Map public to private IP address?

ikhmer used Ask the Experts™
Dear all,

Please see the connection below. I want to map one public IP on the PIX to the internal IP of one server which is not under the subnet of Router 1.
Is it possible to do this without adding a route back to the public IP in R2 and R1?


r1: is the default gw router of
r2: is the default gw router of
server--> is the ip address of target server in ranges
pix: have public ip and the other end connect to network

Pete Long, Technical Consultant

The PIX cannot route; however, you can
route inside0.0.0.0  (note this assumes that R1 knows to route traffic to R2)

static (inside,outside) {public IP} netmask

First, make sure you can ping server-->pix and vice versa.

If not, do tracert pix_IP, find the path, and add the necessary routes in R1 and R2 in order to reach the PIX.

route inside interface_IP 1
 (if you don't get a ping reply from PIX-->server)

Static NAT:

static (inside,outside) public_IP netmask 0 0


R1 and R2 can reach the inside interface of the PIX (internal IP), but Internet users cannot communicate with the target server. And from R2 or the server, I could not ping the public IP either.

I don't think we should add a route back from R1 and R2 to the public IP, to avoid security issues!


OK, that's fine. You need to add static NAT and try to ping from the internet.

Hope you are able to "ping inside" from the PIX console and get a reply.


I'm not very clear.
Let's say is my public IP which will map to  when someone connects to this public IP I want it forwarded to

So, do you mean to this public to private IP? How can it map and allow internet users to access resources of and this server is behind two routers.

Please help give me a clear idea.
static (inside,outside) netmask 0 0

The NAT translation table will be maintained by the PIX, no need to worry.

You need to make sure you can reach the server from the PIX console.

ping inside  should be successful

Additionally, if you need to expose any of the services of the server (like web, etc.) you need to add an access-list and allow it in an access-group.

sh run | incl access-group --> the output will show if any access-list is applied on the outside interface. Then add an access-list entry to it allowing the particular service.

example: access-list out_acc permit tcp any host eq 80


Thanks for your quick support!

From the PIX it can talk to without any problem, but I still could not access this server from outside by using the above public IP...

From that server, I traced back to the public IP for testing and found that it could not pass R2.



I'm afraid it is because this server is not in the same subnet as the internal PIX interface.
pix internal belong to subnet , server is under

Please execute sh run | incl route

route inside interface_IP 1

The above line will help your PIX understand that it needs to route inside.

This info is available in the PIX, else you could not ping the server from the PIX console.

Please trace from an outside network. From inside it won't work (-->From that server, i trace back to public ip for testing and found that it could not pass R2.!)

Is that public IP the real one? If so, I could reach till

10   220 ms   221 ms   233 ms
11   211 ms   210 ms   212 ms
12   221 ms   239 ms   237 ms
13   266 ms   243 ms   249 ms
14   256 ms   252 ms   272 ms
15   270 ms   257 ms   252 ms
16   274 ms   251 ms   246 ms
17   278 ms   281 ms   289 ms
18   252 ms   273 ms   245 ms


Thank you! By the way, that is not the real IP.
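
The pieces suggested across this thread, assembled in one place as an added example (not posted by any participant). It uses the older PIX syntax seen in the thread, and every address is constructed: 203.0.113.10 stands for the public IP, 192.168.20.50 for the server behind R2, 192.168.10.0/24 for the PIX inside subnet with R1 at 192.168.10.2. The lines starting with ":" are annotations.

```cisco
: Constructed addresses (assumptions, not from the thread):
:   203.0.113.10     public IP presented on the PIX outside
:   192.168.10.0/24  PIX inside subnet; R1 is 192.168.10.2
:   192.168.20.50    target server, on the subnet behind R2
:
: 1. Tell the PIX how to reach the server subnet through R1.
:    R1 must in turn know the path to R2.
route inside 192.168.20.0 255.255.255.0 192.168.10.2 1
:
: 2. One-to-one static NAT: public IP -> server's private IP.
static (inside,outside) 203.0.113.10 192.168.20.50 netmask 255.255.255.255 0 0
:
: 3. Permit only the service being published, addressed to the
:    public (mapped) IP, and bind the ACL to the outside interface.
access-list out_acc permit tcp any host 203.0.113.10 eq 80
access-group out_acc in interface outside
:
: R1 and R2 need no route for 203.0.113.10. The server's replies are
: addressed to the Internet client, so the routers' default routes
: only have to lead back to the PIX inside interface, where the
: static translation rewrites the source on the way out.
```

Test from a host on the outside, as advised above; on the PIX, `show xlate` lists the static translation and `show access-list out_acc` shows whether the permit line is being hit.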
