

PIX501: Can have PAT / NAT both active

Posted on 2004-10-28
Medium Priority
Last Modified: 2010-04-09

!--- Both PAT NAT active
global (outside) 1 interface
global (inside) 130200
nat (inside) 1 0 0
Question by:sfaruqi
LVL 36

Expert Comment

ID: 12442804
What is your exact question?

You can have NAT configured with a range of IP addresses. If you also define a single IP address (PAT) then when and if all the NAT IPs are used it will start to use PAT.

Author Comment

ID: 12444062

I heard that for some applications like Polycom web conferencing NAT is a better solution, so I want to set up PAT and NAT simultaneously for different applications.

I know how to do PAT for remote desktop, but to learn more I want to set up NAT for another PC for the same service.

access-list outside_access_in permit tcp any interface outside eq 5452
static (inside,outside) tcp interface 5452 3389 netmask 0 0

Can I have both NAT and PAT active on a PIX501 6.3 firewall, and if so, how?


Author Comment

ID: 12444094
Building configuration...
: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewalltest
domain-name ciscopixtest.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
object-group service RmDskTp tcp
  description Remote Desk Top
  port-object range 3389 3389
object-group service Port5451http tcp
  description Http Port 5451
  port-object range 5451 5451
access-list outside_access_in permit tcp any interface outside eq 5452
access-list outside_access_in permit tcp any interface outside eq 5455
access-list outside_access_in permit tcp any interface outside eq 5451
access-list nonat permit ip
pager lines 24
mtu outside 1500
mtu inside 1500

!--- Verizon DSL (Static)
ip address outside

!--- Verizon DSL (Dynamic)
NO ip address outside pppoe setroute

!--- Company Server
NO ip address outside dhcp setroute

ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 130200
nat (inside) 1 0 0
static (inside,outside) tcp interface 5452 3389 netmask 0 0
static (inside,outside) tcp 5451 www netmask 0 0
static (inside,outside) tcp 5455 www netmask 0 0
access-group outside_access_in in interface outside
timeout xlate 1:00:00
timeout conn 0:33:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http outside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public%d
no snmp-server enable traps
no floodguard enable
crypto map mymap 10 ipsec-isakmp
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet outside
telnet timeout 5
ssh timeout 60
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xyz
vpdn group pppoe_group ppp authentication pap
vpdn username xyz password ********* store-local
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

LVL 36

Accepted Solution

grblades earned 400 total points
ID: 12444867
For internal machines accessing the Internet the difference between NAT and PAT is whether you put a single IP address or a range of IP addresses in the 'global' command.

Completely separately you can also use the 'static' command to allow incoming connections to the servers via PAT/NAT. If you don't specify ports in the static command then everything is translated so it is effectively NAT. If one external IP address is used like this then you cannot specify the same external address with any other 'static' command.

Do you have a single fixed IP address for your DSL connection?
If you do then you can only really use PAT.
If you have multiple external IP addresses then you can use a combination.

Author Comment

ID: 12463298

Good enough. Thanks. Let me see if I understood right that my above Pix config is based on single public IP and utilizing both PAT and NAT for internal address translation.

And if I get more IP addresses from the ISP then I can have one public IP translated to one single internal address, for example my server.

global (outside) 2 interface
global (inside) 130200
nat (inside) 1 0 0
static (inside,outside) tcp interface 5452 3389 netmask 0 0

!--- Verizon DSL (Static)
ip address outside
ip address outside (Additional IP)

static (inside,outside) tcp netmask 0 0


Author Comment

ID: 12463315
Please if you have time check my other question.

LVL 36

Expert Comment

ID: 12463384
These commands will translate all outbound traffic for machines without a fixed NAT translation using PAT to the external IP address of the PIX:-
ip address outside
global (outside) 2 interface
nat (inside) 1 0 0

You don't need this:-
global (inside) 130200

To add additional NAT entries you just use a 'static' command and don't put additional 'ip address' commands for example:-
static (inside,outside) netmask 0 0
Note there is no 'tcp' parameter since you are defining NAT. If you were defining a static PAT entry you would have the protocol and ports listed as well.
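
Added example, not part of the original thread or of any poster's configuration: a small Python check that classifies PIX 6.3-style `global` and `static` lines the way the answers above describe (a range is NAT, a single address or `interface` is PAT, a `static` without a protocol is one-to-one NAT) and reports an external address used for static NAT that another `static` also uses. The sample configuration and its addresses (192.0.2.x, 10.0.0.x) are constructed placeholders, and the function names are hypothetical.

```python
# Constructed PIX 6.3-style sample; all addresses are documentation placeholders.
SAMPLE = """\
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.0.2.5 10.0.0.5 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5452 10.0.0.6 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.5 8080 10.0.0.7 www netmask 255.255.255.255 0 0
"""


def classify(line):
    """Return (kind, global_address) for a translation command, else None."""
    tok = line.split()
    if len(tok) < 4:
        return None
    if tok[0] == "global":
        # A range is a dynamic NAT pool; one address or 'interface' is PAT.
        return ("dynamic-nat" if "-" in tok[3] else "dynamic-pat", tok[3])
    if tok[0] == "static":
        if tok[2] in ("tcp", "udp"):
            # Protocol and ports listed: static PAT (port redirection).
            return ("static-pat", tok[3])
        # No protocol: every port is translated, i.e. one-to-one NAT.
        return ("static-nat", tok[2])
    return None


def audit(config):
    """Classify every line; list static NAT addresses reused by another static."""
    entries = [c for c in map(classify, config.splitlines()) if c]
    statics = [addr for kind, addr in entries if kind.startswith("static")]
    nat_addrs = {addr for kind, addr in entries if kind == "static-nat"}
    conflicts = sorted(a for a in nat_addrs if statics.count(a) > 1)
    return entries, conflicts


if __name__ == "__main__":
    entries, conflicts = audit(SAMPLE)
    for kind, addr in entries:
        print(f"{kind:12} {addr}")
    for addr in conflicts:
        print(f"conflict: {addr} is a static NAT address reused by another static")
```

The last `static` line in the sample is deliberately wrong: it reuses 192.0.2.5, which the one-to-one NAT entry already claims.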


Author Comment

ID: 12466313
Thanks grblades


Question has a verified solution.
