Basic NAT-PAT configuration question

May 23rd, 2007

I want to configure a PIX 501 firewall for NAT - or more accurately PAT.

I want all inside users to be able to access the Internet using their non-routable IP addresses that the PIX will translate at the perimeter.

I only have one public IP address available.

I do not have a range as shown in the example below from:

Start of example

nat (inside) 1 0 0

global (outside) 1

global (outside) 1

"Create a pool of global addresses that translated addresses use when they exit the firewall from the protected networks to the unprotected networks. The global command statement is associated with a nat command statement by the NAT ID, which in this example is 1. Because there are limited IP addresses in the pool, a PAT (Port Address Translation) global is added to handle overflow."

End of example

So, in my case, can I simply use the second global line to attain my objective?

Also, do I need to configure particular access-list entries in this case or will the PIX take care of everything automatically?

Thank you,


srue Wed, 05/23/2007 - 09:33

Best practice is the following:

nat (inside) 1 0 0

global (outside) 1 interface

You literally use the keyword 'interface' in the global command. It will use the outside interface IP, no matter what it is. You could also just use the outside IP there, though. Both accomplish NAT overloading / PAT.

DAVMAC111 Thu, 05/24/2007 - 05:21

Thanks for the answer!

Does the result look right (I'm going to test it now)?

pixfw(config)# nat (inside) 1 0 0

pixfw(config)# show nat

nat (inside) 1 0 0

pixfw(config)# global (outside) 1 interface

outside interface address added to PAT pool

pixfw(config)# show global

global (outside) 1 interface
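
An added example, not part of the original thread or of Cisco's documentation: a small Python check that pairs nat and global statements by NAT ID, as the quoted documentation describes, and reports whether each ID ends up with PAT or an address pool. The first sample is the transcript posted above; the second is constructed with documentation-range addresses, and all function names are hypothetical.

```python
import re

# PIX 6.x "nat"/"global" statements, with or without a CLI prompt in front.
STMT = re.compile(r"^(?:\S+#\s*)?(nat|global)\s+\((\w+)\)\s+(\d+)\s+(.+)$")

def parse(config_text):
    """Return (nat, glob): NAT ID -> set of (interface, argument string)."""
    nat, glob = {}, {}
    for line in config_text.splitlines():
        m = STMT.match(line.strip())
        if m:  # "show ..." commands and status messages do not match
            kind, ifname, nat_id, arg = m.groups()
            target = nat if kind == "nat" else glob
            target.setdefault(int(nat_id), set()).add((ifname, arg.strip()))
    return nat, glob

def classify(arg):
    """Classify the address argument of one global statement."""
    first = arg.split()[0]
    if first == "interface":
        return "PAT (interface address)"
    return "address pool" if "-" in first else "PAT (single address)"

def audit(config_text):
    """Map each NAT ID used by a nat statement to the globals bound to it."""
    nat, glob = parse(config_text)
    report = {}
    for nat_id in sorted(nat):
        if nat_id == 0:
            report[nat_id] = ["identity (no global needed)"]  # nat 0 = no translation
        else:
            kinds = sorted({classify(arg) for _, arg in glob.get(nat_id, ())})
            report[nat_id] = kinds or ["MISSING global"]
    return report

# Transcript from the thread above.
THREAD = """pixfw(config)# nat (inside) 1 0 0
pixfw(config)# show nat
nat (inside) 1 0 0
pixfw(config)# global (outside) 1 interface
outside interface address added to PAT pool
pixfw(config)# show global
global (outside) 1 interface"""

# Constructed sample: pool plus PAT overflow for ID 1, and an ID 2 with no global.
CONSTRUCTED = """nat (inside) 1 0 0
global (outside) 1 192.0.2.10-192.0.2.20
global (outside) 1 192.0.2.21
nat (dmz) 2 0 0"""

if __name__ == "__main__":
    print(audit(THREAD))
    print(audit(CONSTRUCTED))
```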
