henryk123 asked
Medium Priority
Last Modified: 2013-11-16
I have a question:
Is it possible to configure PAT and NAT together on a PIX 506E?
My problem:
I have a connection from my local network to the internet through a PIX 506E (dynamic PAT on the external interface).
I need to add a connection from the internet to a dedicated computer in my local network through the PIX.
I configured a 1-1 translation from outside IP 209.xx.xx.xx to inside 192.168.xx.xx and I forwarded the port.
But it doesn't work.
I can't telnet to this computer and port.
Maybe I have to add a global NAT for this outside IP.
Les Moore, Sr. Systems Engineer
Top Expert 2008
If you only have 1 public IP address then you cannot do both a 1-1 NAT and PAT for other outbound traffic.
You can simply use static port-forwarding, with a corresponding ACL.
For example - you have a web server and an email server:

static (inside,outside) tcp interface http 192.168.X.W http netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.X.M smtp netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq smtp
access-group outside_in in interface outside


I have 5 public IP addresses.
I only need to add a NAT rule from one external IP to one internal IP, and I don't want to change the existing PAT configuration.
I'm new to firewalls, so maybe it is very easy, but I can't do it.
Les Moore, Sr. Systems Engineer
Top Expert 2008

global (outside) 1 interface
nat (inside) 1 0 0 0
static (inside,outside) 209.x.x.x 192.168.x.x netmask 255.255.255.255

As long as 209.x.x.x is not the same IP as the one assigned to the outside interface, this will work just fine - assuming that you also have the proper acl applied.


hello again:
one more thing:
1. When I put "global (outside) 1 interface" from the telnet console I get:
"type ? for display all options", something wrong
2. After "nat (inside) 1 0 0 0" - NAT entry duplicated
Below is my configuration:
Can you look?
thx henry

Building configuration...
: Saved
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Ukmo5i.XUVFUnPym encrypted
passwd vfwNtDb5h6RVFg72 encrypted
hostname xxx-pix
domain-name xxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
name XX.xx.xx.xx Router
name test2
access-list acl_out permit ip any any
pager lines 24
logging trap debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.xx.xx.xx 255.xx.xx.xx
ip address inside 192.168.xx.xx
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.xx.xx inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group acl_out in interface inside
route outside Router 1
route inside test2 192.168.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.xx.xx inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
service resetoutside
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end

Les Moore, Sr. Systems Engineer
Top Expert 2008

>PIX Version 6.1(4)
OK. This old version does not support the "interface" keyword

 global (outside) 1 209.x.x.x  <= same IP as outside interface
 static (inside,outside) 209.x.x.y 192.168.X.Y  <== not same as either outside or inside interface IP

>access-list acl_out permit ip any any
>access-group acl_out in interface inside
You really don't want to do this. It sort of defeats the whole purpose of having a firewall.
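The three problems raised in this thread (a 1-1 static that shares the PAT/interface address, a static with no ACL applied on the outside interface, and a "permit ip any any" ACL bound to inside) are easy to check mechanically before pushing a config. The linter below is an added example, not code from the thread or from Cisco; it understands only the PIX 6.x commands discussed above (ip address, global, static, access-list, access-group), and the two configurations it runs over are constructed samples: 203.0.113.0/29 stands in for the 209.x.x.x block, 192.168.1.50 for the internal host, and the first sample includes the static the poster describes but omitted from the paste, pointed at the outside interface address.

```python
"""Lint a PIX 6.x configuration for the NAT/PAT and ACL problems raised in
this thread. Added example, not code from the thread or from Cisco; the
parser understands only the handful of PIX 6.x commands discussed above."""

# Constructed sample: the configuration as the poster describes it, with
# 203.0.113.0/29 standing in for the 209.x.x.x addresses and the 1-1 static
# (which the paste omits) pointing at the outside interface address.
POSTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit ip any any
ip address outside 203.0.113.1 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) 203.0.113.1 192.168.1.50 netmask 255.255.255.255
access-group acl_out in interface inside
"""

# Constructed sample applying the advice above: PAT on the interface address
# (given explicitly, as suggested for 6.1), the 1-1 static on a second public
# IP, a host-specific inbound ACL on outside, and no permit-everything ACL on
# inside. Port 23 is what the poster asked for; the linter checks plumbing,
# not whether exposing telnet is wise.
CORRECTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 203.0.113.1
nat (inside) 1 0 0
static (inside,outside) 203.0.113.2 192.168.1.50 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.2 eq telnet
access-group outside_in in interface outside
"""


def parse(config):
    """Collect the commands the linter needs into a dict."""
    cfg = {"ip": {}, "global": [], "static": [], "acl": {}, "access_group": {}}
    for raw in config.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[:2] == ["ip", "address"]:
            cfg["ip"][toks[2]] = toks[3]                      # ifname -> address
        elif toks[0] == "global":
            # global (outside) 1 <address|interface>
            cfg["global"].append((toks[1].strip("()"), toks[3]))
        elif toks[0] == "static":
            real_if, mapped_if = toks[1].strip("()").split(",")
            if toks[2] in ("tcp", "udp"):
                # static (inside,outside) tcp <mapped> <mport> <real> <rport> ...
                entry = {"proto": toks[2], "mapped": toks[3], "real": toks[5]}
            else:
                # static (inside,outside) <mapped> <real> netmask ...
                entry = {"proto": "ip", "mapped": toks[2], "real": toks[3]}
            entry.update(real_if=real_if, mapped_if=mapped_if)
            cfg["static"].append(entry)
        elif toks[0] == "access-list":
            cfg["acl"].setdefault(toks[1], []).append(toks[2:])
        elif toks[0] == "access-group":
            # access-group <name> in interface <ifname>
            cfg["access_group"][toks[4]] = toks[1]
    return cfg


def _addr(cfg, toks, i):
    """Resolve one ACL address spec (any | host X | interface NAME | X MASK)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    if toks[i] == "interface":
        return cfg["ip"].get(toks[i + 1]), i + 2
    return toks[i], i + 2


def _acl_permits_dest(cfg, rules, dest):
    """True if some permit line in the ACL names dest (or any) as destination."""
    for rule in rules:
        if rule[0] != "permit":
            continue
        _, i = _addr(cfg, rule, 2)          # skip the source spec
        dst, _ = _addr(cfg, rule, i)
        if dst in ("any", dest):
            return True
    return False


def lint(cfg):
    findings = []
    # Every address PAT hands out: explicit global addresses plus the interface IP.
    pat_addrs = {cfg["ip"].get(ifn) if a == "interface" else a for ifn, a in cfg["global"]}
    for s in cfg["static"]:
        mapped_if = s["mapped_if"]
        mapped = cfg["ip"].get(mapped_if) if s["mapped"] == "interface" else s["mapped"]
        # A whole-address static cannot share an IP with PAT on the same interface.
        if s["proto"] == "ip" and mapped in pat_addrs:
            findings.append(f"static {mapped} -> {s['real']}: address already used for PAT/interface; "
                            "use a spare public IP or a port (tcp/udp) static")
        # Inbound traffic to a static is dropped unless an ACL on the mapped interface permits it.
        acl_name = cfg["access_group"].get(mapped_if)
        if acl_name is None:
            findings.append(f"static {mapped}: no access-group on {mapped_if}, inbound traffic is dropped")
        elif not _acl_permits_dest(cfg, cfg["acl"].get(acl_name, []), mapped):
            findings.append(f"static {mapped}: ACL {acl_name} on {mapped_if} has no permit for it")
    # 'permit ip any any' bound to an interface switches the policy off on that interface.
    for ifn, acl_name in cfg["access_group"].items():
        for rule in cfg["acl"].get(acl_name, []):
            if rule[:4] == ["permit", "ip", "any", "any"]:
                findings.append(f"ACL {acl_name} on {ifn} permits all IP traffic")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, lint(parse(text)) or ["ok"])
```

Running it reports three findings for the first sample (the PAT collision, the missing access-group on outside, and the permit-all ACL on inside) and none for the second. The parser is deliberately narrow: global address ranges, object-groups and ACL source ports are not modelled.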



What is another way to establish this connection?
Upgrade this firewall, or I don't know (add one more interface to this firewall if possible)?
Configure a VPN?
Is it possible to configure a VPN on this firewall?

In my company I also have an ISA 2004 firewall, but it is not connected now.
In the future I'll connect these two firewalls (PIX and ISA) together in a back-to-back configuration.
What do you think? Is it a good idea to connect these firewalls together, or is it better to connect only the ISA 2004 firewall as the edge firewall?
Les Moore, Sr. Systems Engineer
Top Expert 2008

>What is another way to establish this connection
You have not exactly spelled out what this connection is supposed to do/be.

You said that you have more than 1 IP address to use. Then you can do just as I demonstrated above using 1 IP for the interface/global and another one for the 1-1 NAT.
You just have to adjust the acl. If you must permit all ip to this one host, through nat, then adjust the acl like this (although I still wouldn't recommend it):
access-list outside_in permit ip any host 209.x.x.y
access-group outside_in in interface outside

Else, yes, you can create a client VPN scenario to this PIX, VPN in from the client, then have full wonderful -secure- access to the internal server.

I would, however, suggest upgrading 6.1(4) to the latest 6.3(5) before doing that.
As far as utilizing both the PIX and the ISA, I would never use any system running MS Windows, which has to be patched often and unfailingly without time to test out the patches and rebooted often, as my edge firewall. The PIX is absolutely the better edge firewall. Use the ISA as a one-legged cache-only proxy to control user outbound access, provide reports, and enhance the user experience.
I see no viable reason to connect these two firewalls back-back


I'll try to configure what you recommend:
VPN on the Cisco firewall + ISA as a proxy inside my network.
Maybe you have a link to the latest Cisco software?
Is this upgrade safe, or do I have to expect surprises?
Les Moore, Sr. Systems Engineer
Top Expert 2008

You'll have to have a CCO account login to get the upgrade.
The upgrade is safe and painless and "fixes" a lot of things. If you also get the PDM3.04 that goes with it, it wraps a nice Java based GUI around it with VPN wizards that make it a snap to configure VPN's.



See ya next time, I'm sure. :)


Hello again,
I have one more question about the ISA 2004 server.
I have ISA installed on a Windows 2003 server.
If I want to configure ISA as a proxy server and a machine to control internet access (for the inside network, e.g. control users' access to the internet only at "lunch time"), what do I need? A custom scenario?
When I check the templates in ISA I have the option to choose:
1. Edge Firewall
2. 3-Leg Perimeter
3. Front Firewall
4. Back Firewall
5. Single Network Adapter
If I choose option 5 I'll be able to configure a proxy server, but probably I won't be able to install "firewall clients".
How can I manage internet access on local computers from ISA?
Les Moore, Sr. Systems Engineer
Top Expert 2008

You set the ISA up with a single adapter, in cache-only mode.
Set the PIX to only allow the ISA's IP address out to www.
Set the clients' IE to use a proxy setting. This can be set in domain policies, or through DHCP.
No firewall client needed.
ISA can control who gets out and when.
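"Set the PIX to only allow the ISA's IP address out to www" means binding an ACL to the inside interface; once any ACL is applied there, the PIX's default of letting higher-security traffic out is replaced by first-match evaluation with an implicit deny at the end, which is exactly what makes the proxy-only design enforceable. The evaluator below is an added example, not configuration or code from the thread; it models that first-match/implicit-deny behaviour for the ACL forms used here (any, host, address/mask, eq port). The ISA address 192.168.1.10 and the egress lines are constructed assumptions, and 443 and DNS are added on the assumption that the proxy needs HTTPS and name resolution too; the page only says "www".

```python
"""First-match evaluation of a PIX-style egress ACL for the proxy-only
design described above. Added example, not code or configuration from the
thread; it models PIX 6.x ACL semantics (first matching line wins, implicit
deny at the end) for the syntax forms used below. Source ports, object
groups and ICMP types are not modelled."""
import ipaddress

ISA_IP = "192.168.1.10"   # assumed address of the ISA cache-only proxy (hypothetical)

# Constructed egress policy for the inside interface: only the ISA box may
# reach web ports (plus DNS); every other LAN host hits the implicit deny.
PROXY_ONLY_ACL = [
    f"access-list inside_out permit tcp host {ISA_IP} any eq www",
    f"access-list inside_out permit tcp host {ISA_IP} any eq https",
    f"access-list inside_out permit udp host {ISA_IP} any eq domain",
]

# The ACL bound to inside in the poster's configuration: a single permit-all line.
PERMIT_ALL_ACL = ["access-list acl_out permit ip any any"]

# Port keywords PIX accepts in place of numbers (subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25, "telnet": 23}


def _parse_addr(toks, i):
    """Return (network, next_index) for any | host X | X MASK."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2


def _parse_port(toks, i):
    """Return (port or None, next_index); only the 'eq' operator is modelled."""
    if i < len(toks) and toks[i] == "eq":
        p = toks[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(lines):
    """access-list NAME permit|deny PROTO SRC [eq P] DST [eq P] -> rule tuples."""
    rules = []
    for line in lines:
        toks = line.split()
        action, proto = toks[2], toks[3]
        src, i = _parse_addr(toks, 4)
        sport, i = _parse_port(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, _ = _parse_port(toks, i)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport):
    """First matching rule decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, _rsport, rdst, rdport in rules:
        if rproto not in ("ip", proto):
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action == "permit"
    return False


if __name__ == "__main__":
    proxy = parse_acl(PROXY_ONLY_ACL)
    permit_all = parse_acl(PERMIT_ALL_ACL)
    web = "198.51.100.7"   # constructed external web server address
    print("ISA -> web:80       ", evaluate(proxy, "tcp", ISA_IP, web, 80))
    print("workstation -> web:80", evaluate(proxy, "tcp", "192.168.1.25", web, 80))
    print("ISA -> smtp:25      ", evaluate(proxy, "tcp", ISA_IP, web, 25))
    print("permit-all, irc:6667", evaluate(permit_all, "tcp", "192.168.1.25", web, 6667))
```

With the proxy-only ACL the ISA host reaches 80/443, a workstation going direct to port 80 is denied, and even the ISA cannot open SMTP; the poster's permit-all ACL lets a workstation out on any port. On a real PIX, append an explicit "deny ip any any" with logging if you want the implicit drops to show up in syslog.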