NAT the Outside network with PIX firewall

Is it possible to NAT an Outside IP address on the internet to a single Inside IP address on my corporate LAN?

I have an application in my corporate network, which I would like to make available to an external party on the Internet. This application is configured to accept only connections from specific IP Addresses (like an ACL).

The external party is using an ADSL modem which obtains a random IP Address assigned by the ISP. Therefore, I would like to use NAT on the outside (Internet), to give it a fixed IP Address on the inside on my corporate network.

Is this possible? If yes, what commands do I use to configure it?

Also, please advise if there is any danger in doing so, or what are my alternatives.
billwharton Commented:

I have only read your question and not the other comments in this post. However, I understand your requirements and you are trying to achieve a simple case of BI-directional NAT. What is different about your case is that you need to NAT a dynamic IP (DSL) to an inside IP. Since it is an unknown IP, I suggest these steps:

- Find out what the current IP address of your DSL client is and see what it changes to in a couple of days. Usually, it would change in the same subnet or a very close subnet. Hence, you would be able to calculate a subnet and network mask and if anybody else from this subnet mask tries to access this server, he would be able to get in. That's the security risk though I assume you are also using password authentication on the server.

These statements are to be used:

The dynamic DSL network is after a few days of observation.
Server IP is & is only accepting requests from IP:
You have applied access-list 101 on your outside interface

Needed Statements
global (inside) 5
nat (outside) 5

access-list 101 permit ip host
Or you could limit it to a particular port:
access-list 101 permit tcp/udp host eq (port number)

In case all of this is very confusing, kindly send me your current IP's and your PIX configuration and I would be glad to give you accurate statements which you would simply copy/paste.

As far as security goes, you have to weigh the risks with the benefits. This solution is not your everyday solution but I have seen it implemented in difficult situations like this.

Thank you
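The subnet-observation step in the reply above opens the server to every address in the covering prefix, not just the client's, so the size of that prefix is worth measuring before the ACL is applied. The following Python is an added example, not from this thread or any participant: it takes a constructed list of addresses the remote client was seen using, finds the smallest covering prefix, reports how many addresses that prefix admits versus how many were actually observed, and emits a PIX-style access-list line in the form the reply uses; the server address and port are placeholders.

```python
import ipaddress

# Constructed sample data (not from the thread): addresses the remote ADSL
# client was seen using on different days.
OBSERVED_CLIENT_IPS = ["203.0.113.17", "203.0.113.42", "203.0.113.200", "203.0.114.9"]

# Placeholder for the server's registered outside address (the thread's w.x.y.z).
SERVER_OUTSIDE_IP = "198.51.100.10"


def covering_network(ips):
    """Smallest IPv4 prefix that contains every observed address."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(addrs[0])  # start from a /32
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one bit until every address fits
    return net


def exposure(ips):
    """Addresses the ACL would admit compared with addresses actually seen."""
    net = covering_network(ips)
    return {
        "network": str(net),
        "admitted": net.num_addresses,
        "observed": len(set(ips)),
    }


def pix_acl_line(ips, server_ip, port, acl_id=101):
    """PIX-style access-list entry limiting the server to the covering prefix.
    PIX access-lists take a subnet mask, not an IOS-style wildcard mask."""
    net = covering_network(ips)
    return (f"access-list {acl_id} permit tcp {net.network_address} {net.netmask} "
            f"host {server_ip} eq {port}")


if __name__ == "__main__":
    print(exposure(OBSERVED_CLIENT_IPS))
    print(pix_acl_line(OBSERVED_CLIENT_IPS, SERVER_OUTSIDE_IP, 443))
```

With the sample addresses the prefix grows to a /22, so four observed addresses turn into 1024 admitted ones; that ratio is the number to weigh against the server's own authentication.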

You will be setting up a static nat assignment and they can go either direction.  You will need to set either a conduit or ACL to allow the proper port to be presented to the outside world.  Is this an application that you can be sure the rest of the world won't bang on?  If it's sensitive enough to worry about, then consider setting up some sort of authentication or authorization schemes before allowing its use.  You can use local accounts set up on the PIX or TACACS+/RADIUS accounts to prevent unintended use.  That frees you up from thinking about access restrictions based on IP addressing.

Here's the basics of the static NAT logic

1.  The ACL applied to your outside IF needs to include whatever ports this application needs:
access-list outside-ingress permit tcp any host <<OUTSIDEIP>> eq https

2. This is the static address assignment:
static (inside,outside) OUTSIDEIP INSIDEIP netmask 0 0

3. This is the access-list applied to your outside IF:
access-group outside-ingress in interface outside

If you want to add AAA and you already have some kind of RADIUS running, it's a breeze to add a few special user account and rules to support this.


wlseet (Author) Commented:
By design, the application is coded to accept connections from a specific IP Address.

Since the IP Address from the Internet is random, they cannot access the application unless their IP Address has been defined in the application.

Therefore, I need the IP Address from the Internet, to be translated to an internal IP Address, which is fixed to only 1 internal IP Address for easy maintenance on my application.

How do I do that?

Your question was:  Is it possible to NAT an Outside IP address on the internet to a single Inside IP address on my corporate LAN?  - The key word being "an", as in a single Outside IP address.

Now you're saying that you want to NAT any Internet address to a single address to present on your LAN.  You know that's about the most backwards implementation you could configure all for "easy" maintenance?

I don't know if the PIX can globally present all Internet addresses through a single internal address, because that would break all other outbound traffic.

You're trying too hard to use IP addresses to create a security configuration.  You need to get over it.  If it's that important to restrict addresses, then have your client come through a VPN tunnel and assign them an internal LAN address.
ccallison explained it fine so i'm not going to reinvent the wheel, but i don't suggest forwarding a whole ext. IP to a whole internal IP....why?

1) hack into that machine and you're on the whole network
2) i'm gonna bet it's a windows machine, and that's just asking for trouble
3) figure out what ports it runs on and forward those...

here's my suggestion:

Setup SSH (I love it) on a machine, forward one port (udp/22 I believe) and have them ssh in....right there you can setup port forwarding, and it will look like it's coming from's also VERY secure
If you're not willing to do a vpn solution, then the ssh idea has merit.  Even NAT'ing the ISP's subnet from which your client MIGHT be coming from is a fuzzy solution.  You may break other traffic patterns unintentionally.  It's like installing a peephole on your front door the wrong direction....
Tim Holman Commented:
I would setup the remote ADSL site with a PIX or Cisco router, and then setup a dynamic VPN from that site to your central site, authenticated by a pre-shared secret known only to you, or better still, a certificate.
That way, it doesn't matter that the address is variable, as the VPN is created based on the authentication alone.

If cost is an issue, set the remote ADSL site up with a VPN Client, so that they can access the application.

..and remember, security based on whether or not a user is behind a specific IP address or not is NOT the way to go.  IP addresses can be spoofed, other users could use his connection, etc etc.

Think about authenticating the user properly.  Maybe even some form of two-factor authentication - RSA SecurID or Aladdin e-token.
wlseet (Author) Commented:
I would say that billwharton hit it spot on.
Sorry for the delay, I've been out of reach for a couple of days after the weekend.

I tried the suggestion by billwharton. As my internal IP addresses are not registered IP addresses, I used the static command to give it an "outside" IP address, so that it can be reached.

static (inside,outside) w.x.y.z

where w.x.y.z is the registered IP address I have.

Is this correct?
I assume so, cause it works.

As for security, the application not only accepts connection from a pre-defined IP, it also prompts for authentication (username/password).

I'm awarding full points to billwharton.
Thanks to everyone for their contribution.


I am glad you resolved the problem.