Cisco Support Community
Community Member

Static mapping

Any help is appreciated.

(1) Equipment: PIX515

(2) Connection scenario:

Far side WAN, PIX outside: However, all incoming IPs from the other end are: 10.100.100.x/24

(3) Need to map incoming 10.100.100.x to internal 172.30.1.x. For example: client on the other end will connect to On the PIX, I need to translate to

Is this doable?

I've tried to do this on the PIX:

(a) outside interface IP:

(b) access-list: permit to

(c) static (inside, outside) to

To recap: what I want to accomplish is this:

I am handed the WAN IP address( and a range of other IPs for incoming (10.100.100.x). This range of IPs (10.100.100.x) needs to be mapped one to one to the internal IPs to establish connection. And no, I can't have a range of IPs that can be assigned to the outside interface directly.

Can this be done at all?

Thank you.


Re: Static mapping

Let's see if I understand:

From the PIX perspective:
Inside network is 172.30.1.x
Outside IP is
You need to translate connections pointing to 10.100.100.x to 172.30.1.x

static (in,out)
access-list 101 permit ip any
access-group 101 in interface outside

The above will work if the destination addresses of the incoming requests are 10.100.100.x and you
just want to NAT those addresses to your internal 172.30.1.x
There should be a route on the next-hop on the outside of the ASA to route 10.100.100.x to the ASA

Now, if I understand correctly the 10.100.100.x is the destination range correct?

Or is the source range from where the packets will be coming from?


Community Member

Re: Static mapping

Thank you.

From the Pix:outside IP is:, inside IP is: The network 172.30.1.x can be reached via another router.

Client will come from IPs: 10.90.90.x. They will connect to 10.100.100.x addresses.

Example: client ( initial connection via web browser, addr: Once the packet reaches the PIX, will need to be translated to and be routed further inside the network (the routes within the network all work fine, I am sure of that).

For incoming: -> ->, so forth and so on.

Once I have the static statement and access-list, do I still need to have other statement(s)?

From my original post, after doing what I described, clients sometimes can connect and sometimes there's no response. I am thinking either:

(1) it won't work at all since the pix outside interface is on and can't listen on 10.100.100.x (or the access-list permit statement takes care of that?)

(2) Other than the access-list, static statement, I may be missing others.

Can you tell me what's the behavior in this case on the way back to the client since I don't have any other statement, other than:

global (outside) 1 (the outside interface) and I don't have any NAT statement.

Thank you. Appreciate it.

P.S. I wish I had a copy of the config with me at home but I don't.

Hall of Fame Super Blue

Re: Static mapping

nat (outside) 2 outside

global (inside) 2

will PAT all the 10.100.100.x addresses to on the inside of your pix.

If you want to do 1-1 mappings -

static (outside,inside) netmask

but you will need to setup a static for each 10.100.100.x address you want to translate and you will need a different 172.30.1.x address for each static translation.

Is this what you want ?


Community Member

Re: Static mapping

See above reply.

Thank you for your help.

Re: Static mapping

If you have a static NAT like this:
static (inside, outside) to

Then incoming and outgoing traffic will be translated between and
You don't need an additional NAT statement for outgoing traffic.

The issue here, is that the PIX outside is not on the 10.100.100.x range.
But this can be solved by having an appropriate route pointing to the outside of the PIX to 10.100.100.x

If you say that it sometimes works, I assume the configuration is fine.
What's exactly the problem that you're having? That sometimes the clients won't connect?


Community Member

Re: Static mapping

Thank you.

From what you explained, it should work but the behavior is that the web app we are running internally sometimes works perfectly and sometimes clients get responses from the browser as connection not found or some sort (sorry don't remember exactly, but the standard IE response). This happens across the board so not client machine specific.

If I just do port forward only, it works perfectly but then I can only reach one server. Clients need to reach quite a few internal servers. So, port forward is out.

Community Member

Re: Static mapping

You can try this, I use something similar for site to site overlap, but it should work for this case as well:

access-list policy-nat-10.100.100.x ext permit ip
static (inside,outside) access-list policy-nat-10.100.100.x

As others have mentioned, you'll still need to permit http access to to permit the traffic inbound.
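
The pieces discussed in this thread put together, as an added example that is not part of any poster's reply: a net static mapping 10.100.100.x to 172.30.1.x, with the inbound ACL narrowed to the 10.90.90.x clients and HTTP rather than `permit ip any`. PIX 6.x/7.x syntax is assumed; the ACL name `outside_in` and `<inside-router-ip>` are placeholders, since the thread does not show the real addresses.

```cisco
! Added example. Lines starting with "!" are annotations; leave them out when pasting.
! Assumed: PIX 6.x/7.x syntax, ACL name "outside_in", placeholder <inside-router-ip>.

! One net static covers the whole /24 host-for-host:
! 10.100.100.N on the outside <-> 172.30.1.N on the inside, in both directions.
static (inside,outside) 10.100.100.0 172.30.1.0 netmask 255.255.255.0

! Inbound policy on the outside interface. The ACL is written against the
! mapped (10.100.100.x) addresses, limited to the 10.90.90.x clients and HTTP.
access-list outside_in permit tcp 10.90.90.0 255.255.255.0 10.100.100.0 255.255.255.0 eq www
access-group outside_in in interface outside

! 172.30.1.x sits behind another router, so the PIX needs a route to it.
route inside 172.30.1.0 255.255.255.0 <inside-router-ip> 1

! Not PIX config: the next hop on the outside must route 10.100.100.0/24
! to the PIX outside interface address.

! Verification after changing static/nat statements:
clear xlate
show xlate
show access-list outside_in
```

`show xlate` should list one translation per inside host in use, and the hit counter in `show access-list outside_in` shows whether client connections are reaching the outside interface at all.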


Community Member

Re: Static mapping

Thank you. I'll try this and will report back Monday.
