Cisco Support Community

New Member

NAT 1 Public IP to Multiple Internal IPs and replace Port#

I have a Cisco 515e running 7.0(1) and would like to allow a single public IP to translate traffic to different internal hosts on my network by what port they are trying to access on the outside. So for instance, if someone entered X.X.X.X:85, the PIX could replace the port with 80 and go to web server A. And on that same public IP, X.X.X.X:99 would point to another host and change the port to 80 so that web server could be reached. I am sure this is possible; any help greatly appreciated.


Re: NAT 1 Public IP to Multiple Internal IPs and replace Port#

static (inside,outside) tcp interface 85 web.server.ip www netmask

static (inside,outside) tcp interface 99 web.server2.ip www netmask

New Member

Re: NAT 1 Public IP to Multiple Internal IPs and replace Port#

One problem with the config of my NATs on my PIX is that the inside interface is not NATed, rather just the subnet of my internal network. When I add a NAT rule like the above I get: "This static port mapping rule is overlapping with a dynamic address translation rule for X.X.X.X/ using global pool 1. Do you wish to proceed?" I suppose I could proceed without issue? In the end I would like to replace the subnet NAT using the inside interface, so that I don't receive this message every time I set up a static NAT. But I do not want to compromise deleting my security policies. Is it possible to insert the inside interface NAT and then remove the subnet NAT without deleting my security policies and causing too much disruption?

New Member

Re: NAT 1 Public IP to Multiple Internal IPs and replace Port#

Why can't I access the web server from the Internet with your advice? Following is my configuration:

PIX Version 7.2(1)

hostname wanshitong

enable password vda4u.Aio7ssMh5X encrypted

interface Ethernet0
nameif outside
security-level 0
ip address 218.xx.xx.26

interface Ethernet1
nameif inside
security-level 100
ip address

passwd vda4u.Aio7ssMh5X encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS

same-security-traffic permit intra-interface
access-list 100 extended permit tcp any interface outside eq www
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm521.bin
asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1
nat (inside) 1
nat (inside) 1
nat (inside) 1
static (inside,outside) tcp interface www www netmask
access-group 100 in interface outside
access-group 101 in interface inside
route outside 218.xx.xx.254 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable
http outside
http inside
http inside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet outside
telnet inside
telnet inside
telnet inside
telnet inside
telnet timeout 5
ssh outside
ssh timeout 60
ssh version 1
console timeout 0

class-map inspection_default
match default-inspection-traffic

policy-map global_policy
class inspection_default
inspect http
inspect ftp
inspect dns
inspect icmp
inspect icmp error
inspect tftp
inspect esmtp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect sqlnet
inspect sunrpc
inspect xdmcp
policy-map type inspect dns migrated_dns_map_1

message-length maximum 512

service-policy global_policy global
tftp-server inside pix721
prompt hostname context

: end
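
Added example, not part of the original thread or any poster's configuration: a Python check that pairs each `static (inside,outside) tcp interface` port redirect in a PIX 7.x configuration with the ACL bound inbound to the outside interface, and reports whether the public port is permitted and whether a blanket `permit ip any any` entry is what permits it. It assumes pre-8.3 behaviour, where the inbound ACL is matched against the translated (public) address and port; the sample configuration, its addresses and the names `audit`, `port` and `NAMED_PORTS` are constructed for illustration.

```python
import re

# Constructed sample in PIX 7.x syntax; addresses are RFC 1918 placeholders,
# not values from the thread.
SAMPLE = """\
access-list 100 extended permit tcp any interface outside eq 85
access-list 100 extended permit tcp any interface outside eq www
static (inside,outside) tcp interface 85 10.0.0.10 www netmask 255.255.255.255
static (inside,outside) tcp interface 99 10.0.0.11 www netmask 255.255.255.255
access-group 100 in interface outside
"""

# Subset of the PIX port keywords, enough for this example.
NAMED_PORTS = {"www": 80, "https": 443, "ftp": 21, "smtp": 25}


def port(tok):
    """Translate a PIX port keyword or a decimal string to an integer."""
    return NAMED_PORTS.get(tok) or int(tok)


def audit(config, iface="outside"):
    """Return (published, broad).

    published maps public port -> (inside host, real port, permitted by ACL).
    broad lists 'permit ip any any' entries in the ACL bound inbound to iface.
    """
    bound = re.search(rf"^access-group (\S+) in interface {iface}\s*$", config, re.M)
    acl = bound.group(1) if bound else None
    allowed, broad = set(), []
    for line in config.splitlines():
        words = line.split()
        if acl is None or words[:4] != ["access-list", acl, "extended", "permit"]:
            continue
        rest = words[4:]
        if rest == ["ip", "any", "any"]:
            broad.append(line.strip())
        elif (len(rest) >= 6 and rest[:4] == ["tcp", "any", "interface", iface]
              and rest[4] == "eq"):
            allowed.add(port(rest[5]))  # the ACL names the public (mapped) port
    published = {}
    pat = re.compile(rf"^static \(\w+,{iface}\) tcp interface (\S+) (\S+) (\S+)", re.M)
    for pub, host, real in pat.findall(config):
        ok = bool(broad) or port(pub) in allowed
        published[port(pub)] = (host, port(real), ok)
    return published, broad
```
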