PIX version 6.3 NAT and PAT

Feb 22nd, 2007

Hi Firewall Gurus,

I'm just a bit confused with the NAT and PAT capabilities of a PIX firewall. For example I have this configuration:

global (outside) 2 210.*.*.49- netmask

global (outside) 2 202.*.*.34

nat (inside) 2 0 0

1. Why do I still have to include the subnet mask in the global command?

2. What will happen to this kind of configuration?

3. Will it be a NAT or PAT, and what CLI command specifies whether it is NAT or PAT?

4. What if I want to have a one-to-one dynamic translation? What config should I do?

Here's what I have in mind: the first 7 workstations from the subnet will NAT to , then the succeeding workstations will PAT to this IP address range. Please correct me if I'm wrong.

Because we have clients that use a VPN client that needs one-to-one public IP translation and should not be port address translated. All of these are dynamic NAT and PAT.

Another question.

How does the PIX firewall interpret a nat (inside) access-list command?

What if I have this configuration:

global (outside) 2

global (outside) 3

nat (inside) 2 access-list 2

nat (inside) 3 access-list 3

access-list 2 permit ip any host

access-list 2 permit ip any host

access-list 3 permit ip any any

Is this going to be read in parallel? I mean, if the destination IP is and , I always want to translate it to , not , because access-list 3 will also satisfy the condition, which is "any any".

Sorry for so many questions but I just want to clarify everything.

Thank you very much.

scheikhnajib Thu, 02/22/2007 - 05:44


1. I'm not sure

2. Your assumption is correct. The NAT will be served on a first come, first served basis, so the first 7 addresses will be NAT'ed and the rest will be PAT'ed.

3. It's always a NAT command but when the corresponding GLOBAL command contains a single IP then the PIX will know that this is a PAT.

4. Use the STATIC command and have your private range followed by the public range.

What do you mean by: "Because we have clients that use VPN client that needs one-to-one public IP translation and should not be port address translated. All of these are dynamic NAT and PAT" ... do you have clients on the inside who want to connect to another VPN concentrator, or do you have clients who want to connect to this PIX? If it's the first option then they can use PAT; if it's the second option then I didn't get your point.

As for your NAT example:

All IP connections to and will get the when they get out of the PIX, and all other connections will get the address. All you need to do is add two deny statements to ACL 3 before your permit any statement, like:

access-list 3 deny ip any host

access-list 3 deny ip any host

access-list 3 permit ip any any

Hope this was helpful.
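To make the behaviour in this reply concrete, here is a small Python model of how the nat ID, the global entries and the nat access-list interact. It is an added illustration written for this thread, not PIX code and not Cisco's actual algorithm: it encodes only what the replies state (a nat ID is served by the global entries with the same ID; a global address range is handed out one address per inside host, first come first served, with the source port kept; once the range is exhausted a single-address global entry with the same ID is used for PAT; a nat statement with an access-list applies only to traffic the list permits, so a deny entry makes that nat ID skip the traffic). The model checks policy nat rules before plain ones in configuration order and always rewrites the port under PAT, both simplifications. All addresses are RFC 5737 documentation addresses constructed for the example, and the function and class names are the model's own.

```python
"""Toy model of PIX 6.3 dynamic NAT/PAT selection (added illustration, not PIX code)."""
from ipaddress import IPv4Address
from itertools import count


class Acl:
    """Ordered (action, destination host or None) entries; first match wins, None means 'any'."""

    def __init__(self, entries):
        self.entries = [(a, None if h is None else IPv4Address(h)) for a, h in entries]

    def permits(self, dst):
        for action, host in self.entries:
            if host is None or host == dst:
                return action == "permit"
        return False  # implicit deny at the end of every access-list


class Pix:
    def __init__(self):
        self.nat_rules = []  # (nat_id, Acl or None) in configuration order
        self.pools = {}      # nat_id -> free global addresses from range entries
        self.pat_addr = {}   # nat_id -> single global address used for PAT
        self.xlate = {}      # (inside_ip, nat_id) -> global ip (dynamic NAT, ports kept)
        self.pat_xlate = {}  # (inside_ip, src_port, nat_id) -> (pat_ip, pat_port)
        self.pat_ports = count(1024)  # simplification: PAT always allocates a new port

    def global_range(self, nat_id, first, last):
        """global (outside) <id> first-last netmask ... : a pool of addresses."""
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.pools.setdefault(nat_id, []).extend(IPv4Address(i) for i in range(lo, hi + 1))

    def global_single(self, nat_id, addr):
        """global (outside) <id> a.b.c.d : a single address, used for PAT."""
        self.pat_addr[nat_id] = IPv4Address(addr)

    def nat(self, nat_id, acl=None):
        """nat (inside) <id> 0 0, or nat (inside) <id> access-list <n> when acl is given."""
        self.nat_rules.append((nat_id, acl))

    def _select_nat_id(self, dst):
        # Policy nat (with access-list) is considered before plain nat, in config order.
        policy = [(i, a) for i, a in self.nat_rules if a is not None]
        plain = [(i, a) for i, a in self.nat_rules if a is None]
        for nat_id, acl in policy + plain:
            if acl is None or acl.permits(dst):
                return nat_id
        return None

    def translate(self, src, sport, dst):
        """Return (global_ip, global_port) for a new outbound flow, or None if no rule applies."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        nat_id = self._select_nat_id(dst)
        if nat_id is None:
            return None
        if (src, nat_id) in self.xlate:            # host already holds a pool address
            return self.xlate[(src, nat_id)], sport
        pool = self.pools.get(nat_id, [])
        if pool:                                   # dynamic one-to-one NAT: port unchanged
            gaddr = pool.pop(0)
            self.xlate[(src, nat_id)] = gaddr
            return gaddr, sport
        pat = self.pat_addr.get(nat_id)
        if pat is None:
            return None                            # nat ID with nothing left to hand out
        key = (src, sport, nat_id)
        if key not in self.pat_xlate:              # PAT: shared address, rewritten port
            self.pat_xlate[key] = (pat, next(self.pat_ports))
        return self.pat_xlate[key]


def pool_then_pat_demo():
    """The poster's layout: a 7-address range plus one PAT address, both under nat ID 2."""
    pix = Pix()
    pix.global_range(2, "203.0.113.10", "203.0.113.16")   # constructed 7-address range
    pix.global_single(2, "203.0.113.34")                  # constructed PAT address
    pix.nat(2)                                            # nat (inside) 2 0 0
    # Nine inside hosts open one flow each to the same outside server.
    return [pix.translate(f"192.168.1.{h}", 40000, "198.51.100.80") for h in range(1, 10)]


def policy_nat_demo(with_deny):
    """The fix in this reply: deny the special hosts in ACL 3 so nat 3 does not claim them.
    nat 3 is configured first on purpose, so only the deny entries keep it from matching."""
    pix = Pix()
    pix.global_single(2, "203.0.113.2")
    pix.global_single(3, "203.0.113.3")
    acl3 = [("deny", "198.51.100.10"), ("deny", "198.51.100.11")] if with_deny else []
    pix.nat(3, Acl(acl3 + [("permit", None)]))
    pix.nat(2, Acl([("permit", "198.51.100.10"), ("permit", "198.51.100.11")]))
    return {dst: str(pix.translate("192.168.1.5", 40000, dst)[0])
            for dst in ("198.51.100.10", "198.51.100.11", "198.51.100.99")}


if __name__ == "__main__":
    for host, (gip, gport) in enumerate(pool_then_pat_demo(), start=1):
        print(f"192.168.1.{host}:40000 -> {gip}:{gport}")
    print("with deny:   ", policy_nat_demo(True))
    print("without deny:", policy_nat_demo(False))
```

Running it shows hosts 1 to 7 each receiving their own pool address with port 40000 untouched, hosts 8 and 9 sharing 203.0.113.34 with rewritten ports, and the two special destinations leaving via 203.0.113.2 only when ACL 3 carries the deny entries.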


John Patrick Lopez Thu, 02/22/2007 - 06:00

This is very helpful! Thanks for the quick reply.

What I mean in the VPN situation is that we have internal employees who need access to an outside VPN concentrator (not in our control) and need a one-to-one dynamic translation. Their VPN connection won't work if it is Port Address Translated.

About number 4, I thought you would use the static command if you want a one-to-one static translation? But what if I want a one-to-one dynamic translation? Thanks a lot. =)

scheikhnajib Thu, 02/22/2007 - 06:18

The VPN should work, and I know that for a fact since I did that many times. Simply, whenever you are behind a home router and using a VPN client you will be PAT'ed, so it's a normal thing ... you need to re-visit your config maybe.

I don't know what you are after with the 1-2-1 dynamic translation, but if you have a NAT/GLOBAL combo with the same number of IPs in each you will have a dynamic 1-2-1 NAT ... is this your case?! STATIC will map the addresses horizontally and will not allocate randomly.

Thoughts ?!



John Patrick Lopez Thu, 02/22/2007 - 08:14

Now I get it. If I use a NAT/Global combo with the same number of IPs then I can have the 1-2-1 NAT. What I really meant here is that, for example:

VPN client 1 connects, then he will be translated to 1 public IP. Then VPN client 2 connects, he will be given another public IP different from the first one. And so on... End-to-end (from client PC to VPN concentrator), the source port of the VPN client will not be replaced by the PIX firewall.

Because there are some VPN servers that respond to a different port when a VPN client connects. For example, when a client connects to the VPN server with a destination port of 123 and a source port of 456, the concentrator will respond to the client with a destination port of 789 and source port of 123. With this kind of VPN server, the PIX firewall will not be able to determine the connection of the VPN client because the server responded to a different port number. That's why we have configurations that don't Port Address Translate but only NAT.

Back to our example: the first 7 IP addresses will be Network Address Translated, which means the source port of the workstation will not be replaced by the PIX. But if there's another client who tries to browse the internet, for example, then that client will be Port Address Translated.

Sorry for consuming too much of your time, but you really helped me a lot. =)

Another thing: you mentioned earlier that I should just put a deny statement in my access-list to prevent it from being translated to that global IP and instead use the other access-list with a more specific destination. Don't you think that it will be rejected in translation (like nat (inside) 0) because of the deny statement?

Another one.

Is translation being read in parallel?

global (outside) 3

global (outside) 4

nat (inside) 3

nat (inside) 4

To which public IP will the translate? To the more specific one, which is global 4? The number of the identifier doesn't determine which one is prioritized, right?

Sorry for asking too many questions.

abinjola Thu, 02/22/2007 - 08:50

would be translated to because of the nat identifier 4.

The nat identifier 4 would get translated to the corresponding matching identifier of global statement 4.

John Patrick Lopez Thu, 03/01/2007 - 08:40

Ei guys, I'm back!

The access-list in NAT didn't work even if it is more specific.

Here's my configuration.

global (outside) 1

global (outside) 2

nat (inside) 1 access-list 1

nat (inside) 2 access-list 2

access-list 1 deny ip host any

access-list 1 permit ip any any

access-list 2 permit ip host any

I want all workstations to translate to , except for , which I want to translate as . But when I issued show xlate, it still shows that is translated to .

I issued show access-list 1 and I can see that the line with the deny statement is being hit, because the hit count increments. When I issued show access-list 2, that one line is not being hit. But still, is being translated to . =(

