How to do NAT and PAT on Cisco 515?

I am setting up a Cisco PIX 515 firewall that has an outside interface address of and an inside interface address of  I also have webserver with address of  This pix's firmware is Cisco PIX Security Appliance Software Version 7.2(4)  and Device Manager Version 5.2(4).  It is configured to use PAT and the outside interfaces address for all of the inside interface lan traffic accessing the internet.  Using the PDM, how would I setup a NAT rule so that I can access my website using as my outside interface ip and have it translate to accessing the webserver?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Try this:

static (inside,outside) tcp interface 80 80 netmask
access-list web_traffic permit tcp any interface outside eq 80
access-group web_traffic in interface outside

This is assuming that you don't already have an ACL applied to the outside interface.  If that doesn't work then try this:

static (inside,outside) tcp 80 80 netmask
access-list web_traffic permit tcp any host eq 80
access-group web_traffic in interface outside
AFLLCAuthor Commented:
Wouldn't that just port forward port 80 to  I need it to use a second ip of
Sorry, I read that wrong in your post:

static (inside,outside) netmask <-- 1-to1 NAT
access-list web_traffic permit tcp any host eq 80 <-- allow traffic
access-group web_traffic in interface outside <-- Apply to interface

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AFLLCAuthor Commented:
It doesn't seem to be working for me.  Can you take a look at the whole config to see if I did something wrong?  I don't have the same named access-group as you have specified so I had it applied to the  outside_access_in.

rcs-fw-colo# show running-config 
: Saved
PIX Version 7.2(4) 
hostname test1
domain-name test.local
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address 
interface Ethernet1
 nameif inside
 security-level 100
 ip address 
interface Ethernet2
 no nameif
 no security-level
 no ip address
interface Ethernet3
 no nameif
 no security-level
 no ip address
interface Ethernet4
 no nameif
 no security-level
 no ip address
interface Ethernet5
 no nameif
 no security-level
 no ip address
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host eq www 
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101
static (inside,outside) netmask 
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
service-policy global_policy global
prompt hostname context 
: end

Open in new window

AFLLCAuthor Commented:
nevermind, it works.  thank, you.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.