Configure PIX 506E from using multiple static IPs to single static IP

Our PIX 506E is currently configured to NAT using a range of static IPs provided by our ISP.  I have one static route for our Exchange server.  As I now understand it I should be able to NAT the LAN through a single static IP, but I confess I'm someone who has learned this stuff from the middle out and whose eyes often glaze over when trying to get the fundamentals (i.e. reading the Command Reference).  Basically, what I'm trying to avoid is using PAT because the Cisco documentation warned that it would break certain media protocols and we deal heavily in the creation of various media file types.  So using NAT exclusively seemed the safest way to go.

So, this is one you folks can answer blindfolded, I'm sure.  Help and enlightenment is appreciated.  

Here's the current relevant statements from the config.  Thanks.

global (outside) 1 xx.yyy.zzz.41-xx.yyy.zzz.62 netmask
nat (inside) 1 0 0
static (inside,outside) xx.yyy.zzz.35 netmask 0 0
Darkstriker69 Commented:
NAT is Network Address Translation, which means translating an IP address to a different IP address.
PAT is Port Address Translation. Whenever you use NAT you are inherently using PAT, because the port you are receiving info on with your public IP address is translated to the same port on your server or workstation's local address. It is nothing to be afraid of. It is time tested.

What you want to be careful of, and what you are probably reading is bad, is something like

static (inside, outside) tcp xx.yyy.zzz.41 1199 25 netmask 0 0

which would take requests sent to your public address on port 1199 and forward them to your server - port 35. This is specifying PAT directly and is bad if you don't know what you are doing. Often you will see things like

static (inside, outside) tcp outside 25 25 netmask 0 0

So that people can use their outside interface IP to send only port 25 to their Exchange server and leave the other ports open for normal NATing.

In any event you do not need a public IP for every private IP; that sort of defeats the benefits of NATing, which is to convert many private IP addresses to few or one public IP address. Your config of one public IP for the router, one for the Exchange server, and one IP for everything else is perfectly acceptable.
tvman_od Commented:
pierc2, NAT using a single IP = PAT.

Media protocols and media files are totally different things. You can send an mp3 file on a CD using ground mail, you can email it, you can send it over HTTP/FTP, you can transfer it using MS SMB/CIFS protocols, or you can stream it using RTP/RTCP. All these different network (or non-network) protocols will allow you to move the same media file from one place to another. And these different protocols can or cannot tolerate PAT. A mailed CD doesn't care about your network at all :)
Are you asking how to use a single IP as your global NAT address rather than a range?

If so you can use

global (outside) 1 xx.yyy.zzz.41 netmask

or

global (outside) 1 interface

if you want to use the IP address of your outside interface.

Note: this will not affect the address users connect to your Exchange server with.


pierc2 (Author) Commented:
tvman od:
I knew I was going to get an answer highlighting my ignorance of NAT/PAT.  

I am aware of the distinction between media files and protocols.  I should have left off the words "file types."  

From ciscopress Cisco Secure PIX Firewalls:  "Do not use PAT when running multimedia applications through the PIX firewall.  Multimedia applications may need to access specific ports and can conflict with port mappings provided by PAT."  

So, off hand can you advise as to exactly which protocols aren't going to work with PAT?  

Also, can I infer from your response that true NAT involves using static IPs equal in number to the internal IPs going through the firewall, otherwise some level of PAT is happening?
pierc2 (Author) Commented:

Yes, I guess I am.  Thanks.  But for clarification, at that point it looks like I am really doing PAT, as per 'tvman od', so I just need to do some more homework and make sure nothing potentially important could get broken.  At the core of this question is a potential ISP switch.  The new provider would allot me a max of 5 static IPs so I guess I could reserve one for Exchange, one for the router, and NAT the other 3.  When the local addresses needing to translate exceed 3 then the PATing begins, right?

I realize I'm probably being over cautious about PAT.  A little knowledge is a dangerous thing, eh?  As I said, I need to do more homework.
pierc2 (Author) Commented:
Correction....Of the 3 non-routed static IPs I would create a range from 2 (yes, not much of a range) and then create an additional global statement for the third that would be the PAT address.
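As an added example that is not from this thread, here is PIX 6.x syntax for the plan in the correction above: one one-to-one static for Exchange, a two-address NAT pool, and a separate single PAT address under the same nat_id, which the PIX uses only once both pool addresses are taken. All addresses are constructed: 203.0.113.32/29 stands in for the new ISP block (gateway assumed at .33, the PIX outside interface at .34), 192.168.1.0/24 for the LAN, and 192.168.1.10 for the Exchange server.

```cisco
! Added example, not from the thread. All addresses are constructed placeholders.
ip address outside 203.0.113.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.33 1
!
! One-to-one NAT for Exchange: 203.0.113.35 on the outside always maps to the
! mailbox server, so this address is independent of the global/nat statements below.
static (inside,outside) 203.0.113.35 192.168.1.10 netmask 255.255.255.255 0 0
!
! Pool of two addresses for dynamic NAT. The nat_id (1) is shared with the PAT
! address that follows; the PIX hands out pool addresses first.
global (outside) 1 203.0.113.36-203.0.113.37 netmask 255.255.255.248
!
! Single PAT address, used only after both pool addresses are in use.
! "global (outside) 1 interface" would do the same with the outside interface IP.
global (outside) 1 203.0.113.38 netmask 255.255.255.248
!
! Translate every inside host with nat_id 1 (same meaning as "nat (inside) 1 0 0").
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
! Inbound: only SMTP to the Exchange static is permitted; everything else is
! dropped by the implicit deny at the end of the list.
access-list outside_in permit tcp any host 203.0.113.35 eq smtp
access-group outside_in in interface outside
```

Hosts using the pool addresses keep a full one-to-one mapping for the life of their xlate, so the applications that are sensitive to PAT (as discussed below) only lose that property once the two pool addresses are exhausted.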
tvman_od Commented:
Protocols which carry address information inside the payload have problems with NAT/PAT. A typical example is VoIP protocols like SIP/H.323. Signaling SIP messages carry information about media addressing, in other words which address/port to send the UDP/RTP stream to, and when the endpoint is behind NAT/PAT this information will be incorrect and nothing will work. Most SIP devices/applications will detect this situation and use special techniques for NAT traversal like STUN. Another example is RTP/RTCP over UDP audio/video streaming. The same story: the client will send a request with information about where it expects the stream (address and port), but that is different from the signaling, so classic NAT/PAT will drop packets which don't match any existing translation in the router.
rsivanandan Commented:
If you have a considerable number of connections going out as of now, you're already doing PAT; whether you have 5 free IPs or 10 doesn't really matter here.

If you could explain what specific media we are talking about here, we'd be able to tell you if Cisco has a fix for it on NAT-T.

pierc2 (Author) Commented:
Folks, this is fantastic clarification.  Much more so than I've gotten from any documentation.  I think I'm cool now.  Many thanks for the help!