NATting 2 Global IPs to one Local IP

Apr 9th, 2008

Hi everybody,

I have a web server inside the firewall and I need to publish two IP addresses to access this web server, but I need to have one IP address internally.

I can do this using Extendable NATs in Cisco routers, but I couldn't find a way to do it on a PIX 515E (Ver 6.2). I saw someone mention policy-based NATting in ASA; is it possible in PIX?

husycisco Thu, 04/10/2008 - 03:23

Hi Manjula,

Yes, policy NAT is possible, but you don't really need it. All you have to do is add another static command.

static (inside,outside) publicip1 webserverip netmask

static (inside,outside) publicip2 webserverip netmask

access-list outside_access_in permit tcp any host publicip1 eq www

access-list outside_access_in permit tcp any host publicip2 eq www

access-group outside_access_in in interface outside

Your 6.2 IOS works with conduits instead of access-lists as far as I remember; you had better upgrade your IOS to 6.3(5) or 7.2.


manjula.dealwis Thu, 04/10/2008 - 15:39

Thanks for the reply Husy, but when I try to enter the second static mapping, it throws an error saying "static overlaps with Publicip1 to Privateip".

In ASA they have done it by using "extended" in access-list and mapping two IPs. hxxp://

I can't use extended in access-list as it doesn't support that command.


pengfang Thu, 04/10/2008 - 19:28
1. From v7.x, the ACL syntax is more similar to IOS; just remove "extended" when you convert it from 7.x to 6.x.

2. The "Overlapping" warning should be fine if the PIX takes the command but rejects it.

JORGE RODRIGUEZ Thu, 04/10/2008 - 20:20

Manjula, you can accomplish this easily with policy NAT.

For example, say you have:

Local IP:

Public IP 1:

Public IP 2:

Services RDP TCP 3389

static (inside,outside) access-list policy_nat_rdp1

static (inside,outside) access-list policy_nat_rdp2

access-list policy_nat_rdp1 extended permit ip host any

access-list policy_nat_rdp2 extended permit ip host any

access-list outside_access_in extended permit tcp any host eq 3389

access-list outside_access_in extended permit tcp any host eq 3389

access-group outside_access_in in interface outside

You can omit the extended word. I am almost positive code 6.x supports policy NAT; if I have time I will take a look at the code 6.x release notes.

manjula.dealwis Thu, 04/10/2008 - 21:49

Thanks PengFang and Jorge,

PengFang -

When I checked, it looks like the PIX doesn't take the command; "sh run" only shows one entry, so the second entry has not been taken.

Jorge -

I could use

access-list policy_nat_rdp1 permit ip host any

access-list policy_nat_rdp2 permit ip host any

But without the "extended" portion. It accepted both lines.

But "static (inside,outside) access-list policy_nat_rdp1" was the problem. It doesn't take "policy_nat_rdp1". The syntax only allows IP addresses, it seems; it says "ERROR: Invalid global IP address access-list".

I really appreciate your help on this. Thanks again.

NB - I use Cisco PIX Firewall Version 6.2(1)
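As an added example (not code from this thread or from Cisco), the Python below models the two behaviours the posts above describe: the "static overlaps" rejection that a plain one-to-one static gets when a second public address is mapped to the same local host, and the ACL-bound policy static form (PIX 6.3 and later, and ASA) that publishes one local host on several public addresses. The overlap rule, the ACL names and the addresses are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

class Static(NamedTuple):
    inside: str     # real (local) side interface
    outside: str    # mapped (global) side interface
    global_ip: str
    local_ip: str

# Plain one-to-one static: "static (inside,outside) <global> <local> netmask <mask>"
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask \S+$")

def parse_statics(config: str) -> List[Static]:
    """Collect the one-to-one 'static' lines from a running-config text."""
    found = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            found.append(Static(*m.groups()))
    return found

def find_overlap(existing: List[Static], new: Static) -> Optional[Static]:
    """Return the existing static that a new one-to-one static would overlap.
    Assumed rule: on one interface pair a plain static may reuse neither the
    global nor the local address (matches the 6.2 'static overlaps' error)."""
    for s in existing:
        same_pair = (s.inside, s.outside) == (new.inside, new.outside)
        if same_pair and (s.global_ip == new.global_ip or s.local_ip == new.local_ip):
            return s
    return None

def policy_nat_config(local_ip: str, public_ips: List[str], tcp_ports: List[int]) -> List[str]:
    """Emit the policy static NAT form (PIX 6.3+/ASA): one ACL-bound static per
    public address, all pointing at the same local host, plus the inbound rules."""
    lines = []
    for n, pub in enumerate(public_ips, 1):
        acl = f"policy_nat_{n}"   # hypothetical ACL name
        lines.append(f"access-list {acl} permit ip host {local_ip} any")
        lines.append(f"static (inside,outside) {pub} access-list {acl}")
    for pub in public_ips:
        for port in tcp_ports:
            lines.append(f"access-list outside_access_in permit tcp any host {pub} eq {port}")
    lines.append("access-group outside_access_in in interface outside")
    return lines

# Constructed running-config fragment using documentation addresses.
SAMPLE_CONFIG = """nameif ethernet0 outside security0
static (inside,outside) 203.0.113.1 10.1.1.10 netmask 255.255.255.255
"""
```

Calling find_overlap on SAMPLE_CONFIG with a second static for 10.1.1.10 returns the existing mapping, which is the conflict the 6.2 box reports; policy_nat_config builds the replacement set of lines for the same host.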