• Status: Solved

Static NAT on PIX 520 with IOS 4.4(7)

I have an older ios release that I'm messing around with at home because I can't learn on the equipment at work.  
Here's how my network settings are with a direct connection to my ISP, so this would be the outside interface:
ip address range: -

How can I set up static NAT between the outside interface, which will reflect the settings above, and the inside hosts on my network on let's say

Thank you.
1 Solution
PIX v4.4 ?!  My, that's ancient!
  What you're describing above actually isn't static NAT, just dynamic NAT...  If you're trying to NAT the 192.168.1.x to the pool of IPs: - .254, & you're manually setting the PIX's gateway & outside IP, see below:

ip address inside  <- or whatever your inside IP is going to be
ip address outside  <- or whatever your outside IP is going to be
route outside 0 0
nat (inside) 1 0 0
global (outside) 1

  Here's the PIX 4.4 config guide (especially the command ref):

sipscottAuthor Commented:
Oh man, that's exactly what I've been trying all night!  I can ping each interface, but data won't flow through the inside interface to any hosts on the outside or vice versa.  Here's how my network is set up, try not to laugh!  I have my computer connected directly to the inside interface of the PIX with a crossover cable.  The outside interface of the PIX is connected to a wireless bridge (Buffalo WLI-TX4-G54HP), which connects up to my wireless ISP about 5 miles away.  They are using a MikroTik router with an IP address of it's running DHCP, and has its own static 1 to 1 mapping.  I can ping from the outside interface on my PIX to various hosts on the wireless network: other access points and gateways.  I can also ping from the inside interface to various hosts on my home network.  I cannot ping through either interface, and I'm beginning to wonder if I may have screwed something up.  I'll include a copy of my config:

PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
failover timeout 0:00:00
failover ip address outside
failover ip address inside
arp timeout 14400
global (outside) 1
nat (inside) 1 0 0
conduit permit icmp any any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
sipscottAuthor Commented:
this question must be tougher than I thought.  I have experience setting up a similar config on a PIX with v6, but as was mentioned earlier 4.4 is rather old!

Do you have any potential to bring the PIX OS to a more current level ( at least the 6.x ) level?

4.x is ancient and doesn't even support a lot of the functionality of the newer versions.
1)  First off, have you checked with your ISP on the IP settings?  I rather doubt they're giving you the entire range of 254 IPs to use (
2)  I checked the Command Reference for 4.4 (in the URL above), & it doesn't appear to support DHCP for the "ip address" command, unlike PIX 5.2 & above (ie, 'ip address dhcp setroute').  So, looks like you'd have to have a static IP given to you by your ISP if running v4.4 code.
3) Did you poweroff the wireless bridge before connecting your PIX, then reboot the wireless bridge?  
4)  Have you manually cleared the NAT table?  -->  clear xlate

Just to keep things simple, I'd disable failover on this:
  no failover
And verify this with "show failover", what you want to see is:
 Failover Off

  Assuming you clear up any IP addressing problems with your ISP, they may have to clear their ARP cache on their end.  Once you're sure about IP settings, save the config then reboot the PIX.

sipscottAuthor Commented:
Getting a static IP was no problem, I've got about 220 unused addresses to pick from.  (I work for the ISP)  I also have failover disabled.  The PIX communicates on the wireless flawlessly, I can ping from the outside to anywhere including www.google.com.  The problem appears to be all in NAT.

Here's the diagnosis:

pixfirewall(config)# ping outside
        response received -- 70ms
        response received -- 60ms
        response received -- 70ms
pixfirewall(config)# ping outside
        response received -- 10ms
        response received -- 0ms
        response received -- 0ms
pixfirewall(config)# ping inside
        response received -- 0ms
        response received -- 0ms
        response received -- 0ms

****From my workstation*****
Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :

C:\Documents and Settings\Scott>ping

Pinging with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

C:\Documents and Settings\Scott>ping

Pinging with 32 bytes of data:

Reply from bytes=32 time<1ms TTL=255
Reply from bytes=32 time<1ms TTL=255
Reply from bytes=32 time<1ms TTL=255
Reply from bytes=32 time<1ms TTL=255

Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
> I've got about 220 unused addresses to pick from.  (I work for the ISP)
  Lucky you!  I could use my own Class C to play with...  ;)

What's the output of "show ver"?
And what's the output of "show xlate" immediately after trying to ping from your workstation?  Do you get any entries for your PC's IP?

Have you also tried doing PAT on the outside interface IP?  eg:
no global (outside) 1
no nat (inside) 1 0 0
global (outside) 1 netmask  <- if it works, run similar steps but try instead
nat (inside) 1 0 0
clear xlate

Are you absolutely sure the subnet mask is correct for the outside interface?

sipscottAuthor Commented:
pixfirewall(config)# sho ver

PIX Version 4.4(7)
Compiled on Mon 02-Oct-00 07:07 by pixbuild
Finesse Bios V3.3

pixfirewall up 13 mins 0 secs

Hardware:   SE440BX2, 128 MB RAM, CPU Pentium II 449 MHz
Flash atmel @ base 0x300
0: ethernet0: address is 00a0.c957.d76e, irq 11
1: ethernet1: address is 00a0.c9b2.5ec7, irq 9

Licensed Options:
Failover:       Enabled
IPSec:          Enabled
Ports allowed:  6
I can't do this with 4.4:

pixfirewall(config)# global (outside) 1 netmask
Start and end addresses overlap with outside interface address
**** WARNING ***
        Configuration Replication is NOT performed from Standby unit to Active unit.
        Configurations are no longer synchronized.

**I went ahead and used for PAT instead, still doesn't work.  I took a look on the MikroTik config and I'm positive my ISP uses a class C subnet mask for  Question is, does this work in 4.4?  I can still ping from the outside and from my ISP back to the outside on the PIX.  Could it be screwing something up within NAT?

sipscottAuthor Commented:
show xlate:
no entries are made after ping from my workstation.
>I can't do this with 4.4:
>pixfirewall(config)# global (outside) 1 netmask
  Yeah, confirmed that this was first allowed in 5.2(1)  (via "interface" keyword of course, like nowadays).

  Have you also tried being specific about what you're trying to NAT?  eg:
no nat (inside) 1 0 0
nat (inside) 1
clear xlate    <- make *sure* you're running this after adding/modifying 'nat' or 'global' statements!

  And for good measure:
write mem

FYI for 'global' statement:  see Usage Note #5 under the Usage Guidelines:
Apparently in 4.4 if using a pool of IPs for the global statement, you must configure reverse DNS for those IPs?!  If that's true, what the hell was Cisco thinking?! LOL
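As an added example (not part of the thread, not Cisco code, and not the poster's config), here is a small Python checker that applies the rules the thread converged on to a PIX 4.4-style config dump: every `global` needs a `nat` with the same id and vice versa, a `global` pool must not contain the interface's own address (4.4 rejects that with the "Start and end addresses overlap" error seen above), the pool should sit inside the outside subnet so the upstream router can ARP for it, a default route must exist, and a single-address PAT global on 4.4 has to be a different host address in the outside subnet because PAT on the interface address only arrived in 5.2(1). The sample config uses constructed documentation addresses (203.0.113.0/24 and 192.168.1.0/24); the real addresses are not on the page.

```python
"""Sanity-check nat/global/route pairing in a PIX 4.4-style config.

Added example for this thread, not Cisco's code and not the poster's
config. Addresses in SAMPLE_CONFIG are constructed (RFC 5737 / RFC 1918).
"""
import ipaddress

# Error string PIX 4.4 printed in the thread when the global pool included
# the outside interface's own address.
OVERLAP_MSG = "Start and end addresses overlap with outside interface address"

# Constructed config: the pool 203.0.113.5-.15 deliberately contains the
# outside interface address 203.0.113.10, reproducing the thread's error.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 203.0.113.5-203.0.113.15 netmask 255.255.255.0
nat (inside) 1 0 0
route outside 0 0 203.0.113.1 1
conduit permit icmp any any
"""


def parse_pix_config(text):
    """Pull the lines that matter for NAT out of a PIX config dump."""
    cfg = {"interfaces": {}, "globals": [], "nats": [], "routes": []}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["ip", "address"] and len(tok) == 5:
            # ip address <ifname> <addr> <mask>; dotted masks are accepted
            cfg["interfaces"][tok[2]] = ipaddress.IPv4Interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "global" and len(tok) >= 4:
            # global (<ifname>) <id> <start>[-<end>] [netmask <mask>]
            start, _, end = tok[3].partition("-")
            cfg["globals"].append({
                "ifname": tok[1].strip("()"), "id": int(tok[2]),
                "start": ipaddress.IPv4Address(start),
                "end": ipaddress.IPv4Address(end or start), "line": raw})
        elif tok[0] == "nat" and len(tok) >= 4:
            # nat (<ifname>) <id> <local_ip> <mask>; "0 0" means everything
            cfg["nats"].append({"ifname": tok[1].strip("()"), "id": int(tok[2]),
                                "local": tok[3], "line": raw})
        elif tok[0] == "route" and len(tok) >= 5:
            # route <ifname> <dest> <mask> <gateway> [metric]
            cfg["routes"].append({"ifname": tok[1], "dest": tok[2],
                                  "mask": tok[3], "gateway": tok[4]})
    return cfg


def check_nat(cfg):
    """Return a list of findings; an empty list means the pairing looks sane."""
    findings = []
    nat_ids = {n["id"] for n in cfg["nats"]}
    global_ids = {g["id"] for g in cfg["globals"]}
    for g in cfg["globals"]:
        if g["id"] not in nat_ids:
            findings.append(f"{g['line']}: no nat statement uses id {g['id']}")
        iface = cfg["interfaces"].get(g["ifname"])
        if iface is None:
            findings.append(f"{g['line']}: interface {g['ifname']} has no ip address")
            continue
        if g["start"] <= iface.ip <= g["end"]:
            findings.append(f"{g['line']}: {OVERLAP_MSG}")
        if g["start"] not in iface.network or g["end"] not in iface.network:
            findings.append(f"{g['line']}: pool is outside {iface.network}; "
                            "the upstream router must route or ARP for it")
    for n in cfg["nats"]:
        if n["id"] != 0 and n["id"] not in global_ids:
            findings.append(f"{n['line']}: no global statement uses id {n['id']}")
    if not any(r["dest"] in ("0", "0.0.0.0") for r in cfg["routes"]):
        findings.append("no default route: translated packets have nowhere to go")
    return findings


def pat_candidate_ok(cfg, ifname, addr):
    """Is addr usable as a single-address PAT global on 4.4?

    4.4 cannot PAT on the interface address itself (that came in 5.2(1)),
    so the candidate must be a different host address in the interface subnet.
    """
    iface = cfg["interfaces"][ifname]
    a = ipaddress.IPv4Address(addr)
    net = iface.network
    return (a in net and a != iface.ip
            and a != net.network_address and a != net.broadcast_address)


if __name__ == "__main__":
    cfg = parse_pix_config(SAMPLE_CONFIG)
    for f in check_nat(cfg):
        print("FINDING:", f)
    fixed = parse_pix_config(SAMPLE_CONFIG.replace(
        "203.0.113.5-203.0.113.15", "203.0.113.20-203.0.113.30"))
    print("fixed config findings:", check_nat(fixed))
    print("PAT on 203.0.113.20 ok?", pat_candidate_ok(fixed, "outside", "203.0.113.20"))
```

Run it against a `write terminal` dump before issuing `clear xlate`; the checker only reads the four statement types the thread argues about, so anything it does not flag still needs the usual `show xlate` check after a ping from an inside host.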