Cisco Support Community
Community Member

Policy NAT


I have a situation with Policy NAT. I need to configure it such that

1. client (outside) from to global addr will be translated to inside

2. client (outside) from to global addr will be translated to inside

I tried to use the following config, but it was rejected by the PIX (7.2):

pix(config) access-list NET1 permit ip host

pix(config) access-list NET1 permit ip host

static (inside,outside) access-list NET1

the error I received was:

ERROR: access-list used in static has different local addresses

Can anyone advise if this config is possible?

Community Member

Re: Policy NAT

I'm not 100% sure about this, but if you're NATting from the outside in, shouldn't your static command be:

static(outside,inside) access-list NET1 ?

The static command has to be done in the order of "pre-NAT" interface then "post-NAT" interface; this may not necessarily be inside then outside.

Community Member

Re: Policy NAT

I think there is nothing wrong with the NATting.

Pls check out

Under the policy static NAT section, you will find a config similar to what I have configured. But I need more than that: to create an additional static entry for another inside host.


Re: Policy NAT

Hello CCIE,

Your issue is that statics are set up as follows:

static (real interface, mapped interface) mapped IP address, real ip address

When using an access list, it goes

static (real interface, mapped interface) mapped IP address, access-list defining real ip address traffic.

In your case, your access-list would be incorrect:

access-list NET1 permit ip host

access-list NET2 permit ip host

This defines the real traffic (the access-list is evaluated before NAT).

As well as your static being backwards:

static (real, mapped) mapped real

static (outside,inside) access-list NET1

static (outside,inside) access-list NET2

because technically the 'mapped' IP address is on the inside.

Assuming that your statements 1 and 2 above are correct, as summarized below:

going to --> src address of gets translated to

going to --> src address of gets translated to

Giving cbeswick some points, because he was technically correct: your static statement was backwards from what you stated your requirements were in 1 and 2.

As always, do a 'clear xlate' after making NAT changes so that the translations can be rebuilt properly.


Please rate this message if it solved some or all of your issue.

Community Member

Re: Policy NAT

Hi Jason,

You do not understand my requirement. If it were so simple, I would not need to post it. I didn't get my CCIE for nothing. Btw, I prefer you address me as Samuel.

I need to translate the destination address when clients sourced from access the global addr, which means will be translated to and not the client IP.

If I needed to translate the source, nat outside or static outside would have served my purpose.

Sorry if you misunderstood my requirement; no points for you.

Thanks for putting in the efforts.



Community Member

Re: Policy NAT


It seems like others are on the right track, but that we aren't fully understanding what you really need to accomplish here. I might not be understanding it either, but I'm going to give it a shot anyway.

Traffic is initiated from the outside subnets of and These are the source IPs, and you do not need to do any source NAT. Correct so far? You do need to translate both destinations and to the same global address of, according to how it matches the access-list. If I'm still correct, the problem with this is going to be that if traffic from the and both try to establish connections at the same time, I believe only one of the static translations will be built. The configuration you have going so far is for policy static NAT, not policy static PAT. This is what I think the commands should be so far:

static (inside,outside) access-l NET1

access-l NET1 permit ip host

access-l NET1 permit ip host

I don't think this will work for simultaneous inbound connections: the PIX will build the first translation that matches the access-list, and it will be persistently translated to only one internal IP until the translation is torn down. Using static PAT in your configuration will allow the single global to map to the different internals, but then you won't be able to define a policy to match. Will the inbound connections for and be using the same service ports? If not, then you could go back to the simpler configuration of something like this to make it use the PAT translation and use an access-list to control the access.

static (inside,outside) tcp www www

static (inside,outside) tcp https https

I really don't think this was your goal, but it's the only way I could imagine it might work. If I'm wrong here and someone finds a config that will make this work with policy NAT, it will be interesting to learn about.
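As an added example (not code from this thread or from Cisco), here is a small Python checker that models the one PIX 7.2 rule behind the error Samuel hit, "access-list used in static has different local addresses": every ACE in an access-list bound to a policy static must name the same real (local) host. It parses constructed `access-list ... permit ip host <real> <dest>` and `static (real_if,mapped_if) <mapped> access-list <name>` lines, flags any static whose ACL mixes real hosts, and shows how the ACEs regroup into one ACL per real host. All addresses are constructed for the example (RFC 5737 documentation ranges plus 10.1.1.x); the checker does not model the separate question raised in the last reply about two statics sharing one global address.

```python
"""
Added example, not code from the thread or from Cisco: a checker that models
the PIX 7.2 policy static NAT rule behind the error
"ERROR: access-list used in static has different local addresses".

Assumptions (all constructed for this example):
  - inside (real) hosts 10.1.1.10 and 10.1.1.20
  - outside client subnets 198.51.100.0/24 and 203.0.113.0/24
  - global (mapped) addresses 192.0.2.50 and 192.0.2.51
"""
import re
from collections import defaultdict

# access-list <NAME> permit ip host <REAL> <DEST ...>
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+host\s+(\S+)\s+(.+)$")
# static (<real_if>,<mapped_if>) <MAPPED> access-list <NAME>
STATIC_RE = re.compile(
    r"^static\s+\(([^,\s]+),([^)\s]+)\)\s+(\S+)\s+access-list\s+(\S+)\s*$"
)

# Constructed config in the shape the original poster described: one ACL with
# two ACEs whose real (local) hosts differ, bound to a single static.
REJECTED_CONFIG = """
access-list NET1 permit ip host 10.1.1.10 198.51.100.0 255.255.255.0
access-list NET1 permit ip host 10.1.1.20 203.0.113.0 255.255.255.0
static (inside,outside) 192.0.2.50 access-list NET1
"""

# Constructed config that satisfies the rule: one ACL and one static per real host.
ACCEPTED_CONFIG = """
access-list NET1 permit ip host 10.1.1.10 198.51.100.0 255.255.255.0
access-list NET2 permit ip host 10.1.1.20 203.0.113.0 255.255.255.0
static (inside,outside) 192.0.2.50 access-list NET1
static (inside,outside) 192.0.2.51 access-list NET2
"""


def parse_config(text):
    """Collect policy-NAT ACEs by ACL name and the statics that reference them."""
    acls = defaultdict(list)   # name -> [(real_host, dest_spec), ...]
    statics = []               # [(real_if, mapped_if, mapped, acl_name), ...]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append((m.group(2), m.group(3).strip()))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groups())
    return acls, statics


def check_statics(acls, statics):
    """Return one message per static whose ACL names more than one real host."""
    problems = []
    for real_if, mapped_if, mapped, acl in statics:
        entries = acls.get(acl) or []
        if not entries:
            problems.append(f"static {mapped} ({real_if},{mapped_if}) references "
                            f"unknown or empty access-list {acl}")
            continue
        local_hosts = sorted({real for real, _ in entries})
        if len(local_hosts) > 1:
            problems.append(f"ERROR: access-list {acl} used in static {mapped} "
                            f"has different local addresses: {local_hosts}")
    return problems


def split_by_local_host(acls, acl_name):
    """Group an ACL's ACEs by real host: the per-host ACLs the PIX will accept."""
    groups = defaultdict(list)
    for real, dest in acls.get(acl_name) or []:
        groups[real].append(dest)
    return dict(groups)


if __name__ == "__main__":
    for label, cfg in (("rejected", REJECTED_CONFIG), ("accepted", ACCEPTED_CONFIG)):
        acls, statics = parse_config(cfg)
        print(label, check_statics(acls, statics) or "ok")
    print(split_by_local_host(parse_config(REJECTED_CONFIG)[0], "NET1"))
```

Running it reports the constructed NET1 as rejected for mixing 10.1.1.10 and 10.1.1.20, accepts the two-ACL version, and prints the per-host grouping, which is the "one ACL and one static per inside host" shape the earlier replies converge on.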
