Not sure what the ipfilter lingo is for what i want to do so I will demonstrate with a Cisco PIX ACL. access-list outside_access_in permit tcp any host 1.1.1.1 eq 3306 There would be a static for the 1.1.1.1 address: static (inside,outside) 192.168.1.1 1.1.1.1 Where the MySQL server is running on host 192.168.1.1 and that ip is mapped via a static translation to 1.1.1.1 on the PIX's outside interface.