

How to do NAT and PAT on Cisco 515?

Posted on 2010-03-30
Medium Priority
Last Modified: 2012-08-14
I am setting up a Cisco PIX 515 firewall that has an outside interface address of and an inside interface address of  I also have a webserver with address of  This PIX's firmware is Cisco PIX Security Appliance Software Version 7.2(4) and Device Manager Version 5.2(4). It is configured to use PAT and the outside interface's address for all of the inside interface LAN traffic accessing the internet. Using the PDM, how would I set up a NAT rule so that I can access my website using as my outside interface IP and have it translate to accessing the webserver?
Question by:AFLLC

Expert Comment

ID: 29117445
Try this:

static (inside,outside) tcp interface 80 80 netmask
access-list web_traffic permit tcp any interface outside eq 80
access-group web_traffic in interface outside

This is assuming that you don't already have an ACL applied to the outside interface.  If that doesn't work then try this:

static (inside,outside) tcp 80 80 netmask
access-list web_traffic permit tcp any host eq 80
access-group web_traffic in interface outside

Author Comment

ID: 29118023
Wouldn't that just port forward port 80 to  I need it to use a second ip of

Accepted Solution

qbakies earned 1000 total points
ID: 29118506
Sorry, I read that wrong in your post:

static (inside,outside) netmask <-- 1-to-1 NAT
access-list web_traffic permit tcp any host eq 80 <-- allow traffic
access-group web_traffic in interface outside <-- Apply to interface

Author Comment

ID: 29132306
It doesn't seem to be working for me.  Can you take a look at the whole config to see if I did something wrong?  I don't have the same named access-group as you have specified so I had it applied to the  outside_access_in.

rcs-fw-colo# show running-config 
: Saved
PIX Version 7.2(4) 
hostname test1
domain-name test.local
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address 
interface Ethernet1
 nameif inside
 security-level 100
 ip address 
interface Ethernet2
 no nameif
 no security-level
 no ip address
interface Ethernet3
 no nameif
 no security-level
 no ip address
interface Ethernet4
 no nameif
 no security-level
 no ip address
interface Ethernet5
 no nameif
 no security-level
 no ip address
ftp mode passive
dns server-group DefaultDNS
 domain-name rewardcardsolutions.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host eq www 
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101
static (inside,outside) netmask 
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
service-policy global_policy global
prompt hostname context 
: end


Author Comment

ID: 29135160
Never mind, it works. Thank you.
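
Added example, not part of the original thread: a Python check that reads a saved PIX 7.x configuration and reports, for each 1-to-1 static, what the ACL bound inbound on the mapped interface actually permits to it. The addresses are constructed placeholders (192.0.2.x outside, 10.0.0.x inside) because the thread's own addresses are not shown, and the audit() helper and its status strings are hypothetical names chosen for this example.

```python
import re

# Constructed sample in PIX 7.x syntax; addresses are documentation/private
# placeholders, not the values from the thread (which the page does not show).
SAMPLE = """\
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.2.11 10.0.0.20 netmask 255.255.255.255
static (inside,outside) 192.0.2.12 10.0.0.21 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 192.0.2.11 eq www
access-list outside_access_in extended permit tcp any host 10.0.0.21 eq www
access-group outside_access_in in interface outside
"""

STATIC = re.compile(r"^static \((\w+),(\w+)\) (\d\S+) (\d\S+) netmask (\S+)")
ACE = re.compile(r"^access-list (\S+) (?:extended )?permit (\w+) any host (\S+)(?: eq (\S+))?")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit(config):
    """For each 1-to-1 static, list what the inbound ACL permits to it."""
    statics, aces, bound = [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC.match(line):
            statics.append(m.groups())
        elif m := ACE.match(line):
            aces.append(m.groups())
        elif m := GROUP.match(line):
            bound[m.group(2)] = m.group(1)   # interface -> ACL name
    report = []
    for real_if, mapped_if, mapped_ip, real_ip, _mask in statics:
        acl = bound.get(mapped_if)
        hits = [(p, port or "any") for n, p, dst, port in aces if n == acl and dst == mapped_ip]
        # Pre-8.3 software matches the ACL against the mapped address, so an
        # ACE written for the real (inside) address never matches inbound traffic.
        wrong = any(n == acl and dst == real_ip for n, _p, dst, _port in aces)
        if acl is None:
            status = "no ACL bound inbound on " + mapped_if
        elif hits:
            status = "exposed"
        elif wrong:
            status = "ACE targets real address"
        else:
            status = "no permit ACE"
        report.append({"mapped": mapped_ip, "real": real_ip, "permits": hits, "status": status})
    return report

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The "exposed" rows are the ones to review: each lists the protocol and port the outside world can reach on that mapped address.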
