Enable outside host to access inside private IP's

Unanswered Question
May 12th, 2003
User Badges:


I've got a small 29bit network that I'm using static statements to map the private inside IP's to the outside. This off course only gives us 6 publicly visible hosts. We've got a management PC on the outside of the PIX that we'd like to use to manage all host on the inside using their private IP's.

nat (inside) 1 0 0

global (outside) 1 interface

static (inside,outside) x.x.x.66 dns netmask 0 0

static (inside,outside) x.x.x.67 dns netmask 0 0

static (inside,outside) x.x.x.68 dns netmask 0 0

static (inside,outside) x.x.x.69 dns netmask 0 0

static (inside,outside) x.x.x.70 dns netmask 0 0

ip address outside x.x.x.65

ip address inside

So how would you enable host x.x.x.98 to access hosts 172.24.1.x as well as being able to access them on their public IP's ?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
vikrantarora Mon, 05/12/2003 - 05:12
User Badges:


From my understanding of the pix you can allow access from x.x.x.98 only via public IP's and not private ones (i.e 172.24.1.X)

All you need is an access list corresponding to each host you want to allow access to. Than you need to apply it on the incoming traffic on the outside interface of the pix.

access-list acl_out permit ip host x.x.x.98 x.x.x.66

access-list acl_out permit ip host x.x.x.98 x.x.x.67

access-list acl_out permit ip host x.x.x.98 x.x.x.68

access-list acl_out permit ip host x.x.x.98 x.x.x.69

access-list acl_out permit ip host x.x.x.98 x.x.x.70

access-group acl_out in interface outside

May be you can use turbo access-list to include all 5 of these.

Hope it helps.


alitster Mon, 05/12/2003 - 05:39
User Badges:

Hi Vik,

The problem I have is that all the public IP address's are being used and I have more devices on the inside than I have public IP addresses.

I've tried using a static command to make the private IP's visible:

static (inside,outside) 172.24.1.x 172.24.1.x

though that caused a few strange problems. This PIX is at a different site to where I'm based. When I tried doing a ping from the remote site to one of my local hosts I got an error in my syslog server about denying ICMP from, which is correct; how that was getting accross the internet I don't know!

The other option I've tried is having a nat 0 access-list to disable nat between the inside and the one host on the outside which appears to be OK.



jdepies Mon, 05/12/2003 - 09:33
User Badges:

You cannot make your private IPs externaly visible. Remove those static commands.

What you can try is the extended static command which allows you to statically map one external IP to several internal IPs but just for certain ports.


static (inside,outside) TCP 25 25

this command above will forward all SMTP requests the PIX receives from the internet for public IP, to the internal IP on port 25 (SMTP).

Add as many of these static commands that you need for each service (port).

Hope this helps.



This Discussion