Cisco Support Community

New Member

Static NAT

I need to set up a static NAT for a surveillance camera on our network, so that it can be viewed as a demo to some people.

camera ip:

public ip:

I have just started dealing with a PIX so any help would be appreciated.

joe Bronze

Re: Static NAT

You want to create a static nat; or if you can restrict operation to known ports, then use those ports; but a static nat would be

static (inside,outside)

then an acl to permit the inbound ports

access-list outside_allowed_in permit tcp any host eq 8100

access-group outside_allowed_in in interface outside

As a rule you only have to apply the acl to the inbound outside interface for the tcp session to be permitted.

Let us know more about your surveillance camera and perhaps we can come up with some better rules.



Hall of Fame Super Blue

Re: Static NAT


Assuming the camera is on the inside of the pix

static (inside,outside) netmask

You will also need to make sure you allow the external access with an access-list on your outside interface. Are you okay with this?


New Member

Re: Static NAT

Yes, the camera is on the inside of the PIX. OK, I am fine with setting up the NAT for the camera; that doesn't seem to be too hard. For the acl, would the below do? Also, do I need to add the new public IP to the outside interface? Basically, do I need to have multiple IPs assigned to that one outside interface to make it work?

access-list outside_allowed_in permit tcp any host eq 80

access-group outside_allowed_in in interface outside

Hall of Fame Super Blue

Re: Static NAT

No you don't need to assign the IP address to the outside interface assuming it is a different IP address than the one assigned to the outside interface. But the IP address you use must be

a) a public IP address routable on the Internet

b) the address must be routed to the outside interface of your pix - this ISP should be doing this for you.

The access-list looks fine. Just be aware there is an implicit deny at the end of any access-list, so if you need to allow any other connections from outside you need to allow them as well. Note this does not apply to return traffic from connections initiated from the inside, i.e. user internet surfing etc. This traffic will be allowed anyway.
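
Added example, not part of any post in this thread: a small Python check that reads a PIX-style configuration and reports, for each static translation, which inbound ports the ACL bound to the outside interface actually opens, so a static left unreachable by the implicit deny or opened wider than intended stands out. The addresses are constructed placeholder values, the function name `audit_static_exposure` is hypothetical, and only simple `permit <proto> any host <ip> [eq <port>]` entries are handled.

```python
import re

# Constructed sample config (pre-8.3 PIX syntax, where the ACL names the
# public/mapped address). All addresses are placeholders, not from the thread.
SAMPLE_CONFIG = """\
static (inside,outside) 192.0.2.10 10.0.0.50 netmask 255.255.255.255
static (inside,outside) 192.0.2.11 10.0.0.51 netmask 255.255.255.255
static (inside,outside) 192.0.2.12 10.0.0.52 netmask 255.255.255.255
access-list outside_allowed_in permit tcp any host 192.0.2.10 eq 80
access-list outside_allowed_in permit ip any host 192.0.2.11
access-list unused_acl permit tcp any host 192.0.2.12 eq 8100
access-group outside_allowed_in in interface outside
"""

# Assumption: only these simple line shapes are parsed; deny entries,
# object-groups and port ranges are out of scope for this sketch.
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask \S+$")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

def audit_static_exposure(config):
    """Map each public IP of a static NAT to the inbound access it receives."""
    statics, acl_entries, bound = {}, [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)      # public IP -> inside IP
        elif m := ACL_RE.match(line):
            acl_entries.append(m.groups())        # (acl, proto, dest, port)
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))                 # ACLs applied inbound on outside
    report = {}
    for public_ip, inside_ip in statics.items():
        # Only ACLs actually bound with access-group take effect.
        opened = [f"{proto}/{port or 'any'}" for name, proto, dest, port
                  in acl_entries if name in bound and dest == public_ip]
        if not opened:
            status = "unreachable (implicit deny)"
        elif any(o.endswith("/any") for o in opened):
            status = "overly broad"
        else:
            status = "restricted"
        report[public_ip] = {"inside": inside_ip, "opened": opened, "status": status}
    return report

if __name__ == "__main__":
    for ip, info in audit_static_exposure(SAMPLE_CONFIG).items():
        print(ip, "->", info["inside"], info["opened"], info["status"])
```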