PIX501: Can have PAT / NAT both active

Posted on 2004-10-28
Last Modified: 2010-04-09

!--- Both PAT NAT active
global (outside) 1 interface
global (inside) 130200
nat (inside) 1 0 0
Question by:sfaruqi

    Expert Comment

    What is your exact question?

    You can have NAT configured with a range of IP addresses. If you also define a single IP address (PAT), then when and if all the NAT IPs are used it will start to use PAT.

    Author Comment


    I heard that for some applications like Polycom web conferencing NAT is a better solution, so I want to set up PAT and NAT simultaneously for different applications.

    I know how to do PAT for remote desktop, but to learn more I want to set up NAT for another PC for the same service.

    access-list outside_access_in permit tcp any interface outside eq 5452
    static (inside,outside) tcp interface 5452 3389 netmask 0 0

    Can I have both NAT and PAT active on a PIX501 6.3 firewall, and if so, how?


    Author Comment

    Building configuration...
    : Saved
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewalltest
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    object-group service RmDskTp tcp
      description Remote Desk Top
      port-object range 3389 3389
    object-group service Port5451http tcp
      description Http Port 5451
      port-object range 5451 5451
    access-list outside_access_in permit tcp any interface outside eq 5452
    access-list outside_access_in permit tcp any interface outside eq 5455
    access-list outside_access_in permit tcp any interface outside eq 5451
    access-list nonat permit ip
    pager lines 24
    mtu outside 1500
    mtu inside 1500

    !--- Verizon DSL (Static)
    ip address outside

    !--- Verizon DSL (Dynamic)
    NO ip address outside pppoe setroute

    !--- Company Server
    NO ip address outside dhcp setroute

    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (inside) 130200
    nat (inside) 1 0 0
    static (inside,outside) tcp interface 5452 3389 netmask 0 0
    static (inside,outside) tcp 5451 www netmask 0 0
    static (inside,outside) tcp 5455 www netmask 0 0
    access-group outside_access_in in interface outside
    timeout xlate 1:00:00
    timeout conn 0:33:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http outside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public%d
    no snmp-server enable traps
    no floodguard enable
    crypto map mymap 10 ipsec-isakmp
    isakmp policy 10 authentication rsa-sig
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    telnet outside
    telnet timeout 5
    ssh timeout 60
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname xyz
    vpdn group pppoe_group ppp authentication pap
    vpdn username xyz password ********* store-local
    dhcpd address inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80

    Accepted Solution

    For internal machines accessing the Internet the difference between NAT and PAT is whether you put a single IP address or a range of IP addresses in the 'global' command.

    Completely separately you can also use the 'static' command to allow incoming connections to the servers via PAT/NAT. If you don't specify ports in the static command then everything is translated, so it is effectively NAT. If one external IP address is used like this then you cannot specify the same external address with any other 'static' command.

    Do you have a single fixed IP address for your DSL connection?
    If you do then you can only really use PAT.
    If you have multiple external IP addresses then you can use a combination.

    Author Comment


    Good enough. Thanks. Let me see if I understood right: my above PIX config is based on a single public IP and utilizes both PAT and NAT for internal address translation.

    And if I get more IP addresses from the ISP, then I can have one public IP translated to one single internal address, for example my server.

    global (outside) 2 interface
    global (inside) 130200
    nat (inside) 1 0 0
    static (inside,outside) tcp interface 5452 3389 netmask 0 0

    !--- Verizon DSL (Static)
    ip address outside
    ip address outside (Additional IP)

    static (inside,outside) tcp netmask 0 0


    Author Comment

    Please if you have time check my other question.

    Expert Comment

    These commands will translate all outbound traffic for machines without a fixed NAT translation using PAT to the external IP address of the PIX:-
    ip address outside
    global (outside) 2 interface
    nat (inside) 1 0 0

    You don't need this:-
    global (inside) 130200

    To add additional NAT entries you just use a 'static' command and don't put additional 'ip address' commands for example:-
    static (inside,outside) netmask 0 0
    Note there is no 'tcp' parameter since you are defining NAT. If you were defining a static PAT entry you would have the protocol and ports listed as well.
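The two expert comments above (the accepted solution and this follow-up) give a small set of rules for reading a PIX 6.3 translation config: a 'global' naming a single address or 'interface' is dynamic PAT while an address range is a dynamic NAT pool; a 'static' with no protocol/ports is one-to-one NAT while one with protocol and ports is static PAT; a port-less static claims its external address, so no other static may reuse it; and a 'global' is only used if a 'nat' statement with the same id binds hosts to it. The script below is an added example, not code from the thread, from Cisco, or from the PIX itself. It encodes those rules as a classifier over config lines and runs it on a constructed sample modelled on the thread's config, with 203.0.113.0/24 and 10.0.0.0/24 standing in for the scrubbed public and private addresses. It only understands the forms of 'global', 'nat' and 'static' that appear in the thread.

```python
"""Classify PIX 6.3 translation statements as NAT or PAT and sanity-check them.

Added example, not code from the thread or from Cisco. It encodes the rules the
expert gave: a 'global' with a single address or 'interface' is dynamic PAT, a
range is a dynamic NAT pool; a port-less 'static' is one-to-one NAT, one with
protocol and ports is static PAT; an external address used by a port-less
static cannot be reused by another static; and a 'global' with no 'nat' of the
same id is unused. All addresses below are constructed documentation values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Xlate:
    kind: str      # 'dynamic PAT', 'dynamic NAT', 'static NAT', 'static PAT' or 'nat'
    target: str    # external address, range, 'interface', or (for 'nat') the pool id
    line: str
    detail: str = ''
    pool_id: str = ''


def classify(line: str) -> Optional[Xlate]:
    """Return the translation type of one config line, or None if it is not one."""
    t = line.split()
    if not t:
        return None
    if t[0] == 'global':
        # global (ifc) id {interface | addr | first-last} [netmask mask]
        pool_id, target = t[2], t[3]
        if target == 'interface' or '-' not in target:
            return Xlate('dynamic PAT', target, line, 'inside hosts share one address', pool_id)
        return Xlate('dynamic NAT', target, line, 'one pool address per inside host', pool_id)
    if t[0] == 'static':
        # static (in,out) [tcp|udp] ext [ext_port] local [local_port] netmask mask
        if t[2] in ('tcp', 'udp'):
            proto, ext, ext_port, local, local_port = t[2:7]
            return Xlate('static PAT', ext, line, f'{proto}/{ext_port} -> {local}:{local_port}')
        ext, local = t[2:4]
        return Xlate('static NAT', ext, line, f'all traffic -> {local}')
    if t[0] == 'nat':
        # nat (ifc) id local mask : binds those hosts to the global pool with the same id
        return Xlate('nat', t[2], line, f'{t[3]} {t[4]}', t[2])
    return None


def summarize(config: str) -> Dict[str, object]:
    """Report which translation types are active, static conflicts and unused pools."""
    xl = [x for x in map(classify, config.splitlines()) if x is not None]
    statics = [x for x in xl if x.kind.startswith('static')]

    # Group statics by external address; a port-less (NAT) static claims the
    # whole address, so any other static on the same address is a conflict.
    by_ext: Dict[str, List[Xlate]] = {}
    for x in statics:
        by_ext.setdefault(x.target, []).append(x)
    conflicts = [x.line for group in by_ext.values()
                 if len(group) > 1 and any(g.kind == 'static NAT' for g in group)
                 for x in group]

    # A 'global' pool only carries traffic if some 'nat' statement uses its id.
    bound = {x.pool_id for x in xl if x.kind == 'nat'}
    unbound = [x.line for x in xl if x.kind.startswith('dynamic') and x.pool_id not in bound]

    pat = [x for x in xl if x.kind in ('dynamic PAT', 'static PAT')]
    nat = [x for x in xl if x.kind in ('dynamic NAT', 'static NAT')]
    return {
        'dynamic_pat': [x.target for x in xl if x.kind == 'dynamic PAT'],
        'dynamic_nat': [x.target for x in xl if x.kind == 'dynamic NAT'],
        'static_nat': [x.target for x in xl if x.kind == 'static NAT'],
        'static_pat': [x.detail for x in xl if x.kind == 'static PAT'],
        'both_active': bool(pat) and bool(nat),
        'conflicts': conflicts,
        'unbound_globals': unbound,
    }


# Constructed sample (documentation addresses), modelled on the thread's config.
SAMPLE_CONFIG = """\
!--- dynamic PAT for pool 1, dynamic NAT pool for pool 2
global (outside) 1 interface
global (outside) 2 203.0.113.20-203.0.113.30 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 2 10.0.1.0 255.255.255.0
!--- static PAT (port redirect) on the interface address, as in the thread
static (inside,outside) tcp interface 5452 10.0.0.50 3389 netmask 255.255.255.255
!--- static NAT on a second public IP, then an illegal reuse of that address
static (inside,outside) 203.0.113.6 10.0.0.6 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.6 www 10.0.0.7 www netmask 255.255.255.255
"""

if __name__ == '__main__':
    for key, value in summarize(SAMPLE_CONFIG).items():
        print(f'{key}: {value}')
```

Run on the sample it reports both PAT and NAT active, and lists the two statics on 203.0.113.6 as a conflict, which matches the expert's warning that an address used by a port-less static cannot appear in any other static. Feeding it the thread's own 'global (outside) 1 interface' plus a 'global (inside)' with an id no 'nat' references reproduces the follow-up comment's point that the second global is not needed.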


    Author Comment

    Thanks grblades
