One-to-One NAT

Unanswered Question
Sep 7th, 2008

Hello. I've got a pretty basic small network set up with a PIX 501 as the router. My inside subnet is a typical setup. I received four IP addresses from my ISP (which I will list if you like), and I currently have one bound to the outside interface. I'm doing typical PAT to pass the data from the inside network to the outside.

Now, what I want to get set up is this:

I have two printers on the internal network that I would like to have public IPs on them so the company's automated system can send the jobs to a public IP from the remote office (I realize this is a horrible idea, but I'm working with some software company that refuses to do it any other way).

I'm just wondering if I can keep the internal IPs for the printers (as the people in the local office need to print to them, as well as remotely), and make some kind of NAT rule to do this that won't disturb my global NAT rule.

I've found a few examples on the net, but whenever I set it up, the external world doesn't seem to be able to find these public IPs that I just bind with NAT, and insert access rules to allow it (basically, I just want to allow anything to these public IPs from the outside due to the software company's requirements, again, a horrible idea, I know).

I was hoping that perhaps I could get some examples from the pros (you guys). Thanks in advance!


Jon Marshall Sun, 09/07/2008 - 14:12


printer1 = to be presented as public IP

printer2 = to be presented as public IP

On pix

static (inside,outside) netmask

static (inside,outside) netmask

And then in your access-list on the outside interface you need to allow access to these printers. You will need to know the port number (let's assume TCP/515) and you can either lock it down to the remote IP addresses (if you know them) or allow any, e.g.

access-list outside_access_in permit tcp any host eq 515

access-list outside_access_in permit tcp any host eq 515

If you can lock down the source IP addresses rather than use "any" that at least would supply a modicum of security. You may also want to consider using a site-to-site VPN from the remote site for increased security.

The access-list would need to be applied to the outside interface, e.g.

access-group outside_access_in in interface outside

Note also there is an implicit "deny ip any any" at the end of any access-list so if you need to allow other connections initiated from outside your pix to your internal network then you need to add these to your access-list.
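A complete version of the configuration described in this reply, as an added example that is not taken from the thread: every address below is a placeholder, and it assumes PIX 6.x syntax and that the vendor's job submission uses LPD on TCP/515 (a raw-socket printer would use TCP/9100 instead).

```cisco
! Added worked example (not from the thread). Placeholder values assumed:
!   203.0.113.11 / 203.0.113.12 = two of the four ISP-assigned public IPs
!   192.168.1.21 / 192.168.1.22 = the printers' internal addresses
!   198.51.100.7                = the remote office's public IP
!
! The existing PAT for the rest of the inside network stays as it is;
! static entries take precedence over the nat/global pair for their hosts
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! One-to-one static NAT; local users keep printing to the private IPs
static (inside,outside) 203.0.113.11 192.168.1.21 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 192.168.1.22 netmask 255.255.255.255
!
! Preferred: only the remote office may reach the print port (TCP/515 assumed)
access-list outside_access_in permit tcp host 198.51.100.7 host 203.0.113.11 eq 515
access-list outside_access_in permit tcp host 198.51.100.7 host 203.0.113.12 eq 515
!
! What the vendor asks for (any source, any protocol); shown for contrast only,
! use one variant or the other, not both
! access-list outside_access_in permit ip any host 203.0.113.11
! access-list outside_access_in permit ip any host 203.0.113.12
!
! Everything not listed is dropped by the implicit "deny ip any any"
access-group outside_access_in in interface outside
```

After applying the list, `show access-list outside_access_in` shows per-line hit counts, which is the quickest way to confirm the remote office's jobs are matching the intended entry rather than being dropped.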


dbs-pcdoctor Sun, 09/07/2008 - 14:28

Thanks so much for the quick reply, Jon.

I will go ahead and give this a shot. I have actually brought up the VPN idea to them multiple times, but they are very stubborn about their approach to this matter. The security issues are a major concern of mine, but sometimes there's just no getting through to some people.

Just as a side note, if I take the "eq " off the end, will it just allow any port? I will probably not end up doing this, but I am just curious.

Thanks again,


Jon Marshall Sun, 09/07/2008 - 14:34


Yes you can take the "eq

access-list outside_access_in permit ip any host


I can see you also appreciate the security issues by allowing this access. If VPN is not a possibility, look to isolate the printers, e.g. private VLANs or put them on a DMZ, but this may cause problems if your internal users need them as well.

They may be stubborn, but are they prepared to compensate you if your internal network is hacked?


