to our host in the inside network.

    Great job, thanks …