NAT Help on Pix 515E

Unanswered Question
Jul 26th, 2007

I need some help figuring out the best way to setup a NAT on an existing setup that I inherited. I'm using a PIX 515E, Cisco PIX Security Appliance Software Version 7.1(2). Here is the config for the internal and external interfaces:

interface Ethernet0
 nameif outside
 security-level 0
 ip address 209.x.x.242

interface Ethernet1
 nameif inside
 security-level 100
 ip address 66.x.x.1


As you can see, I have 2 public IP ranges on the interfaces. From what I've read, a traditional NAT would have a public IP range on the external, and an internal IP range (ie, on the internal. I do not want to change the interfaces.

We do not use the to assign to any machines inside of our network, we use the What I need to do is use a network as my internal network, and NAT that through the network. Another variable to throw into this equation is that I need a number of hosts inside the network to have external access (I'm assuming a static NAT rule to map -> ? for example) such as web servers, and the rest of the hosts can overload to a single IP ( such as workstations that do not need public access.

What is the best way to achieve this setup?

mattiaseriksson Thu, 07/26/2007 - 15:06

You should change network on the inside interface to, and set up dynamic NAT using a pool of 1 ip address and use the rest of the addresses for static NAT as you described. You have to change the inside interface address in order to free the network for NAT use. You don't have to change the external address.

If you can't change the inside network you have to use an internal device as NAT gateway.

ephillips12 Thu, 07/26/2007 - 16:59

Hello mattiaseriksson,

Thanks for your reply.

So you're saying to do something like this:

interface Ethernet0
 nameif outside
 security-level 0
 ip address

interface Ethernet1
 nameif inside
 security-level 100
 ip address

global (outside) 1
nat (inside) 1
static (inside,outside)
static (inside,outside)
static (inside,outside)

This would allow all hosts inside the firewall with an IP in the range of to PAT over And hosts,, would have public access via,, respectively.

Is this right? Please correct me where I'm wrong.

Also, all our rules are on an extended access list named "outside_acl". Here's one line from it.

access-list outside_acl extended permit tcp any eq www
access-group outside_acl in interface outside

This will need to be unchanged, correct? I'm thinking since it's applied to outside interface it hasn't been translated yet and putting would be wrong.


mattiaseriksson Fri, 07/27/2007 - 00:35

Exactly. But you should be a little more specific in the outside_acl, and only permit access to real servers.
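A complete version of the design confirmed above, with the outside_acl narrowed to the real servers as suggested. This is an added example, not the original poster's configuration: the addresses are constructed (198.51.100.0/24 stands in for the ISP link, 203.0.113.0/24 for the routed public block that used to sit on the inside interface, 10.10.10.0/24 for the new private inside network), PIX 7.x syntax is assumed, and it assumes the ISP routes the public block to the outside interface address.

```cisco
! Constructed addresses: 198.51.100.0/24 = ISP link (the 209.x.x.x range in the
! thread), 203.0.113.0/24 = routed public block (the 66.x.x.x range, must be
! routed by the ISP to 198.51.100.242 since it is not on the outside link),
! 10.10.10.0/24 = new private inside network. PIX 7.x syntax assumed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 198.51.100.242 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Dynamic PAT: every inside host without a static below shares one public address.
global (outside) 1 203.0.113.254
nat (inside) 1 10.10.10.0 255.255.255.0
!
! One-to-one statics for the hosts that must be reachable from the Internet.
! A static is matched before the dynamic "nat (inside) 1" rule for that host.
static (inside,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.10.10.11 netmask 255.255.255.255
!
! Inbound ACL on the outside interface. On PIX 7.x it matches the mapped
! (public) address, never the 10.10.10.x real address, and it permits only the
! specific servers and ports instead of "permit tcp any ... eq www" to everything.
access-list outside_acl extended permit tcp any host 203.0.113.10 eq www
access-list outside_acl extended permit tcp any host 203.0.113.11 eq www
access-list outside_acl extended permit tcp any host 203.0.113.11 eq https
access-group outside_acl in interface outside
!
! Checks after the maintenance window:
!   show xlate                   -> statics listed, PAT entries on 203.0.113.254
!   show access-list outside_acl -> hit counts confirm the narrowed lines match
```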

ephillips12 Sat, 07/28/2007 - 07:47

Thanks, I'll try this during our next maintenance window and I'll let you know of my success.

ephillips12 Thu, 08/30/2007 - 05:56

Ok I was finally able to give this a shot last night and for the most part it worked great. My only issue now is this. My 10.10.10.x network is not able to talk to IPs on the 66.66.66.x network. Is there something special I need to get this to work?

The reason for this is that some machines inside the internal network still have configurations pointing to IPs on the 66.66.66.x network. Until I get a chance to find them all and get them changed I need the ability for the 10.10.10.x network IPs to be able to talk to the 66.66.66.x network IPs.

Thanks for your help.

jeremyault Thu, 08/30/2007 - 07:16

That's an interesting problem and a good question. Basically you want to nat traffic from the inside (with a 66.66.66.X destination) to a 10.10.10.X destination address for the servers inside the network.. hmm.

Disclaimer - this is just a "brainstorm" and may not even work. Basically, you want to do a policy NAT (using an ACL) for the inside traffic with the following conditions.

1) traffic from 10.10.10 network to nats to on the inside interface
2) traffic from 10.10.10 network to nats to on the inside interface
3) traffic from 10.10.10 network to nats to on the inside interface
4) traffic from 10.10.10 network to any other nats to on the outside interface

It might look something like this. The "problem" is that I have no idea if you can nat from inside to inside. But if you could, it would probably look exactly like this:

access-list 124 permit ip host
access-list 125 permit ip host
access-list 126 permit ip host
access-list 150 permit ip any

nat (inside) 124 access-list 124
nat (inside) 125 access-list 125
nat (inside) 126 access-list 126
nat (inside) 150 access-list 150

global (inside) 124
global (inside) 125
global (inside) 126
global (outside) 150

Additionally, I don't know how the PIX will respond to traffic going back out on the same interface it came in on. I know it doesn't like to allow traffic (by default) from one interface to another with the same security level so it's possible you may need to add an ACL to the inside interface to permit the traffic to go back the way it came.

Maybe something like (unless I totally messed this one up - forgive me I'm learning too)

access-list 101 permit ip host
access-list 101 permit ip host
access-list 101 permit ip host

access-group 101 in interface inside

jeremyault Tue, 09/04/2007 - 16:17

Another way I was going to suggest would be to split the inside interface into two sub-interfaces and set it up so that one is the default gateways for the 10 network and the other is the gateway for the 66 network. Put them on different VLANS then set up the firewall to route between them.

May be more complex to do but it would (should) work.

Again, hypothetical solution. I'm hoping a real expert will confirm or squash my suggestions.

ephillips12 Thu, 09/06/2007 - 08:34

Ok I performed the changes and some of it worked. I actually found the issue with the network not being able to talk to the network, it was something on the outside_acl.

Everything is working good now. I have a few new problems. Let's deal with this one first, as it may fix other problems.

We have a VPN tunnel to our production network (IP range We (our development network - can talk to the production network fine, however the production network cannot talk back to our internal development network. It can talk to our IPs (which are statically nat'd). So I need basically for our production PIX to route all traffic to through the VPN tunnel. It's already working for (routes it through the tunnel fine).

What do I need to do to get this to work?

Thanks so much.

