Apr 20th, 2007

I have a PIX 515-E firewall which is giving me a problem.

Inside our private network, we have a local host behind my inside interface, call it HOST-A, IP

From the Internet, we have assigned 2 public IPs, both pointing to (NAT to) HOST-A, serving 2 different purposes:

- One public IP: to serve HTTP traffic

- Another public IP: to serve POP-3 traffic.

I had used a dynamic IP pool so that both public IPs are NAT to the same private -, at my outside interface.

However, I found that I need to create another NAT at my inside interface, i.e. NAT to

However, I also found that I cannot create another NAT rule for to NAT to

As such, our POP-3 traffic becomes not accessible.

Is it a limitation in the PIX firewall?

My PIX detail:

sh version

Cisco PIX Security Appliance Software Version 7.2(2)

Device Manager Version 5.2(2)

Config detail:

name IP-HTTP

name IP-POP

name HOST-A

access-list outside_access_in extended permit tcp any host IP-HTTP object-group WEB-SERVICES

access-list outside_access_in extended permit tcp any host IP-POP object-group TCP-POP3-IMAP

global (inside) 1 HOST-A netmask

nat (outside) 1 IP-HTTP outside

nat (outside) 1 IP-POP outside

static (inside,outside) IP-HTTP HOST-A netmask

mahmoodmkl Fri, 04/20/2007 - 23:53


I think you don't need to nat statements as you are doing for the same IP, and you need to create a statement in the access list, not a separate access-list.

Try this config.

static (inside,outside) (global ip) (private ip) netmask

access-list outside_in permit tcp any host (global ip) eq 80

access-list outside_in permit tcp any host (global ip) eq pop3 (your POP3 port number).

And you need to apply it inbound to your outside interface.

See if it works.



limlayhin Sun, 04/22/2007 - 20:20
Managed to solve the problem with the following configuration:

global (outside) 1

static (inside,outside) tcp www www netmask

static (inside,outside) tcp pop3 pop3 netmask
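For reference, the port-specific static approach from the last post written out in full, as an added example that is not part of the original thread. The addresses are constructed documentation values (203.0.113.10 and 203.0.113.11 for the two public IPs, 192.168.1.10 for HOST-A), since the thread's real addresses are not shown; the ACL uses `eq` port matches in place of the thread's object-groups.

```cisco
! Added example; all addresses below are constructed placeholders.
names
name 203.0.113.10 IP-HTTP
name 203.0.113.11 IP-POP
name 192.168.1.10 HOST-A
!
! One port-specific static per public IP. Each forwards a single TCP
! port to HOST-A, so both public addresses can point at the same
! inside host and no other port on HOST-A is translated from outside.
static (inside,outside) tcp IP-HTTP www HOST-A www netmask 255.255.255.255
static (inside,outside) tcp IP-POP pop3 HOST-A pop3 netmask 255.255.255.255
!
! Permit only the published service on each public address.
access-list outside_access_in extended permit tcp any host IP-HTTP eq www
access-list outside_access_in extended permit tcp any host IP-POP eq pop3
!
! Bind the ACL inbound on the outside interface.
access-group outside_access_in in interface outside
!
! To check the result: "show xlate" lists the two port translations,
! and "show access-list outside_access_in" shows per-entry hit counts.
```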

