

PIX 501 and Static NAT


I am a newbie here and I need a suggestion on how to configure my PIX 501.

I have an IP phone which needs to reach the IP Central, which is in another LAN, and I need to arrive there with the ADSL connection.

Now I have a public IP on my PIX (89.x.x.34) and I'll point there with the IP phone. But I have to tell the PIX to forward all the UDP and TCP traffic arriving from port 5060 to the corresponding internal LAN IP of the IP Central (192.168.x.50).

They told me to open the ports in the range UDP 10.000 - 15.000, but I don't know why.

As I told you, I am new and I don't know how to do it.

I tried the following but without success:

try #1: ip nat inside source static tcp 192.168.x.50 5060 89.x.x.34 5060 extendable

try #2: static (inside) TCP 192.168.x.50 89.x.x.34 eq 5060

Do you have any suggestions to help me?

Thanks in advance.



Hi Stefano,

For a static NAT you would do this

static (inside,outside) 89.x.x.34 netmask

For allowing ports of tcp and udp

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list acl_out extended permit object-group TCPUDP any host 89.x.x.34 range 10000  15000

access-list acl_out extended permit udp any host 89.x.x.34 eq sip

access-group acl_out in interface outside


Here Sip refers to port 5060

Please don't forget to rate helpful posts.

"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."


hi there,

first of all thanks for the answer.

I have some questions:

This line

static (inside,outside) 89.x.x.34 netmask

forwards all the traffic on the il, but I have to forward just the protocol 5060 UDP and 5060 FTP traffic on that IP. If I apply that line (and I did ;-) LOL) I blocked all the web on the other clients, so I had to remove the line. To do what I need, is it enough to do this:

static (inside,outside) 89.x.x.34 netmask eq 5060 (??)

or this

static (inside,outside) UDP 89.x.x.34 netmask  (??)

static (inside,outside) FTP 89.x.x.34 netmask  (??)

I couldn't complete the configuration because when I finished writing the line

protocol-object tcp

and I was in this mode DevicePIX(protocol-conf)#

I tried to write the access-list part, but when I finished typing the 1st line it told me

ERROR: not a valid permission

Can you help me to solve this problem?

Thank you in advance for your kind answer.


PS: My PIX Version is the 6.3(5)


I forgot to write a line

access-group acl_out in interface outside

By this you are only allowing the ports tcp and udp for the range 10000 to 150000

static (inside,outside) 89.x.x.34 192.168.x.50 netmask eq 5060

nat (inside) 1 192.168.x.50
By this you are allowing internet access to the 192.168.x.50 with the port 5060 only

Try this

"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
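
The port-redirection form this thread is working toward, written in PIX 6.3 syntax as an added example that is not from any of the posters. It assumes 89.x.x.34 is the address of the PIX outside interface, leaves out the `extended` keyword (a PIX 7.x and later addition that 6.3 does not accept), and does not cover the RTP range 10000-15000.

```cisco
: Constructed example for PIX 6.3(5). Addresses keep the thread's masked
: form (89.x.x.34, 192.168.x.50). Lines starting with ":" are comments.

: Assumed to be in place already: outbound PAT for the other LAN clients.
: nat (inside) 1 0.0.0.0 0.0.0.0
: global (outside) 1 interface

: Broad form, shown for contrast only: a one-to-one static hands every
: port of the public address to the IP Central. The thread reports that
: applying it to 89.x.x.34 blocked web access for the other clients.
: static (inside,outside) 89.x.x.34 192.168.x.50 netmask 255.255.255.255

: Narrow form: redirect only port 5060, one line per protocol.
: "interface" means the address of the outside interface, so the
: remaining ports stay available for the PAT used by the other clients.
static (inside,outside) udp interface 5060 192.168.x.50 5060 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5060 192.168.x.50 5060 netmask 255.255.255.255 0 0

: A static alone does not admit inbound traffic. Permit only what was
: redirected; everything else arriving on outside stays denied by the
: implicit deny at the end of the list.
access-list acl_out permit udp any host 89.x.x.34 eq 5060
access-list acl_out permit tcp any host 89.x.x.34 eq 5060
access-group acl_out in interface outside

: Checks after applying:
:   show static                  (the two port redirections are listed)
:   show access-list acl_out     (hit counters rise when the phone registers)
:   show xlate                   (translations currently in use)
```

If the address of the far-end phone or its ADSL line is fixed, replacing `any` with `host` and that address in both access-list lines narrows the exposure further.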
