Showing results for 
Search instead for 
Did you mean: 


PIX 6.3 Dynamic UDP port application support

We have a PIX525 running 6.3(4). We are trying to get applications that run on dynamic UDP ports to work with out success. We have added all statements to our outside ACL but they dont seem to have any effect.


Hi there,

I've just had a squiz at the config.

The outside access-list COD_4 is allowing udp traffic on ports 1500, 3005, 3101, 28960 and 50101 to the interface on the outside of the pix.

You're natting all traffic from the inside to the outside networks so that the source of a packet that is leaving the pix is the outside ip address of the pix (  This is normal.

Can you tell me a few things first:

1.  Is the device that you're trying to access located on the outside of the pix?

2.  Is the device your initiating access from on the inside of the pix?

if yes to the above 2 questions, the COD_4 access list should be amended to have the source port as the udp ports.  ie something like:

access-list COD_4 permit udp host UDP_HOST eq 1500 interface outside
access-list COD_4 permit udp host UDP_HOST eq 3005 interface outside
access-list COD_4 permit udp host UDP_HOST eq 3101 interface outside
access-list COD_4 permit udp host UDP_HOST eq 28960 inteface outside
access-list COD_4 permit udp host UDP_HOST eq 50101 interface outside

This is because the traffic being initiated from the inside will have the destination port as the udp ports above which means traffic returning from the destination host, through the pix to the source host will have the source ports of the udp port numbers above.

Having said that, if the traffic is being initiated from a host on the outside of the pix, and the traffic is trying to traverse the pix from outside to inside, then your access-list is correct (although it might be a good idea to put an explicit deny ip any any log on the end, just to see drops).  What you're missing in that regard would be static port forwards which tell the pix where to send the traffic on the inside interface once it has entered the outside interface.

For example, lets assume that an outside host wants to get to udp port 1500 on a server hidden behind the pix (in this exampl  The outside host would need to connect to the pix's outside address with destination port 1500.  The pix needs to be told where to then send the request on the inside network.

static (inside,outside) udp interface 1500 1500 netmask 0 0

That command tells the pix to translate any udp queries hitting the outside interface on port 1500 to translate the destination address to the device and send it on its way to the inside interface.

Hope that helps, if it does can you please rate the post?


Recognize Your Peers
Content for Community-Ad