Configure PIX 506E from using multiple static IPs to single static IP

Posted on 2007-10-11
Last Modified: 2012-05-05
Our PIX 506E is currently configured to NAT using a range of static IPs provided by our ISP.  I have one static route for our Exchange server.  As I now understand it I should be able to NAT the LAN through a single static IP, but I confess I'm someone who has learned this stuff from the middle out and whose eyes often glaze over when trying to get the fundamentals (i.e. reading the Command Reference).  Basically, what I'm trying to avoid is using PAT because the Cisco documentation warned that it would break certain media protocols and we deal heavily in the creation of various media file types.  So using NAT exclusively seemed the safest way to go.

So, this is one you folks can answer blindfolded, I'm sure.  Help and enlightenment is appreciated.  

Here are the current relevant statements from the config.  Thanks.

global (outside) 1 xx.yyy.zzz.41-xx.yyy.zzz.62 netmask
nat (inside) 1 0 0
static (inside,outside) xx.yyy.zzz.35 netmask 0 0
Question by: pierc2
    LVL 11

    Expert Comment

    pierc2, NAT using a single IP = PAT.

    Media protocols and media files are totally different things. You can send an mp3 file on a CD using ground mail, you can email it, you can send it over HTTP/FTP, you can transfer it using MS SMB/CIFS protocols or you can stream it using RTP/RTCP. All these different network (or not network) protocols will allow you to move the same media file from one place to another. And these different protocols can or cannot tolerate PAT. A mailed CD doesn't care about your network at all :)
    LVL 5

    Expert Comment

    Are you asking how to use a single IP as your global nat address rather than a range?

    If so you can use

    global (outside) 1 xx.yyy.zzz.41 netmask


    global (outside) 1 interface

    if you want to use the IP address of your outside interface

    note: this will not affect the address users connect to your exchange server with


    Author Comment

    tvman od:
    I knew I was going to get an answer highlighting my ignorance of NAT/PAT.  

    I am aware of the distinction between media files and protocols.  I should have left off the words "file types."  

    From ciscopress Cisco Secure PIX Firewalls:  "Do not use PAT when running multimedia applications through the PIX firewall.  Multimedia applications may need to access specific ports and can conflict with port mappings provided by PAT."  

    So, off hand can you advise as to exactly which protocols aren't going to work with PAT?  

    Also, can I infer from your response that true NAT involves using static IPs equal in number to the internal IPs going through the firewall, otherwise some level of PAT is happening?

    Author Comment


    Yes, I guess I am.  Thanks.  But for clarification, at that point it looks like I am really doing PAT, as per 'tvman od', so I just need to do some more homework and make sure nothing potentially important could get broken.  At the core of this question is a potential ISP switch.  The new provider would allot me a max of 5 static IPs so I guess I could reserve one for Exchange, one for the router, and NAT the other 3.  When the local addresses needing to translate exceed 3 then the PATing begins, right?

    I realize I'm probably being over-cautious about PAT.  A little knowledge is a dangerous thing, eh?  As I said, I need to do more homework.

    Author Comment

    Correction... Of the 3 non-routed static IPs I would create a range from 2 (yes, not much of a range) and then create an additional global statement for the third that would be the PAT address.
    LVL 5

    Accepted Solution

    NAT is Network Address Translation; this means translating an IP address to a different IP address.
    PAT is Port Address Translation. Whenever you use NAT you are inherently using PAT, because the port you are receiving info on with your public IP address is translated to the same port on your server or workstation's local address. It is nothing to be afraid of. It is time tested.

    What you want to be careful of, and what you are probably reading is bad, is something like

    static (inside, outside) tcp xx.yyy.zzz.41 1199 25 netmask 0 0

    which would take requests sent to your public address on port 1199 and forward them to your server - port 35. This is specifying PAT directly and is bad if you don't know what you are doing. Often you will see things like

    static (inside, outside) tcp outside 25 25 netmask 0 0

    So that people can use their outside interface IP to send only port 25 to their exchange server and leave the other ports open for normal NATing.

    In any event you do not need a public IP for every private IP; that sort of defeats the benefits of NATing, which is to convert many private IP addresses to few or one public IP address. Your config of one public IP for the router, one for the exchange server, and one IP for everything else is perfectly acceptable.
    LVL 11

    Assisted Solution

    Protocols which carry address information inside the payload have problems with NAT/PAT. A typical example is VoIP protocols like SIP/H.323. Signaling SIP messages have information about media addressing, in other words which address/port to send the UDP/RTP stream to, and when the endpoint is behind NAT/PAT this information will be incorrect and nothing will work. Most of the SIP devices/applications will detect this situation and use special techniques for NAT traversal like STUN. Another example is RTP/RTCP over UDP audio/video streaming. The same story: the client will send a request with information about where it will expect the stream (address and port), but it's different from signaling, so classic NAT/PAT will drop packets which don't match any existing translation in the router.
    LVL 32

    Assisted Solution

    If you're having a considerable amount of connections going out as of now, you're already doing PAT; now whether you have 5 free IPs or 10 doesn't really matter here.

    If you could explain what specific media we are talking about here, we'd be able to tell you if Cisco has a fix for it on NAT-T.
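    Pulling the thread's pieces together (the author's 2+1 address plan, the accepted solution's fixed mapping for Exchange, and the payload-embedded-address problem raised in the two assisted solutions), this is what the PIX 6.x statements would look like. It is an added example, not configuration posted in the thread: the xx.yyy.zzz.* addresses stand in for whatever the new ISP allots, and the /29 netmask and the 192.168.1.10 inside address of the Exchange server are assumed.

```cisco
: Pool of two public addresses handed out one-to-one first (plain NAT)
global (outside) 1 xx.yyy.zzz.41-xx.yyy.zzz.42 netmask 255.255.255.248
: Third address under the same NAT ID: used for PAT only once the pool is exhausted
global (outside) 1 xx.yyy.zzz.43 netmask 255.255.255.248
: Every inside host is eligible for translation under NAT ID 1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: Exchange keeps a fixed one-to-one mapping (no port rewriting); the inside
: address 192.168.1.10 is assumed, it does not appear in the thread
static (inside,outside) xx.yyy.zzz.35 192.168.1.10 netmask 255.255.255.255 0 0
: A static alone admits nothing inbound on PIX 6.x; open only SMTP to Exchange
access-list outside_in permit tcp any host xx.yyy.zzz.35 eq smtp
access-group outside_in in interface outside
: Application inspection rewrites the address/port carried inside the signalling
: payload (the SIP/H.323 case above) so it matches the translation the PIX built;
: these are the default ports, confirm what is active with "show fixup"
fixup protocol sip 5060
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rtsp 554
```

    A protocol the PIX has no fixup for, and that lacks NAT traversal of its own (STUN or similar), still breaks on the PAT address; the host running it needs one of the pool addresses pinned to it with its own static instead.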


    Author Comment

    Folks, this is fantastic clarification.  Much more so than I've gotten from any documentation.  I think I'm cool now.  Many thanks for the help!
