Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Pix is confusing me now .

Pix is confusing me now . 11 years 2 months ago #9620

  • Xtreme
  • Xtreme's Avatar
  • Offline
  • New Member
  • Posts: 1
  • Karma: 0
Hi all ..
im getting confused with the access lists on pix .

i have natted (inside,outside) a global ip XYZ to a Private ip 123

now lets say that im running an FTP Server on the local machine on port 30 and i want Users from Outside to Be able to access it through PIX .

So i will Use access list .

Pix got 2 infs *assuming not using DMZ .


Q1 . Where shall i assign the access list ?( using grouping in infs)

Q2. in access list command it should look like this . but which one ?
host (local|global) to any
any to host (local|global) ?

access-list (interfacename) permit tcp any host IPADDY eq 30

which ip should i give the local or xternal ? and should it be ANY to IP
IP to ANY ?

i will be glad if some1 can help me understand this dunno what im doing is rite or wronge .
thnx .
The administrator has disabled public write access.

Pix is confusing me now . 11 years 2 months ago #9685

  • sidd
  • sidd's Avatar
  • Offline
  • Frequent Member
  • Posts: 34
  • Karma: 0

Lets assume that u have an FTP server on the inside network. Its ip address is You want that the users from the outside should be able to access it. For that u need to create two things
1) Access list for an interface
2) Static entry

So lets assumed that u have the public ip address as x.x.x.x (Note:- This x.x.x.x is not supposed to be used anywhere, this IP has to be a free ip address)

So the static entry would be as following for the internal FTP server

Static (inside,outside) x.x.x.x

This command would mapp the internal ip address directly to the external ip address, But people would still not be able to communicate on ur public ip address coz we have not created the access rule for that specific interface...

So the access rule would be like

access-list 101 permit tcp any host x.x.x.x eq ftp

Now this command say's that an access list by the name of 101 would permit communication on TCP protocol from any source to a specific host which is x.x.x.x on a specific port 21.

Now since the users would be coming from outside to inside so that access list has to be binded on the outside interface of the firewall and to achieve that we apply the access-group command

access-group 101 in interface outside.

Few things that u should keep handy with PIX firewall are

static (high,low) low high {Formula for the static command}

The inside interface of the pix would always be on 100 security and outside would be 0. The security on the DMZ would be always between 1-99....
What difference it makes? Well anything coming from a high security zone going to a low security zone is always allowed .... inside interface to outisde interface...

And anything from low security zone to high security zone is always dropped... outside to inside...

so inside to outside is always allowed and inside to dmz is always allowed but from outside to inside is always dropped and outside to dmz is also always dropped. Now from dmz to inside is also dropped .....

Incase u still have any doubts feel free to get back to me ..........

The administrator has disabled public write access.
Time to create page: 0.073 seconds


Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V


  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup