How to avoid filtered status report - PIX.

Hi all,

Denying traffic to a particular port from an external source (Internet) to internal servers will be seen as status "filtered" by programs like nmap.

I would like traffic coming to a particular IP to be redirected by rules. Is it possible? I mean the ports I am interested in must be effectively redirected to my server; all the others should be redirected to a virtual IP. I would, moreover, like to select the action to take based on the packets' source. I have a PIX running 6.3(4). Perhaps it is possible on a router, but I am not sure on a PIX.

Thanks, Alex.

AM

In article , AM wrote:
:I have a PIX running 6.3(4).

:denying traffic to a particular port from an external source (Internet) to internal servers will be seen as status "filtered" by programs like nmap.

That is normal. nmap reports that because it does not get back a TCP SYN ACK response, and also does not get back an ICMP time-exceeded or ICMP network-unreachable or ICMP port-unreachable. nmap is, in other words, detecting that the packets are being dropped somewhere along the line.

There is a 'service' which tells the PIX to generate TCP RST instead of just dropping the packets. That's usually not turned on because it makes it easier for outsiders to map your network (and to detect that it's a PIX protecting the network.)

:I would like traffic coming to a particular IP to be redirected by rules. Is it possible? I mean the ports I am interested in must be effectively redirected to my server; all the others should be redirected to a virtual IP.

That's not as easy to configure as one might prefer, in that static without ports has higher priority than static with ports -- so one cannot configure it as "static through these particular ports, and for everything else, fall back to the regular static that covers all the ports."

I believe, though, that one might be able to configure it using policy static; it might take a bit of fiddling to work.

:I would, moreover, select action to do based on packets' source.

That's the realm of policy static. Policy static is, though, nearly the lowest priority: only regular nat is lower priority (and possibly policy nat too.) To make things work out, one might end up having to use a bunch of "range" specifiers.

Walter Roberson
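The open/closed/filtered logic Walter describes, and the reason answering denied packets with a TCP RST (the PIX `service resetinbound` behaviour he alludes to) makes a network easier to map, as an added worked example. This is not code from the thread, from nmap or from Cisco: the classification rules follow nmap's documented SYN-scan semantics, and the hosts, ports and firewall model are constructed for the illustration.

```python
"""Model what a SYN scanner infers from a firewall's response policy.

Added illustration (not from the thread, nmap or Cisco). The reply types and
the classification rules follow nmap's documented SYN-scan semantics; the
network layout (WEB, DB, UNUSED) is constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Reply(Enum):
    SYN_ACK = "SYN/ACK"            # a listener answered step 2 of the handshake
    RST = "RST"                    # the host (or the firewall) refused it
    ICMP_UNREACH = "ICMP type 3"   # an intermediate device said "unreachable"
    NONE = "no response"           # the probe and its retransmissions timed out


# ICMP type 3 codes that nmap treats as "filtered" for a SYN probe
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


def classify(reply, icmp_code=None):
    """Map a single probe result to the nmap port state."""
    if reply is Reply.SYN_ACK:
        return "open"
    if reply is Reply.RST:
        return "closed"
    if reply is Reply.ICMP_UNREACH and icmp_code in FILTERED_ICMP_CODES:
        return "filtered"
    if reply is Reply.NONE:
        return "filtered"
    raise ValueError(f"unhandled probe result: {reply} code={icmp_code}")


@dataclass(frozen=True)
class Host:
    exists: bool            # is anything mapped at this outside address?
    listening: frozenset    # ports with a server behind the firewall
    permitted: frozenset    # ports the firewall lets through


def firewall_reply(host, port, reset_denied):
    """Constructed model of a PIX-style firewall in front of `host`.

    reset_denied=False: denied packets are silently dropped (the default).
    reset_denied=True: denied packets are answered with a TCP RST.
    """
    if not host.exists:
        return Reply.NONE    # no static maps this address; nothing answers
    if port in host.permitted:
        # permitted traffic reaches the server; it answers for itself
        return Reply.SYN_ACK if port in host.listening else Reply.RST
    return Reply.RST if reset_denied else Reply.NONE


def scan(host, ports, reset_denied):
    """Port -> nmap state for one host under one firewall policy."""
    return {p: classify(firewall_reply(host, p, reset_denied)) for p in ports}


def host_looks_alive(states):
    """Any open or closed port proves to the scanner that the address is in use."""
    return any(s != "filtered" for s in states.values())


# Constructed layout: a web server, a database host with nothing permitted
# from outside, and an outside address with no static at all.
WEB = Host(exists=True, listening=frozenset({80}), permitted=frozenset({80, 443}))
DB = Host(exists=True, listening=frozenset({1433}), permitted=frozenset())
UNUSED = Host(exists=False, listening=frozenset(), permitted=frozenset())
PORTS = [22, 80, 443, 1433]

if __name__ == "__main__":
    for policy in (False, True):
        label = "RST on deny" if policy else "drop on deny"
        print(f"--- firewall policy: {label}")
        for name, host in (("WEB", WEB), ("DB", DB), ("UNUSED", UNUSED)):
            states = scan(host, PORTS, policy)
            print(f"{name:7s} alive={host_looks_alive(states)!s:5s} {states}")
```

With the default drop policy, the fully denied DB host and the unused address produce identical results (every port "filtered", host not provably alive), which is exactly the ambiguity Walter wants to preserve. Turning on RST for denied packets turns DB's ports into "closed", confirming that a device answers at that address.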

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.