Static NAT PIX

Posted on 2006-06-08
Medium Priority
Last Modified: 2010-04-09
I need to do a static NAT for public ip to a private ip on my network.  The firewall wan is and i have an additional  Private ip =

I need to do PAT for the outside interface so that certain port request on are PATed back to different devices on the inside and also have translate to on a one to one basis.

Can someone provided a sample including access-list please?
Question by:andreacadia
  • 2
  • 2

Accepted Solution

stressedout2004 earned 2000 total points
ID: 16866974

1) For  PAT, you need the following:

global (outside) 1 interface
nat (inside) 1

These two commands will allow any host on the internal network that doesn't have a static one is to one natting to use the firewall's WAN IP if they need to go to anywhere outside the network. By default, all outbound traffic is allowed so you don't need to add access-list to allow traffic originating from the inside network back in.

2) For the static one is to one, you need:

static (inside, outside) netmask
access-list acl_out permit tcp any host eq 25
access-list acl_out permit udp any host eq domain
access-list acl_out permit tcp any host eq www
access-group acl_out in interface outside

The 1st command above statically assigns to The next three are access-rules that allows users from the internet to connect to on port 25, 53 and 80. You will need to modify the rule to suit your needs, the syntax would be the same. The last command applies the access-rule acl_out to the outside interface. You need to apply the access-rules on an interface for it to take effect on this case.

Author Comment

ID: 16867015
how about if i just did this:

access-list acl_out permit ip any host


Expert Comment

ID: 16867107
That's fine, however it is not recommended. By doing that, you are opening all ports to the internet on that host.

Author Comment

ID: 16867171
now does this necessarily mean that all traffic will exit sourced as the natted public ip in this case?
LVL 79

Expert Comment

ID: 16869686
If you have a static 1-1 nat then yes, that host will exit sourced as the natted public.

Featured Post

Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question