Posted on 2006-10-24
Medium Priority
Last Modified: 2013-11-16
I have a question:
Is it possible to configure PAT and NAT together on a PIX 506E?
My problem:
I have a connection from my local network to the internet through a PIX 506E (dynamic PAT on the external interface).
I need to add a connection from the internet to a dedicated computer in my local network through the PIX.
I configured a 1-1 translation from outside IP 209.xx.xx.xx to inside 192.168.xx.xx and I forwarded the port.
But it doesn't work.
I can't telnet to this computer and port.
Maybe I have to add a global NAT for this outside IP.
Question by: henryk123
LVL 79

Accepted Solution

lrmoore earned 1000 total points
ID: 17797346
If you only get 1 public IP address then you cannot do both a 1-1 nat and PAT for other outbound traffic.
You can simply use static port-forwarding, with corresponding acl.
For example - you have a web server and an email server:

static (inside,outside) tcp interface http <web-server-inside-ip> http netmask 255.255.255.255
static (inside,outside) tcp interface smtp <mail-server-inside-ip> smtp netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq smtp
access-group outside_in in interface outside


Author Comment

ID: 17797604
I have 5 public IP addresses.
I only need to add a NAT rule from one external IP to one internal IP, and I don't want to change the existing PAT configuration.
I'm new to firewalls, so maybe it's very easy, but I can't do it.
LVL 79

Expert Comment

ID: 17797764
global (outside) 1 interface
nat (inside) 1 0 0 0
static (inside,outside) 209.x.x.x 192.168.x.x netmask 255.255.255.255

As long as 209.x.x.x is not the same IP as the one assigned to the outside interface, this will work just fine - assuming that you also have the proper acl applied.

Author Comment

ID: 17798142
hello again:
one more thing:
1. When I enter "global (outside) 1 interface" from the telnet console I get: "type ? for display all options", something is wrong.
2. After "nat (inside) 1 0 0 0" - NAT entry duplicated.
Below is my configuration:
Can you look?
thx henry

Building configuration...
: Saved
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Ukmo5i.XUVFUnPym encrypted
passwd vfwNtDb5h6RVFg72 encrypted
hostname xxx-pix
domain-name xxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
name XX.xx.xx.xx Router
name test2
access-list acl_out permit ip any any
pager lines 24
logging trap debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.xx.xx.xx 255.xx.xx.xx
ip address inside 192.168.xx.xx
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.xx.xx inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group acl_out in interface inside
route outside Router 1
route inside test2 192.168.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.xx.xx inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
service resetoutside
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end

LVL 79

Expert Comment

ID: 17798320
>PIX Version 6.1(4)
OK. This old version does not support the "interface" keyword

 global (outside) 1 209.x.x.x  <= same IP as outside interface
 static (inside,outside) 209.x.x.y 192.168.X.Y  <== not same as either outside or inside interface IP

>access-list acl_out permit ip any any
>access-group acl_out in interface inside
You really don't want to do this. It sort of defeats the whole purpose for having a firewall.
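
Added example (my own, not lrmoore's commands or anything from Cisco): a small Python checker that applies the points made in this thread to PIX 6.x configuration text. It flags a 1-1 static that reuses the outside interface or PAT global address, a static with no ACL entry on the outside interface to let the inbound connection through, and a "permit ip any any" applied to an interface. The two configurations embedded in it are constructed with documentation addresses (203.0.113.0/24 and 192.168.10.0/24) as stand-ins for the "as posted" and "as corrected" states of this thread; the parser only understands the handful of statement types these checks need.

```python
"""Constructed PIX 6.x NAT/PAT sanity checker (added example, not from the thread)."""
from dataclasses import dataclass, field


@dataclass
class PixConfig:
    interface_ips: dict = field(default_factory=dict)   # nameif -> address
    globals_: list = field(default_factory=list)        # (nameif, nat_id, address or 'interface')
    statics: list = field(default_factory=list)         # (global nameif, global addr, local addr, proto)
    acls: dict = field(default_factory=dict)            # acl name -> list of rule token lists
    access_groups: list = field(default_factory=list)   # (acl name, nameif it is applied to)


def parse_pix(text):
    """Extract only the statements the checks need; every other line is ignored."""
    cfg = PixConfig()
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] in (":", "!"):
            continue  # blank line or ': Saved' / ': end' marker
        if t[:2] == ["ip", "address"] and len(t) >= 4:
            cfg.interface_ips[t[2]] = t[3]
        elif t[0] == "global" and len(t) >= 4:
            cfg.globals_.append((t[1].strip("()"), t[2], t[3]))
        elif t[0] == "static" and len(t) >= 4:
            global_if = t[1].strip("()").split(",")[1]
            if t[2] in ("tcp", "udp") and len(t) >= 6:
                # port static: static (in,out) tcp <gaddr> <gport> <laddr> <lport> ...
                cfg.statics.append((global_if, t[3], t[5], t[2]))
            else:
                # 1-1 static: static (in,out) <gaddr> <laddr> ...
                cfg.statics.append((global_if, t[2], t[3], "ip"))
        elif t[0] == "access-list" and len(t) >= 3:
            cfg.acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group" and len(t) >= 5:
            cfg.access_groups.append((t[1], t[4]))
    return cfg


def lint(cfg):
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    # Resolve 'global (outside) 1 interface' to the outside address so collisions are caught.
    pat_addrs = {cfg.interface_ips.get(nameif, addr) if addr == "interface" else addr
                 for nameif, _, addr in cfg.globals_}
    for global_if, gaddr, laddr, proto in cfg.statics:
        if gaddr != "interface":  # port statics on the interface address are the supported case
            if gaddr in cfg.interface_ips.values():
                findings.append(f"static {gaddr}: same address as an interface; a 1-1 static cannot share it")
            elif gaddr in pat_addrs:
                findings.append(f"static {gaddr}: also used as a PAT global address")
        applied = [name for name, nameif in cfg.access_groups if nameif == global_if]
        rules = [r for name in applied for r in cfg.acls.get(name, [])]
        if not any(gaddr in r for r in rules):
            findings.append(f"static {gaddr} ({proto}) -> {laddr}: no ACL applied on {global_if} "
                            f"mentions it, so inbound connections will be dropped")
    for name, nameif in cfg.access_groups:
        for r in cfg.acls.get(name, []):
            if r[:4] == ["permit", "ip", "any", "any"]:
                findings.append(f"acl {name} on {nameif}: 'permit ip any any' allows everything through")
    return findings


# Constructed stand-in for the configuration as posted: the static reuses the
# outside address, nothing on the outside permits the inbound connection, and
# the inside ACL permits everything.
BAD_CONFIG = """\
: Saved
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
global (outside) 1 203.0.113.1
nat (inside) 1 0 0
static (inside,outside) 203.0.113.1 192.168.10.50 netmask 255.255.255.255
access-list acl_out permit ip any any
access-group acl_out in interface inside
: end
"""

# Constructed stand-in for the corrected layout: PAT on the interface address, a
# second public address for the 1-1 static, and an inbound ACL scoped to the
# services actually published.
GOOD_CONFIG = """\
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
global (outside) 1 203.0.113.1
nat (inside) 1 0 0
static (inside,outside) 203.0.113.2 192.168.10.50 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.10.25 smtp netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.2 eq telnet
access-list outside_in permit tcp any interface outside eq smtp
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for label, text in (("as posted", BAD_CONFIG), ("as corrected", GOOD_CONFIG)):
        print(f"--- {label} ---")
        for finding in lint(parse_pix(text)) or ["no findings"]:
            print(" ", finding)
```

Run it as a script and the "as posted" configuration produces three findings while the corrected one produces none. The checker deliberately resolves the `interface` keyword to the interface address before comparing, which is exactly the collision the first answer in this thread warns about.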


Author Comment

ID: 17798614

What is another way to establish this connection?
Upgrade this firewall, or I don't know (add one more interface to this firewall, if possible)?
Configure a VPN?
Is it possible to configure a VPN on this firewall?

In my company I also have an ISA 2004 firewall, but it is not connected now.
In the future I'll connect these two firewalls (PIX and ISA) together in a back-to-back configuration.
What do you think? Is it a good idea to connect these firewalls together, or is it better to connect only the ISA 2004 firewall as the edge firewall?
LVL 79

Expert Comment

ID: 17798775
>What is another way to establish this connection
You have not exactly spelled out what this connection is supposed to do/be.

You said that you have more than 1 IP address to use. Then you can do just as I demonstrated above using 1 IP for the interface/global and another one for the 1-1 NAT.
You just have to adjust the acl. If you must permit all ip to this one host, through nat, then adjust the acl like this (although I still wouldn't recommend it):
access-list outside_in permit ip any host 209.x.x.y
access-group outside_in in interface outside

Else, yes, you can create a client VPN scenario to this PIX, VPN in from the client, then have full wonderful -secure- access to the internal server.

I would, however, suggest upgrading 6.1(4) to the latest 6.3(5) before doing that.
As far as utilizing both the PIX and the ISA, I would never use any system running MS Windows that has to be patched often and unfailingly, without time to test out the patches, and rebooted often as my edge firewall. The PIX is absolutely the better Edge firewall. Use the ISA as a one-legged cache-only proxy to control user outbound access, provide reports, and enhance user experience.
I see no viable reason to connect these two firewalls back-to-back.


Author Comment

ID: 17798954
I'll try to configure what you recommend:
VPN on the Cisco firewall + ISA as a proxy inside my network.
Maybe you have a link to the latest Cisco software?
Is this upgrade safe, or should I expect surprises?
LVL 79

Expert Comment

ID: 17798983
You'll have to have a CCO account login to get the upgrade.
The upgrade is safe and painless and "fixes" a lot of things. If you also get the PDM3.04 that goes with it, it wraps a nice Java based GUI around it with VPN wizards that make it a snap to configure VPN's.

Author Comment

ID: 17799077

See'ya next time. I'm sure.:)

Author Comment

ID: 17802946
Hello again,
I have one more question about ISA 2004 server.
I have ISA installed on a Win2003 server.
If I want to configure ISA as a proxy server and as a machine to control internet access for the inside network (for example, to allow users access to the internet only at "lunch time"), what do I need? A custom scenario?
When I check the templates in ISA I have the option to choose:
1. Edge Firewall
2. 3-Leg Perimeter
3. Front Firewall
4. Back Firewall
5. Single Network Adapter
If I choose option "5" I'll be able to configure a proxy server, but probably I won't be able to install "firewall clients".
How can I manage internet access on local computers from ISA?
LVL 79

Expert Comment

ID: 17805053
You set the ISA with Single Adapter - in cache only mode.
Set the PIX to only allow the ISA's IP address out to www
Set the client's IE to use a proxy setting. This can be set in Domain policies, or through DHCP.
No firewall client needed.
ISA can control who gets out and when.
